Added by Philippe Antoine over 3 years ago. Updated over 2 years ago.
Description
Have a Wireshark module/plugin that helps to visualize how a Suricata rule matches its different contents / pcres step by step
As a workaround for now: https://github.com/google/gonids/blob/master/rule.go#L608 can match a part of a pcap matching with a rule (when the rule does already trigger the capture)
How do you use gonids exactly ?
The way I see this ticket work is a new eve event type like "rule trace" or something, that would dump the matching steps from the detection engine, logging:
- prefilters called
- rule keywords called
- content inspection step my step, including matching offsets, etc
This could then be used to construct the "story" of how a match (or a non-match) came to be, and it could be used visualize outside of suri, like in Wireshark.
I have some very crude code for this around the "content inspection" code.