Task #6308
opendetect/analyzer: add more keyword details
Description
This is an umbrella ticket.
When running Suricata with --engine-analysis mode (https://docs.suricata.io/en/latest/command-line-options.html?highlight=engine%20analysis#cmdoption-engine-analysis), the engine generates a profile report on whatever rules it had as input. See more at https://docs.suricata.io/en/latest/configuration/suricata-yaml.html?highlight=engine-analysis#engine-analysis.
The purpose of this task is to improve the said report, specifically the `postmatch` section, which expands the keyword matches for each rule.
The main goal is to expose the keyword's properties for a JSON object in the key-value format.
The keyword will have corresponding source files that will help you know what is the keyword name recognized by the engine, as well as the other fields we are interested in exposing to the engine analysis report.
The details about the keyword should be used to create the JSON object, named after the keyword you're working with.
The JsonBuilder will have the needed functions for that.
Feel free to use the listed PR here, as well as existing code in detect-engine-analyzer.c function DumpMatches, as examples.
This commit shows an example for adding details for byte_test and byte_jump - https://github.com/OISF/suricata/pull/8625/commits/325000ca2bd72edd802122a3d25988183622a69f
This PR contains work for adding details to the `ipopts` keyword: https://github.com/OISF/suricata/pull/9487
please note how the PR also links a Suricata-verify related work for testing the new output: https://github.com/OISF/suricata-verify/pull/1387
Updated by Juliana Fajardini Reichow over 1 year ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow about 1 year ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow about 2 months ago
- Target version changed from 8.0.0-beta1 to 8.0.0