Bug #635

Some keywords missing in list-keyword command

Added by Eric Leblond over 6 years ago. Updated about 1 month ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

A keyword like 'tcp-pkt' does not appear in list-keyword output because it is only defined by a string match in detect-engine-proto.c.

We should find a way to declare this keyword and have it displayed in the list-keyword option.


Related issues

Related to Optimization #2602: add keywords to --list-keywords output (Closed)
Related to Feature #1872: add --list-decoder-protos or similar (Assigned)

History

#1

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to TBD
#2

Updated by Victor Julien about 1 year ago

  • Target version changed from TBD to Documentation
#3

Updated by Victor Julien about 1 year ago

  • Assignee changed from Eric Leblond to OISF Dev
#4

Updated by Victor Julien about 1 year ago

  • Assignee deleted (OISF Dev)
  • Effort set to low
  • Difficulty set to low
#5

Updated by Travis Green 8 months ago

  • Assignee set to Travis Green
#6

Updated by Travis Green 8 months ago

  • Assignee deleted (Travis Green)
#7

Updated by Travis Green 8 months ago

Also tcp-stream

Did not find a place to add to sigmatch_table.

#8

Updated by Victor Julien 5 months ago

#9

Updated by Victor Julien 5 months ago

  • Assignee set to Travis Green
  • Target version changed from Documentation to 5.0beta1

These could be hardcoded into the list-keywords output. Travis, can you take a stab at this?

#10

Updated by Victor Julien 3 months ago

  • Target version changed from 5.0beta1 to 5.0rc1
#11

Updated by Victor Julien 2 months ago

  • Assignee changed from Travis Green to OISF Dev
#12

Updated by Andreas Herz about 2 months ago

AFAICS this is true for all of those defined in detect-engine-proto.c so is it still the better approach to go for hardcoding them?

#13

Updated by Andreas Herz about 2 months ago

https://github.com/OISF/suricata/pull/3902

Although we can also go for the suggestion from #1872, what do you prefer?

#14

Updated by Andreas Herz about 2 months ago

  • Related to Feature #1872: add --list-decoder-protos or similar added
#15

Updated by Philippe Antoine about 2 months ago

One solution may be to add a test that will do a diff between the output of `suricata --list-keyword` and `grep strcasecmp src/detect-engine-proto.c | cut -d'"' -f2`
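
The check proposed in the comment above, written out as a shell test (an added example, not part of the original comment or of the Suricata tree). The source snippet and keyword listing are constructed samples, the `- keyword` listing format is an assumption, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: report keywords matched via strcasecmp() in a source file
# that do not appear in a keyword listing. Function names are hypothetical.

# Quoted string from every strcasecmp() line (the grep/cut pipeline from the
# comment), de-duplicated and sorted so comm(1) can consume it.
proto_keywords_from_source() {
    grep strcasecmp "$1" | cut -d'"' -f2 | LC_ALL=C sort -u
}

# Keyword names from a listing; ASSUMED format: one "- keyword" per line,
# banner and other lines are ignored.
keywords_from_listing() {
    sed -n 's/^- *\([^ ]*\).*$/\1/p' "$1" | LC_ALL=C sort -u
}

# Print keywords present in the source ($1) but absent from the listing ($2).
missing_keywords() {
    src_kw=$(mktemp) && list_kw=$(mktemp) || return 2
    proto_keywords_from_source "$1" > "$src_kw"
    keywords_from_listing "$2" > "$list_kw"
    LC_ALL=C comm -23 "$src_kw" "$list_kw"
    rm -f "$src_kw" "$list_kw"
}

# CONSTRUCTED sample inputs (not copied from Suricata): a source snippet with
# two string-matched keywords, and a listing where only one was hardcoded.
make_samples() {
    cat > "$1/proto.c" <<'EOF'
    if (strcasecmp(str, "tcp-pkt") == 0) {
    } else if (strcasecmp(str, "tcp-stream") == 0) {
    }
EOF
    cat > "$1/listing.txt" <<'EOF'
=====Supported keywords=====
- sid
- content
- tcp-pkt
EOF
}

# Demo on the constructed samples. For a real run, pass
# src/detect-engine-proto.c and a saved `suricata --list-keywords` output.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Keywords matched in source but not listed:"
missing_keywords "$demo_dir/proto.c" "$demo_dir/listing.txt"
rm -rf "$demo_dir"
```

In a CI job, a non-empty result from `missing_keywords` would fail the build, so a new string-matched keyword cannot be added without also appearing in the listing.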

#16

Updated by Victor Julien about 1 month ago

  • Assignee changed from OISF Dev to Andreas Herz

Andreas, I think I like #1872 better for solving this indeed.

#17

Updated by Andreas Herz about 1 month ago

I agree.

Should we add another line at the "Supported Keywords" output to make sure folks know that there are more specific keywords available as well?

Just want to avoid people missing keywords because they missed that they are listed in another section.
