Project

General

Profile

Actions
Copy link

Task #6352

closed
JF NE

Task #6308: detect/analyzer: add more keyword details

detect/analyzer: add more details for the tcp window keyword

Task #6352: detect/analyzer: add more details for the tcp window keyword

Added by Juliana Fajardini Reichow over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Nancy Enos
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:
Beginner, C, Outreachy

Description

Add more details to the tcp window keyword engine analysis output.

See what the TCP windows keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#window

There are more general explanations in the parent task.

Related issues 2 (0 open2 closed)

Copied from Suricata - Task #6351: detect/analyzer: add more details for the xbits keywordClosedJames KadduActions
Copied to Suricata - Task #6353: detect/analyzer: add more details for the tcp seq keywordClosedDaniel OlatunjiActions

JF Updated by Juliana Fajardini Reichow over 2 years ago Actions
Copy link
 #1

  • Copied from Task #6351: detect/analyzer: add more details for the xbits keyword added

JF Updated by Juliana Fajardini Reichow over 2 years ago Actions
Copy link
 #2

  • Copied to Task #6353: detect/analyzer: add more details for the tcp seq keyword added

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #3

  • Target version changed from 8.0.0-beta1 to TBD

NE Updated by Nancy Enos over 1 year ago Actions
Copy link
 #4

I would like to work on this ticket, should i just assign it to myself?

also am not sure how to represent the negation detail of tcp-window.

jb_set_bool(js, "negation", wd->negated);

thats what am thinking

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #5

Nancy Enos wrote in #note-4:

I would like to work on this ticket, should i just assign it to myself?

Hi, yes, please feel free to assign it to yourself.

also am not sure how to represent the negation detail of tcp-window.

jb_set_bool(js, "negation", wd->negated);

thats what am thinking

Checking some suricata-verify tests that have keywords that allow for negation, I see that we usually use negated, so I would go with that:

jb_set_bool(js, "negated", wd->negated);

NE Updated by Nancy Enos over 1 year ago Actions
Copy link
 #6

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Nancy Enos

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #7

  • Status changed from Assigned to In Progress

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #8

  • Status changed from In Progress to In Review

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #9

  • Target version changed from TBD to 8.0.0-beta1

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #10

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: PDF Atom