Task #6354

closed

Task #6308: detect/analyzer: add more keyword details

detect/analyzer: add more details for the tcp ack keyword

Added by Juliana Fajardini Reichow over 1 year ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Beginner, C, Outreachy

Description

Add more details to the tcp ack keyword engine analysis output.

See what the TCP ack keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#ack

There are more general explanations in the parent task.


Related issues: 2 (0 open, 2 closed)

  • Copied from Suricata - Task #6353: detect/analyzer: add more details for the tcp seq keyword (Closed, Daniel Olatunji)
  • Copied to Suricata - Task #6355: detect/analyzer: add more details for the tcp.mss keyword (Closed, Daniel Olatunji)
Actions #1

Updated by Juliana Fajardini Reichow over 1 year ago

  • Copied from Task #6353: detect/analyzer: add more details for the tcp seq keyword added
Actions #2

Updated by Juliana Fajardini Reichow over 1 year ago

  • Copied to Task #6355: detect/analyzer: add more details for the tcp.mss keyword added
Actions #3

Updated by Daniel Olatunji about 1 year ago

Can I claim this? It's a bit challenging for me, but it has taught quite a lot just for the little time I've spent looking around, I love it.

Actions #4

Updated by Juliana Fajardini Reichow about 1 year ago

Yes, please assign the ticket to yourself, and thanks for asking! :)

Actions #5

Updated by Daniel Olatunji about 1 year ago

Juliana Fajardini Reichow wrote in #note-4:

> Yes, please assign the ticket to yourself, and thanks for asking! :)

But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?

Actions #6

Updated by Daniel Olatunji about 1 year ago

  • Status changed from New to In Progress
  • Assignee changed from Community Ticket to Daniel Olatunji
Actions #7

Updated by Juliana Fajardini Reichow about 1 year ago

Daniel Olatunji wrote in #note-5:

> But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?

Could you clarify what you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint32. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125

Actions #8

Updated by Juliana Fajardini Reichow about 1 year ago

One small extra request: I've noticed that there's a typo in the tcp.ack keyword documentation. On the first line, it reads "(...) previous (data)-bytes send by (...)" it should actually be "sent". Could you also fix that, in a separate commit?

Thanks a lot in advance :)

Actions #9

Updated by Daniel Olatunji about 1 year ago

Juliana Fajardini Reichow wrote in #note-7:

> Could you clarify what you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint32. Does that help you?
> cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125

Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.

Actions #10

Updated by Daniel Olatunji about 1 year ago

Juliana Fajardini Reichow wrote in #note-8:

> One small extra request: I've noticed that there's a typo in the tcp.ack keyword documentation. On the first line, it reads "(...) previous (data)-bytes send by (...)" it should actually be "sent". Could you also fix that, in a separate commit?
>
> Thanks a lot in advance :)

Yes! I noticed it earlier.

Will do.

Actions #11

Updated by Juliana Fajardini Reichow about 1 year ago

Daniel Olatunji wrote in #note-9:

> Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.

Can you elaborate on what you mean by matching the acknowledgment number to be included in the rule?

This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).

If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56

For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790f

Do those help you with the task?
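To make the two points in the comment above concrete (the ack value is a bounded 32-bit field, and the analyzer logs that integer under the keyword's registered name), here is a small added C example. It is not Suricata's code: `AckData`, `ParseAckValue` and `DumpAckMatch` are stand-ins I wrote for the project's `DetectAckData` struct, keyword setup and the analyzer's JsonBuilder output, and the JSON key names are my own choice, not necessarily what the project emits. It parses the option value of `ack:<number>` with the same range check a setup function needs, then writes the analyzer-style detail object into a buffer.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in (assumption) for Suricata's DetectAckData: the keyword stores
 * the acknowledgement number as a 32-bit unsigned integer, which is the
 * exact width of the TCP header field, so the value is bounded, not infinite. */
typedef struct AckData_ {
    uint32_t ack;
} AckData;

/* Parse the option value of "ack:<number>" into a 32-bit value.
 * Returns false for empty, negative, non-numeric or out-of-range input:
 * a TCP ack number can never exceed 2^32 - 1, so anything larger is a
 * rule-writing error that should be rejected at load time, not silently
 * truncated into a value that matches the wrong packets. */
bool ParseAckValue(const char *str, AckData *out)
{
    if (str == NULL || *str == '\0' || *str == '-')
        return false;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(str, &end, 10);
    if (errno != 0 || end == str || *end != '\0')
        return false;
    if (v > UINT32_MAX)
        return false;
    out->ack = (uint32_t)v;
    return true;
}

/* Stand-in (assumption) for the analyzer's per-keyword detail output.
 * Suricata builds this with its Rust JsonBuilder; here the same shape is
 * written with snprintf into a caller-supplied buffer:
 *   {"name":"ack","ack":{"number":<value>}}
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int DumpAckMatch(const AckData *ad, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
            "{\"name\":\"ack\",\"ack\":{\"number\":%" PRIu32 "}}", ad->ack);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample option values: two valid, three invalid. */
    const char *samples[] = { "0", "4294967295", "4294967296", "12abc", "-1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        AckData ad;
        char out[64];
        if (ParseAckValue(samples[i], &ad) && DumpAckMatch(&ad, out, sizeof(out)) > 0)
            printf("ack:%s -> %s\n", samples[i], out);
        else
            printf("ack:%s -> rejected (not a valid 32-bit ack number)\n", samples[i]);
    }
    return 0;
}
```

The range check is the part worth carrying over to real keyword code: the analyzer output is only as trustworthy as the value the setup function stored, so rejecting out-of-range input at rule load is what keeps the logged number meaningful.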

Actions #12

Updated by Daniel Olatunji about 1 year ago

Juliana Fajardini Reichow wrote in #note-11:

> Can you elaborate on what you mean by matching the acknowledgment number to be included in the rule?
>
> This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).
>
> If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
> If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56
>
> For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
> This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790f
>
> Do those help you with the task?

Ouuuu! Thank you for the in-depth explanation, I didn't know I would have to work with the code.

You see, I'm not well versed in either C or Rust; I usually just understand some of the code because of general programming knowledge.

Though, I'll still look into it if it's something I can manage; if not, I'll unclaim it.

Actions #13

Updated by Juliana Fajardini Reichow about 1 year ago

Daniel Olatunji wrote in #note-12:

> Ouuuu! Thank you for the in-depth explanation, I didn't know I would have to work with the code.
>
> You see, I'm not well versed in either C or Rust; I usually just understand some of the code because of general programming knowledge.
>
> Though, I'll still look into it if it's something I can manage; if not, I'll unclaim it.

I encourage you to give it a try, and reach out, if you need help.
The reason for that is that both our projects will involve coding, so it is important that you try those waters now, as you're applying for our internship projects :)

Actions #14

Updated by Daniel Olatunji about 1 year ago

Juliana Fajardini Reichow wrote in #note-13:

> I encourage you to give it a try, and reach out, if you need help.
> The reason for that is that both our projects will involve coding, so it is important that you try those waters now, as you're applying for our internship projects :)

Sure! I'll give it a try.
Thank you :).

Actions #15

Updated by Daniel Olatunji about 1 year ago

  • Status changed from In Progress to Resolved
Actions #17

Updated by Philippe Antoine 11 months ago

  • Status changed from Resolved to In Review
Actions #18

Updated by Juliana Fajardini Reichow 9 months ago

  • Status changed from In Review to Closed