Task #6354
closedTask #6308: detect/analyzer: add more keyword details
detect/analyzer: add more details for the tcp ack keyword
Added by Juliana Fajardini Reichow about 1 year ago. Updated 8 months ago.
Description
Add more details to the tcp ack keyword engine analysis output.
See what the TCP ack keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#ack
There are more general explanations in the parent task.
Updated by Juliana Fajardini Reichow about 1 year ago
- Copied from Task #6353: detect/analyzer: add more details for the tcp seq keyword added
Updated by Juliana Fajardini Reichow about 1 year ago
- Copied to Task #6355: detect/analyzer: add more details for the tcp.mss keyword added
Updated by Daniel Olatunji about 1 year ago
Can I claim this? It's a bit challenging for me, but it has taught quite a lot just for the little time I've spent looking around, I love it.
Updated by Juliana Fajardini Reichow about 1 year ago
Yes, please assign the ticket to yourself, and thanks for asking! :)
Updated by Daniel Olatunji about 1 year ago
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Updated by Daniel Olatunji about 1 year ago
- Status changed from New to In Progress
- Assignee changed from Community Ticket to Daniel Olatunji
Updated by Juliana Fajardini Reichow about 1 year ago
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125
Updated by Juliana Fajardini Reichow about 1 year ago
One small extra request: I've noticed that there's a typo in the tcp.ack keyword documentation. On the first line, it reads "(...) previous (data)-bytes send by (...)" it should actually be "sent". Could you also fix that, in a separate commit?
Thanks a lot in advance :)
Updated by Daniel Olatunji about 1 year ago
Juliana Fajardini Reichow wrote in #note-7:
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125
Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.
Updated by Daniel Olatunji about 1 year ago
Juliana Fajardini Reichow wrote in #note-8:
One small extra request: I've noticed that there's a typo in the tcp.ack keyword documentation. On the first line, it reads "(...) previous (data)-bytes send by (...)" it should actually be "sent". Could you also fix that, in a separate commit?
Thanks a lot in advance :)
Yes! I noticed it earlier.
Will do.
Updated by Juliana Fajardini Reichow about 1 year ago
Daniel Olatunji wrote in #note-9:
Juliana Fajardini Reichow wrote in #note-7:
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.
Can you elaborate on what do you mean by matching the acknowledgment number to be included in the rule?
This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).
If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56
For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790f
Do those help you with the task?
Updated by Daniel Olatunji about 1 year ago
Juliana Fajardini Reichow wrote in #note-11:
Daniel Olatunji wrote in #note-9:
Juliana Fajardini Reichow wrote in #note-7:
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.
Can you elaborate on what do you mean by matching the acknowledgment number to be included in the rule?
This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).
If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790fDo those help you with the task?
Ouuuu! Thank you for the in-depth explanation, I didn't know I would have to work with the codes.
You see, I'm not well versed it either C or Rust; I usually just understand some of the codes because of general programming knwoledge.
Though, I'll still look into it if it's something I can manage with; if not, I'll unclaim it.
Updated by Juliana Fajardini Reichow about 1 year ago
Daniel Olatunji wrote in #note-12:
Juliana Fajardini Reichow wrote in #note-11:
Daniel Olatunji wrote in #note-9:
Juliana Fajardini Reichow wrote in #note-7:
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.
Can you elaborate on what do you mean by matching the acknowledgment number to be included in the rule?
This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).
If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790fDo those help you with the task?
Ouuuu! Thank you for the in-depth explanation, I didn't know I would have to work with the codes.
You see, I'm not well versed it either C or Rust; I usually just understand some of the codes because of general programming knwoledge.
Though, I'll still look into it if it's something I can manage with; if not, I'll unclaim it.
I encourage you to give it a try, and reach out, if you need help.
The reason for that is that both our projects will involve coding, so it is important that you try those waters now, as you're applying for our internship projects :)
Updated by Daniel Olatunji about 1 year ago
Juliana Fajardini Reichow wrote in #note-13:
Daniel Olatunji wrote in #note-12:
Juliana Fajardini Reichow wrote in #note-11:
Daniel Olatunji wrote in #note-9:
Juliana Fajardini Reichow wrote in #note-7:
Daniel Olatunji wrote in #note-5:
Juliana Fajardini Reichow wrote in #note-4:
Yes, please assign the ticket to yourself, and thanks for asking! :)
But I'm confused about something, the value for "ack" can be infinite, how do I handle that? I was thinking I could use "tcp.flag:A"?
Could you clarify what do you mean when you say it can be infinite? If you check detect-tcp-ack.c, ack is defined as uint23. Does that help you?
cf https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L125Yes, it does help. But then, I still do not know how to go about how to match the "Acknowledgement number" to be included in the rule.
Can you elaborate on what do you mean by matching the acknowledgment number to be included in the rule?
This task is not to include anything new to the rule itself, but to add details to the information that is listed when Suricata analyses all added rules (running this test should help you understand what the output looks like: https://github.com/OISF/suricata-verify/pull/1387/files).
If you check this function, you'll see how we select the keyword we want to add details to: https://github.com/OISF/suricata/blob/master/src/detect-engine-analyzer.c#L721
If you check the keyword registration, you'll have access to how the engine refers to that keyword, internally: https://github.com/OISF/suricata/blob/master/src/detect-tcp-ack.c#L56For logging the value, in the tcp.ack case, ack is an integer, so look for JsonBuilder functions to log out that type of info (check function here: https://github.com/OISF/suricata/blob/master/rust/src/jsonbuilder.rs)
This is another work for adding keyword details: https://github.com/OISF/suricata/pull/8625/commits/2b85ab0ba18741f2d2873570cd5525c0f916790fDo those help you with the task?
Ouuuu! Thank you for the in-depth explanation, I didn't know I would have to work with the codes.
You see, I'm not well versed it either C or Rust; I usually just understand some of the codes because of general programming knwoledge.
Though, I'll still look into it if it's something I can manage with; if not, I'll unclaim it.
I encourage you to give it a try, and reach out, if you need help.
The reason for that is that both our projects will involve coding, so it is important that you try those waters now, as you're applying for our internship projects :)
Sure! I'll give it a try.
Thank you :).
Updated by Daniel Olatunji about 1 year ago
- Status changed from In Progress to Resolved
Updated by Daniel Olatunji about 1 year ago
PR for review(Suricata): https://github.com/OISF/suricata/pull/9605
PR for review(Suricata-verify): https://github.com/OISF/suricata-verify/pull/1423
Updated by Philippe Antoine 10 months ago
- Status changed from Resolved to In Review
Updated by Juliana Fajardini Reichow 8 months ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/10266