Project

General

Profile

Actions

Task #6356

open

Task #6308: detect/analyzer: add more keyword details

detect/analyzer: add more details for the tcp.hdr keyword

Added by Juliana Fajardini Reichow over 1 year ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Beginner, C, Outreachy

Description

Add more details to the tcp.hdr keyword engine analysis output.

See what the tcp.hdr keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr

There are more general explanations in the parent task.


Related issues 2 (1 open1 closed)

Copied from Suricata - Task #6355: detect/analyzer: add more details for the tcp.mss keywordClosedDaniel OlatunjiActions
Copied to Suricata - Task #6358: detect/analyzer: add more details for the ICMP itype keywordAssignedCommunity TicketActions
Actions #1

Updated by Juliana Fajardini Reichow over 1 year ago

  • Copied from Task #6355: detect/analyzer: add more details for the tcp.mss keyword added
Actions #2

Updated by Juliana Fajardini Reichow over 1 year ago

  • Copied to Task #6358: detect/analyzer: add more details for the ICMP itype keyword added
Actions #3

Updated by Hadiqa Alamdar Bukhari about 1 year ago

Hi, can this ticket please be assigned to me?

Actions #4

Updated by Juliana Fajardini Reichow about 1 year ago

Hadiqa Alamdar Bukhari wrote in #note-3:

Hi, can this ticket please be assigned to me?

Please feel free to assign it to yourself. Thanks for your interest :)

Actions #5

Updated by Hadiqa Alamdar Bukhari about 1 year ago

  • Assignee changed from Community Ticket to Hadiqa Alamdar Bukhari
Actions #6

Updated by Hadiqa Alamdar Bukhari about 1 year ago

  • Status changed from New to In Progress
Actions #7

Updated by Hadiqa Alamdar Bukhari about 1 year ago

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data ie payload keywords
  2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Actions #8

Updated by Shivani Bhardwaj about 1 year ago

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data ie payload keywords
  2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Hi, Hadiqa!
Well done with the research! :) This keyword is indeed a sticky buffer and these seem to be already covered by mpm and pkt_engines sections. I don't think we need to repeat them. Thoughts, @Juliana Fajardini Reichow ?

Actions #9

Updated by Juliana Fajardini Reichow about 1 year ago

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data ie payload keywords
  2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Trying to look for a somewhat similar keyword case - http_header -, when I look at the SV test for it (https://github.com/OISF/suricata-verify/tree/master/tests/rules/http-header), this makes me expect that the `tcphdr` engine-analysis output would do something similar. Thinking of the rule used as example in the documentation

alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S,12; tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative; sid:1234; rev:5;)

I would expect the json object to show the content and offset, at least - since we already have a case for the `bytetest` keyword, so probably don't need to cover that bit.

Thinking a bit more, I think that the `content` part could probably use the DumpContent function https://github.com/OISF/suricata/blob/2fe2d82506f5697d45ce28642bd3bb3780f3b369/src/detect-engine-analyzer.c#L684, even.

Actions #10

Updated by Hadiqa Alamdar Bukhari about 1 year ago

  • Status changed from In Progress to New
  • Assignee changed from Hadiqa Alamdar Bukhari to Community Ticket
Actions #11

Updated by Victor Julien 6 months ago

  • Target version changed from 8.0.0-beta1 to TBD
Actions

Also available in: Atom PDF