Suricata

Hi, can this ticket please be assigned to me?

Hadiqa Alamdar Bukhari wrote in #note-3:

Hi, can this ticket please be assigned to me?

Please feel free to assign it to yourself. Thanks for your interest :)

1. data ie payload keywords
2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:

1. data ie payload keywords
2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Hi, Hadiqa!
Well done with the research! :) This keyword is indeed a sticky buffer and these seem to be already covered by mpm and pkt_engines sections. I don't think we need to repeat them. Thoughts, @Juliana Fajardini Reichow ?

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:

1. data ie payload keywords
2. data length which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Trying to look for a somewhat similar keyword case - http_header -, when I look at the SV test for it (https://github.com/OISF/suricata-verify/tree/master/tests/rules/http-header), this makes me expect that the `tcphdr` engine-analysis output would do something similar. Thinking of the rule used as example in the documentation

alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S,12; tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative; sid:1234; rev:5;)

Thinking a bit more, I think that the `content` part could probably use the DumpContent function https://github.com/OISF/suricata/blob/2fe2d82506f5697d45ce28642bd3bb3780f3b369/src/detect-engine-analyzer.c#L684, even.