Task #6308: detect/analyzer: add more keyword details

Task #6356: detect/analyzer: add more details for the tcp.hdr keyword

Added by Juliana Fajardini Reichow over 2 years ago. Updated 5 months ago.

Status: New
Priority: Normal
Target version:
Effort:
Difficulty:
Label: Beginner, C, Outreachy

Description

Add more details to the tcp.hdr keyword engine analysis output.

See what the tcp.hdr keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr

There are more general explanations in the parent task.


Related issues (1 open, 1 closed)

Copied from Suricata - Task #6355: detect/analyzer: add more details for the tcp.mss keyword (Closed, Daniel Olatunji)
Copied to Suricata - Task #6358: detect/analyzer: add more details for the ICMP itype keyword (Assigned, Community Ticket)

#1 Updated by Juliana Fajardini Reichow over 2 years ago

  • Copied from Task #6355: detect/analyzer: add more details for the tcp.mss keyword added

#2 Updated by Juliana Fajardini Reichow over 2 years ago

  • Copied to Task #6358: detect/analyzer: add more details for the ICMP itype keyword added

#3 Updated by Hadiqa Alamdar Bukhari over 2 years ago

Hi, can this ticket please be assigned to me?

#4 Updated by Juliana Fajardini Reichow over 2 years ago

Hadiqa Alamdar Bukhari wrote in #note-3:

Hi, can this ticket please be assigned to me?

Please feel free to assign it to yourself. Thanks for your interest :)

#5 Updated by Hadiqa Alamdar Bukhari over 2 years ago

  • Assignee changed from Community Ticket to Hadiqa Alamdar Bukhari

#6 Updated by Hadiqa Alamdar Bukhari over 2 years ago

  • Status changed from New to In Progress

#7 Updated by Hadiqa Alamdar Bukhari over 2 years ago

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data, i.e. payload keywords
  2. data length, which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

#8 Updated by Shivani Bhardwaj over 2 years ago

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data, i.e. payload keywords
  2. data length, which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Hi, Hadiqa!
Well done with the research! :) This keyword is indeed a sticky buffer and these seem to be already covered by mpm and pkt_engines sections. I don't think we need to repeat them. Thoughts, @Juliana Fajardini Reichow?

#9 Updated by Juliana Fajardini Reichow over 2 years ago

Hadiqa Alamdar Bukhari wrote in #note-7:

https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
  1. data, i.e. payload keywords
  2. data length, which is the tcp header length.

Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something and links to any further documentation.

Trying to look for a somewhat similar keyword case (http_header), when I look at the SV test for it (https://github.com/OISF/suricata-verify/tree/master/tests/rules/http-header), this makes me expect that the `tcphdr` engine-analysis output would do something similar. Thinking of the rule used as an example in the documentation:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S,12; tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative; sid:1234; rev:5;)

I would expect the json object to show the content and offset, at least - since we already have a case for the `bytetest` keyword, so probably don't need to cover that bit.

Thinking a bit more, I think that the `content` part could probably use the DumpContent function https://github.com/OISF/suricata/blob/2fe2d82506f5697d45ce28642bd3bb3780f3b369/src/detect-engine-analyzer.c#L684, even.
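To make concrete what an engine-analysis entry for this rule's tcp.hdr section has to describe, here is an added example (not Suricata code, not from this ticket) that builds a constructed TCP SYN header carrying an MSS option and evaluates the rule's flags, content/offset and byte_test conditions against the tcp.hdr buffer in Python. It assumes the ",12" modifier means the two reserved (CWR/ECE) bits are ignored, and it ignores the rule's address and port constraints.

```python
import struct

# Conditions taken from the documentation rule quoted above:
# flags:S,12; tcp.hdr; content:"|02 04|"; offset:20;
# byte_test:2,<,536,0,big,relative
RULE_CONTENT = b"\x02\x04"  # MSS option: kind 2, length 4
RULE_OFFSET = 20            # search starts right after the 20-byte fixed header
BYTE_TEST_LIMIT = 536       # byte_test: 2 bytes, big endian, relative, must be < 536


def build_tcp_header(mss, flags=0x02, src_port=40000, dst_port=80):
    """Construct a sample TCP header (20 fixed bytes + a 4-byte MSS option).

    Constructed test data, not a captured packet. flags defaults to SYN (0x02).
    """
    data_offset_words = 6  # 24 bytes / 4
    offset_flags = (data_offset_words << 12) | flags
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                        offset_flags, 65535, 0, 0)
    mss_option = struct.pack("!BBH", 2, 4, mss)
    return fixed + mss_option


def tcp_hdr_buffer(packet):
    """The tcp.hdr sticky buffer: header bytes up to the data offset, options included."""
    data_offset = (packet[12] >> 4) * 4
    return packet[:data_offset]


def rule_matches(packet):
    """Evaluate flags:S,12 plus the tcp.hdr content/offset/byte_test chain."""
    flags = packet[13]
    # flags:S,12 -> exactly SYN, after masking the two reserved bits (0xC0)
    if (flags & 0x3F) != 0x02:
        return False
    hdr = tcp_hdr_buffer(packet)
    # content:"|02 04|"; offset:20 -> search for the MSS option from byte 20 onward
    pos = hdr.find(RULE_CONTENT, RULE_OFFSET)
    if pos < 0:
        return False
    # byte_test:2,<,536,0,big,relative -> 2 bytes right after the content match
    cursor = pos + len(RULE_CONTENT)
    if cursor + 2 > len(hdr):
        return False
    mss = struct.unpack("!H", hdr[cursor:cursor + 2])[0]
    return mss < BYTE_TEST_LIMIT
```

The analyzer output being asked for in this ticket would describe exactly these pieces (the buffer, the content with its offset, and the relative byte_test), which is why the content/offset part is the minimum to show.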

#10 Updated by Hadiqa Alamdar Bukhari over 2 years ago

  • Status changed from In Progress to New
  • Assignee changed from Hadiqa Alamdar Bukhari to Community Ticket

#11 Updated by Victor Julien almost 2 years ago

  • Target version changed from 8.0.0-beta1 to TBD

#12 Updated by Olusegun Fajobi 6 months ago

  • Assignee changed from Community Ticket to Olusegun Fajobi

#13 Updated by Olusegun Fajobi 6 months ago

  • Assignee changed from Olusegun Fajobi to Community Ticket

#14 Updated by Jhonny Sousa 5 months ago

  • Assignee changed from Community Ticket to Jhonny Sousa

#15 Updated by Jhonny Sousa 5 months ago · Edited

  • Assignee changed from Jhonny Sousa to Community Ticket