Task #6356
Parent: Task #6308 (open): detect/analyzer: add more keyword details
detect/analyzer: add more details for the tcp.hdr keyword
Added by Juliana Fajardini Reichow about 1 year ago. Updated 5 months ago.
Description
Add more details to the tcp.hdr keyword engine analysis output.
See what the tcp.hdr keyword has on https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
There are more general explanations in the parent task.
Updated by Juliana Fajardini Reichow about 1 year ago
- Copied from Task #6355: detect/analyzer: add more details for the tcp.mss keyword added
Updated by Juliana Fajardini Reichow about 1 year ago
- Copied to Task #6358: detect/analyzer: add more details for the ICMP itype keyword added
Updated by Hadiqa Alamdar Bukhari about 1 year ago
Hi, can this ticket please be assigned to me?
Updated by Juliana Fajardini Reichow about 1 year ago
Hadiqa Alamdar Bukhari wrote in #note-3:
Hi, can this ticket please be assigned to me?
Please feel free to assign it to yourself. Thanks for your interest :)
Updated by Hadiqa Alamdar Bukhari about 1 year ago
- Assignee changed from Community Ticket to Hadiqa Alamdar Bukhari
Updated by Hadiqa Alamdar Bukhari about 1 year ago
- Status changed from New to In Progress
Updated by Hadiqa Alamdar Bukhari about 1 year ago
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
- data, i.e. payload keywords
- data length, which is the tcp header length.
Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something, and any links to further documentation.
Updated by Shivani Bhardwaj about 1 year ago
Hadiqa Alamdar Bukhari wrote in #note-7:
https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
- data, i.e. payload keywords
- data length, which is the tcp header length.
Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something, and any links to further documentation.
Hi, Hadiqa!
Well done with the research! :) This keyword is indeed a sticky buffer and these seem to be already covered by mpm and pkt_engines sections. I don't think we need to repeat them. Thoughts, @Juliana Fajardini Reichow ?
Updated by Juliana Fajardini Reichow about 1 year ago
Hadiqa Alamdar Bukhari wrote in #note-7:
https://docs.suricata.io/en/suricata-6.0.1/rules/http-keywords.html
https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr
I've been looking into the code and documentation of the tcphdr keyword, and I had some questions. After studying the links above, am I right to believe that the tcphdr is made of a sticky tcp buffer which has 2 parts:
- data, i.e. payload keywords
- data length, which is the tcp header length.
Should I therefore create a json object with data and data length fields inside it? Please let me know if I'm missing something, and any links to further documentation.
Trying to look for a somewhat similar keyword case (http_header), when I look at the SV test for it (https://github.com/OISF/suricata-verify/tree/master/tests/rules/http-header), this makes me expect that the `tcphdr` engine-analysis output would do something similar. Thinking of the rule used as an example in the documentation:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S,12; tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative; sid:1234; rev:5;)
I would expect the json object to show the content and offset, at least. Since we already have a case for the `bytetest` keyword, we probably don't need to cover that bit.
Thinking a bit more, I think that the `content` part could probably use the DumpContent function (https://github.com/OISF/suricata/blob/2fe2d82506f5697d45ce28642bd3bb3780f3b369/src/detect-engine-analyzer.c#L684), even.
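Worked example, added here and not part of the ticket or of Suricata's own code: it evaluates the documentation rule quoted above (sid:1234) against constructed SYN segments, treating the tcp.hdr buffer as the TCP header including options, so the content/offset/byte_test semantics that the engine-analysis output would describe can be seen concretely. The segment builder and helper names are my own assumptions, not Suricata APIs.

```python
import struct

def build_segment(flags: int, options: bytes) -> bytes:
    """Constructed sample TCP segment (not a real capture): fixed header plus options."""
    options += b"\x00" * (-len(options) % 4)          # pad with EOL so the header stays 4-byte aligned
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, data_offset << 4, flags, 65535, 0, 0)
    return fixed + options

def tcp_hdr_buffer(segment: bytes) -> bytes:
    """The tcp.hdr sticky buffer: the TCP header including options, bounded by the data offset."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    return segment[:hdr_len]

def rule_1234_matches(segment: bytes) -> bool:
    """flags:S,12; tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative"""
    hdr = tcp_hdr_buffer(segment)
    # flags:S,12 -> exactly SYN set, ignoring the CWR and ECE bits (bits 1 and 2 of the flags byte)
    if hdr[13] & 0x3F != 0x02:
        return False
    # content:"|02 04|"; offset:20 -> look for the MSS option kind/length from byte 20 of the buffer
    pos = hdr.find(b"\x02\x04", 20)
    while pos != -1:
        end = pos + 2
        # byte_test:2,<,536,0,big,relative -> the 2 big-endian bytes right after the match must be < 536
        if end + 2 <= len(hdr):
            (mss,) = struct.unpack("!H", hdr[end:end + 2])
            if mss < 536:
                return True
        pos = hdr.find(b"\x02\x04", pos + 1)          # retry on later occurrences of the pattern
    return False

# Constructed inputs: SYN with MSS 460 (matches), SYN with MSS 1460, SYN/ACK with MSS 460
SYN_SMALL_MSS = build_segment(0x02, b"\x02\x04" + struct.pack("!H", 460))
SYN_NORMAL_MSS = build_segment(0x02, b"\x02\x04" + struct.pack("!H", 1460))
SYNACK_SMALL_MSS = build_segment(0x12, b"\x02\x04" + struct.pack("!H", 460))

if __name__ == "__main__":
    for name, seg in [("SYN/MSS 460", SYN_SMALL_MSS), ("SYN/MSS 1460", SYN_NORMAL_MSS),
                      ("SYN-ACK/MSS 460", SYNACK_SMALL_MSS)]:
        print(f"{name}: alert={rule_1234_matches(seg)}")
```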
Updated by Hadiqa Alamdar Bukhari 12 months ago
- Status changed from In Progress to New
- Assignee changed from Hadiqa Alamdar Bukhari to Community Ticket
Updated by Victor Julien 5 months ago
- Target version changed from 8.0.0-beta1 to TBD