Project

General

Profile

Actions

Task #6443

open

Task #4763: tracking: Suricon brainstorms

Suricon 2023 brainstorm

Added by Victor Julien 8 months ago. Updated 8 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Related issues 55 (48 open7 closed)

Related to Suricata - Feature #1199: protocol: LDAP supportIn ReviewGiuseppe LongoActions
Related to Suricata - Task #5682: tracking: smb performance issuesAssignedVictor JulienActions
Related to Suricata - Optimization #5679: tracking: useful log outputNewOISF DevActions
Related to Suricata - Feature #5665: rules: bidirectional transaction matchingIn ReviewPhilippe AntoineActions
Related to Suricata - Feature #5664: "Scope" bits should have an expirationAssignedShivani BhardwajActions
Related to Suricata - Feature #2772: Add MPLS labels to alert outputAssignedCommunity TicketActions
Related to Suricata - Feature #5675: protocol: MMS SCADA supportNewCommunity TicketActions
Related to Suricata - Feature #5642: DNS: parity between log fields and detectionNewJason IshActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Related to Suricata - Feature #5773: Support DNS over HTTPS (DoH)In ReviewPhilippe AntoineActions
Related to Suricata - Task #4143: tracking: file.data improvementsAssignedJeff LucovskyActions
Related to Suricata - Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata eventsNewCommunity TicketActions
Related to Suricata - Documentation #6452: userguide/ftp: clarify usage around ftp and ftp.data keywordNewOISF DevActions
Related to Suricata - Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption toolsAssignedVictor JulienActions
Related to Suricata - Task #2167: tracking: eve enhancementsAssignedOISF DevActions
Related to Suricata - Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the ruleClosedJason IshActions
Related to Suricata - Feature #6453: Support DNS over TLSNewOISF DevActions
Related to Suricata - Feature #4853: eve: Add information about Suricata versionAssignedOISF DevActions
Related to Suricata - Feature #6296: smtp: BDAT chunking support incl MIME parsingAssignedVictor JulienActions
Related to Suricata - Task #4380: tracking: improvements to bits, ints, varsAssignedVictor JulienActions
Related to Suricata - Feature #6456: output: binary loggingNewOISF DevActions
Related to Suricata - Feature #6457: eve: configurable list of fields in outputNewOISF DevActions
Related to Suricata - Documentation #6071: eve/schema: add descriptions to the schemaAssignedJason IshActions
Related to Suricata - Task #3299: Tracking: Add support for industrial protocolNewCommunity TicketActions
Related to Suricata - Feature #6464: protocol: profibusNewCommunity TicketActions
Related to Suricata - Task #6463: eve/output: investigate how to track coverage / parityNewOISF DevActions
Related to Suricata - Feature #5838: dpdk: NIC encapsulation strippingAssignedLukas SismisActions
Related to Suricata - Feature #6465: multi-tenant: support vxlan as a selectorNewOISF DevActions
Related to Suricata - Feature #6466: multi-tenant: support mpls as a selectorNewOISF DevActions
Related to Suricata - Feature #6467: flow tracking: add other parameters to flow trackingNewOISF DevActions
Related to Suricata - Feature #6472: HTTP/3 supportNewOISF DevActions
Related to Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Related to Suricata - Task #6476: ftp: parity of logging and detection buffersNewOISF DevActions
Related to Suricata - Feature #6198: Feature Request: Add "SMTP" keywords for use in rulesNewOISF DevActions
Related to Suricata - Feature #4876: Additional FTP BuffersNewOISF DevActions
Related to Suricata - Feature #3260: SMTP Base64 Decoding of Message BodyNewOISF DevActions
Related to Suricata - Feature #3261: SMTP quoted-printable Decoding of Message BodyNewOISF DevActions
Related to Suricata - Documentation #6478: schema: add missing fieldsNewCommunity TicketActions
Related to Suricata - Feature #5489: research: multi version rules; or version dependent rulesClosedJason IshActions
Related to Suricata - Feature #6290: support case insensitive testing of HTTP header name existenceClosedPhilippe AntoineActions
Related to Suricata - Feature #5816: Exception policy stats countersResolvedJuliana Fajardini ReichowActions
Related to Suricata - Feature #6482: Deployment: detect if capture is good enoughNewOISF DevActions
Related to Suricata - Feature #5681: datasets: add more transform layers to match on domainsNewOISF DevActions
Related to Suricata - Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets)In ProgressVictor JulienActions
Related to Suricata - Feature #5206: Buffer Dump UtilityNewOISF DevActions
Related to Suricata - Feature #2695: websocket supportClosedPhilippe AntoineActions
Related to Suricata - Feature #4776: lua: vendor latest lua stableAssignedJason IshActions
Related to Suricata - Feature #4775: lua: overhaul lua supportIn ProgressJason IshActions
Related to Suricata - Feature #4777: lua: implement sandboxingClosedJason IshActions
Related to Suricata - Documentation #6484: userguide: add keyword performance resultsNewOISF DevActions
Related to Suricata - Task #6485: [investigate] Scoring method for keywords and transformsNewOISF DevActions
Related to Suricata - Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14ClosedPhilippe AntoineActions
Related to Suricata - Documentation #6486: userguide: explain pkt_on_wrong_thread counterNewOISF DevActions
Related to Suricata - Bug #5220: fast_pattern specification in base64_data shouldn't be allowedClosedShivani BhardwajActions
Related to Suricata - Feature #6487: transform: from_base64In ReviewJeff LucovskyActions
Actions #1

Updated by Philippe Antoine 8 months ago

Actions #2

Updated by Philippe Antoine 8 months ago

  • Related to Task #5682: tracking: smb performance issues added
Actions #3

Updated by Philippe Antoine 8 months ago

Actions #5

Updated by Philippe Antoine 8 months ago

  • Related to Feature #5665: rules: bidirectional transaction matching added
Actions #6

Updated by Philippe Antoine 8 months ago

  • Related to Feature #5664: "Scope" bits should have an expiration added
Actions #7

Updated by Philippe Antoine 8 months ago

  • Related to Feature #2772: Add MPLS labels to alert output added
Actions #8

Updated by Philippe Antoine 8 months ago

Actions #9

Updated by Philippe Antoine 8 months ago

  • Related to Feature #5642: DNS: parity between log fields and detection added
Actions #10

Updated by Philippe Antoine 8 months ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Actions #11

Updated by Philippe Antoine 8 months ago

HTTP/3 : no feedback from decryptors

More SMTP and FTP keywords and detection
- smtp.subject

Actions #12

Updated by Philippe Antoine 8 months ago

Philippe Antoine wrote in #note-11:

HTTP/3 : no feedback from decryptors

More SMTP and FTP keywords and detection
- smtp.subject

Frames support can be an alternative to a new keyword

Actions #13

Updated by Philippe Antoine 8 months ago

file.data does not work for SMTP body, SMTP body should be treated as a file

Actions #14

Updated by Philippe Antoine 8 months ago

Actions #15

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Task #4143: tracking: file.data improvements added
Actions #16

Updated by Philippe Antoine 8 months ago

FTP file.name has a perf impact ?

Actions #17

Updated by Philippe Antoine 8 months ago

Clarify the doc between ftp and ftp-data abilities

Actions #18

Updated by Juliana Fajardini Reichow 8 months ago

  • Subtask #6452 added
Actions #19

Updated by Philippe Antoine 8 months ago

  • Related to Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata events added
Actions #20

Updated by Juliana Fajardini Reichow 8 months ago

  • Subtask deleted (#6452)
Actions #21

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Documentation #6452: userguide/ftp: clarify usage around ftp and ftp.data keyword added
Actions #22

Updated by Philippe Antoine 8 months ago

  • Related to Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools added
Actions #23

Updated by Philippe Antoine 8 months ago

Domain name can be in DNS names, HTTP host or TLS sni based on the networks that do not have all these traffics

Actions #24

Updated by Philippe Antoine 8 months ago

Add client certificates information in output

Already done in suricata 7

Actions #25

Updated by Philippe Antoine 8 months ago

  • Related to Task #2167: tracking: eve enhancements added
Actions #26

Updated by Philippe Antoine 8 months ago

fileinfo event could hav the name of the file being stored on disk

Actions #27

Updated by Philippe Antoine 8 months ago

Have a version field for each event ?

Actions #28

Updated by Philippe Antoine 8 months ago

  • Related to Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule added
Actions #29

Updated by Victor Julien 8 months ago

Actions #30

Updated by Victor Julien 8 months ago

  • Related to Feature #4853: eve: Add information about Suricata version added
Actions #31

Updated by Jason Ish 8 months ago

  • Related to Feature #6296: smtp: BDAT chunking support incl MIME parsing added
Actions #32

Updated by Jason Ish 8 months ago

  • Related to Task #4380: tracking: improvements to bits, ints, vars added
Actions #33

Updated by Philippe Antoine 8 months ago

Actions #34

Updated by Philippe Antoine 8 months ago

  • Related to Feature #6457: eve: configurable list of fields in output added
Actions #35

Updated by Victor Julien 8 months ago

Actions #36

Updated by Jason Ish 8 months ago

  • Related to Task #3299: Tracking: Add support for industrial protocol added
Actions #37

Updated by Jason Ish 8 months ago

Actions #38

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Task #6463: eve/output: investigate how to track coverage / parity added
Actions #39

Updated by Philippe Antoine 8 months ago

  • Related to Feature #5838: dpdk: NIC encapsulation stripping added
Actions #40

Updated by Jason Ish 8 months ago

  • Related to Feature #6465: multi-tenant: support vxlan as a selector added
Actions #41

Updated by Jason Ish 8 months ago

  • Related to Feature #6466: multi-tenant: support mpls as a selector added
Actions #42

Updated by Jason Ish 8 months ago

  • Related to Feature #6467: flow tracking: add other parameters to flow tracking added
Actions #43

Updated by Philippe Antoine 8 months ago

Actions #44

Updated by Victor Julien 8 months ago

  • Related to Task #6473: detect: smtp keyword coverage added
Actions #45

Updated by Jason Ish 8 months ago

  • Related to Task #6476: ftp: parity of logging and detection buffers added
Actions #46

Updated by Victor Julien 8 months ago

  • Related to Feature #6198: Feature Request: Add "SMTP" keywords for use in rules added
Actions #47

Updated by Jason Ish 8 months ago

Actions #48

Updated by Philippe Antoine 8 months ago

  • Related to Feature #3260: SMTP Base64 Decoding of Message Body added
Actions #49

Updated by Philippe Antoine 8 months ago

  • Related to Feature #3261: SMTP quoted-printable Decoding of Message Body added
Actions #50

Updated by Philippe Antoine 8 months ago

Actions #51

Updated by Victor Julien 8 months ago

  • Related to Feature #5489: research: multi version rules; or version dependent rules added
Actions #52

Updated by Philippe Antoine 8 months ago

  • Related to Feature #6290: support case insensitive testing of HTTP header name existence added
Actions #53

Updated by Philippe Antoine 8 months ago

detecting bad capture

unidirectional, encapsulation, duplicate packets...

Actions #54

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Feature #5816: Exception policy stats counters added
Actions #55

Updated by Philippe Antoine 8 months ago

  • Related to Feature #6482: Deployment: detect if capture is good enough added
Actions #56

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Feature #5681: datasets: add more transform layers to match on domains added
Actions #57

Updated by Philippe Antoine 8 months ago

it would great to find a way to reduce impact of inspection on throughput performance. i.e. let’s say throughput is 5 gig on a box but once Suricata is enabled it drops to a bit over 1 gig.

Actions #58

Updated by Philippe Antoine 8 months ago

doc/release: include a delta of changes to suricata.yaml

@Jason Ish just said he will create a ticket for this

Actions #59

Updated by Philippe Antoine 8 months ago

performance: Where do the packets get dropped ?

Actions #60

Updated by Philippe Antoine 8 months ago

  • Related to Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets) added
Actions #61

Updated by Victor Julien 8 months ago

Actions #62

Updated by Philippe Antoine 8 months ago

Discussion about LUA vendoring...

Actions #63

Updated by Philippe Antoine 8 months ago

Being able to ship JA4+ as a plugin

Actions #64

Updated by Philippe Antoine 8 months ago

Actions #65

Updated by Philippe Antoine 8 months ago

Actions #66

Updated by Jason Ish 8 months ago

Actions #67

Updated by Jason Ish 8 months ago

Actions #68

Updated by Juliana Fajardini Reichow 8 months ago

Actions #69

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Task #6485: [investigate] Scoring method for keywords and transforms added
Actions #70

Updated by Philippe Antoine 8 months ago

  • Related to Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14 added
Actions #71

Updated by Juliana Fajardini Reichow 8 months ago

Actions #72

Updated by Philippe Antoine 8 months ago

  • Related to Bug #5220: fast_pattern specification in base64_data shouldn't be allowed added
Actions #73

Updated by Jason Ish 8 months ago

Actions

Also available in: Atom PDF