Task #6443: Suricon 2023 brainstorm
Parent task: Task #4763: tracking: Suricon brainstorms

Added by Victor Julien about 1 year ago. Updated about 1 year ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Related issues: 55 (45 open, 10 closed), all in project Suricata (status, assignee)

Feature #1199: protocol: LDAP support (Closed, Giuseppe Longo)
Task #5682: tracking: smb performance issues (Assigned, Victor Julien)
Optimization #5679: tracking: useful log output (New, OISF Dev)
Feature #5665: rules: bidirectional transaction matching (In Review, Philippe Antoine)
Feature #5664: "Scope" bits should have an expiration (Assigned, Shivani Bhardwaj)
Feature #2772: Add MPLS labels to alert output (New, Community Ticket)
Feature #5675: protocol: MMS SCADA support (New, Community Ticket)
Feature #5642: DNS: parity between log fields and detection (Assigned, Jason Ish)
Task #4772: tracking: parity between fields logged and fields available for detection (Assigned, Victor Julien)
Feature #5773: Support DNS over HTTPS (DoH) (Closed, Philippe Antoine)
Task #4143: tracking: file.data improvements (Assigned, Jeff Lucovsky)
Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata events (New, Community Ticket)
Documentation #6452: userguide/ftp: clarify usage around ftp and ftp.data keyword (New, OISF Dev)
Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools (Assigned, Victor Julien)
Task #2167: tracking: eve enhancements (New, OISF Dev)
Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule (Closed, Jason Ish)
Feature #6453: Support DNS over TLS (New, OISF Dev)
Feature #4853: eve: Add information about Suricata version (New, OISF Dev)
Feature #6296: smtp: BDAT chunking support incl MIME parsing (Assigned, Victor Julien)
Task #4380: tracking: improvements to bits, ints, vars (Assigned, Victor Julien)
Feature #6456: output: binary logging (New, OISF Dev)
Feature #6457: eve: configurable list of fields in output (New, OISF Dev)
Documentation #6071: eve/schema: add descriptions to the schema (Assigned, Jason Ish)
Task #3299: tracking: Add support for industrial protocol (New, Community Ticket)
Feature #6464: protocol: profibus (New, Community Ticket)
Task #6463: eve/output: investigate how to track coverage / parity (New, OISF Dev)
Feature #5838: dpdk: NIC encapsulation stripping (Assigned, Lukas Sismis)
Feature #6465: multi-tenant: support vxlan as a selector (New, OISF Dev)
Feature #6466: multi-tenant: support mpls as a selector (New, OISF Dev)
Feature #6467: flow tracking: add other parameters to flow tracking (New, OISF Dev)
Feature #6472: HTTP/3 support (New, OISF Dev)
Task #6473: detect: smtp keyword coverage (Assigned, Victor Julien)
Task #6476: ftp: parity of logging and detection buffers (New, OISF Dev)
Feature #6198: Feature Request: Add "SMTP" keywords for use in rules (New, OISF Dev)
Feature #4876: Additional FTP Buffers (New, OISF Dev)
Feature #3260: SMTP Base64 Decoding of Message Body (New, OISF Dev)
Feature #3261: SMTP quoted-printable Decoding of Message Body (New, OISF Dev)
Documentation #6478: schema: add missing fields (New, Community Ticket)
Feature #5489: research: multi version rules; or version dependent rules (Closed, Jason Ish)
Feature #6290: support case insensitive testing of HTTP header name existence (Closed, Philippe Antoine)
Feature #5816: Exception policy stats counters (Resolved, Juliana Fajardini Reichow)
Feature #6482: Deployment: detect if capture is good enough (New, OISF Dev)
Feature #5681: datasets: add more transform layers to match on domains (New, OISF Dev)
Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets) (In Progress, Victor Julien)
Feature #5206: Buffer Dump Utility (New, OISF Dev)
Feature #2695: websocket support (Closed, Philippe Antoine)
Feature #4776: lua: vendor latest lua stable (In Progress, Jason Ish)
Feature #4775: lua: overhaul lua support (In Progress, Jason Ish)
Feature #4777: lua: implement sandboxing (Closed, Jason Ish)
Documentation #6484: userguide: add keyword performance results (New, OISF Dev)
Task #6485: [investigate] Scoring method for keywords and transforms (New, OISF Dev)
Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14 (Closed, Philippe Antoine)
Documentation #6486: userguide: explain pkt_on_wrong_thread counter (New, OISF Dev)
Bug #5220: fast_pattern specification in base64_data shouldn't be allowed (Closed, Shivani Bhardwaj)
Feature #6487: transform: from_base64 (Closed, Jeff Lucovsky)
#1

Updated by Philippe Antoine about 1 year ago

#2

Updated by Philippe Antoine about 1 year ago

  • Related to Task #5682: tracking: smb performance issues added

#3

Updated by Philippe Antoine about 1 year ago

#5

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #5665: rules: bidirectional transaction matching added

#6

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #5664: "Scope" bits should have an expiration added

#7

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #2772: Add MPLS labels to alert output added

#8

Updated by Philippe Antoine about 1 year ago

#9

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #5642: DNS: parity between log fields and detection added

#10

Updated by Philippe Antoine about 1 year ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added

#11

Updated by Philippe Antoine about 1 year ago

HTTP/3: no feedback from decryptors

More SMTP and FTP keywords and detection
- smtp.subject

#12

Updated by Philippe Antoine about 1 year ago

Philippe Antoine wrote in #note-11:

    HTTP/3: no feedback from decryptors

    More SMTP and FTP keywords and detection
    - smtp.subject

Frames support can be an alternative to a new keyword

#13

Updated by Philippe Antoine about 1 year ago

file.data does not work for SMTP body, SMTP body should be treated as a file

#14

Updated by Philippe Antoine about 1 year ago

#15

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Task #4143: tracking: file.data improvements added

#16

Updated by Philippe Antoine about 1 year ago

FTP file.name has a perf impact?

#17

Updated by Philippe Antoine about 1 year ago

Clarify the doc between ftp and ftp-data abilities

#18

Updated by Juliana Fajardini Reichow about 1 year ago

  • Subtask #6452 added

#19

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata events added

#20

Updated by Juliana Fajardini Reichow about 1 year ago

  • Subtask deleted (#6452)

#21

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Documentation #6452: userguide/ftp: clarify usage around ftp and ftp.data keyword added

#22

Updated by Philippe Antoine about 1 year ago

  • Related to Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools added

#23

Updated by Philippe Antoine about 1 year ago

Domain names can be in DNS names, HTTP host or TLS SNI, depending on the network, as not all networks carry all of these traffic types

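An added example of the point in #23 (this is not code from the ticket or from Suricata): pull domain names from whichever of the three sources a sensor actually sees, normalise them, and check them against a blocklist, so that a network with no DNS visibility still gets a hit from the HTTP Host header or the TLS SNI. Only the EVE field names (dns.rrname, http.hostname, tls.sni) come from Suricata's EVE JSON output; the sample lines and the blocklist are constructed, and the matching logic, including the walk up to parent domains, is this example's own and is not how Suricata datasets match.

```python
import json
from collections import defaultdict

# Constructed EVE sample (not real traffic): one domain that shows up via DNS,
# HTTP Host and TLS SNI, one only visible in SNI, an IP literal used as a Host
# header, and a non-domain event that must be ignored.
SAMPLE_EVE = """\
{"event_type":"dns","dns":{"type":"query","rrname":"Example.COM","rrtype":"A"}}
{"event_type":"http","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"event_type":"tls","tls":{"sni":"example.com.","subject":"CN=example.com"}}
{"event_type":"tls","tls":{"sni":"login.evil-domain.test"}}
{"event_type":"http","http":{"hostname":"10.0.0.5","url":"/healthz"}}
{"event_type":"flow","flow":{"pkts_toserver":3,"pkts_toclient":2}}
"""

# EVE object and field that carry the domain name, per event type.
DOMAIN_FIELDS = {
    "dns": ("dns", "rrname"),
    "http": ("http", "hostname"),
    "tls": ("tls", "sni"),
}


def normalize(name):
    """Lower-case, drop a trailing dot and a :port suffix, reject IPv4 literals."""
    name = name.strip().lower().rstrip(".")
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    if not name or name.replace(".", "").isdigit():
        return None
    return name


def extract_domains(eve_text):
    """Map each normalized domain to the set of event types it was seen in."""
    seen = defaultdict(set)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        spec = DOMAIN_FIELDS.get(ev.get("event_type"))
        if spec is None:
            continue
        obj, field = spec
        raw = ev.get(obj, {}).get(field)
        if raw:
            dom = normalize(raw)
            if dom:
                seen[dom].add(ev["event_type"])
    return dict(seen)


def match_blocklist(seen, blocklist):
    """Return {domain: sorted sources} where the domain or a parent is listed.

    The parent walk stops before the bare TLD, so "com" in a blocklist would
    not match every .com name.
    """
    hits = {}
    for dom, sources in seen.items():
        labels = dom.split(".")
        candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if candidates & set(blocklist):
            hits[dom] = sorted(sources)
    return hits


if __name__ == "__main__":
    seen = extract_domains(SAMPLE_EVE)
    for dom, sources in sorted(seen.items()):
        print(dom, "seen via", ", ".join(sorted(sources)))
    print("blocklist hits:", match_blocklist(seen, {"evil-domain.test"}))
```

Inside Suricata the equivalent is a dataset matched from the dns.query, http.host and tls.sni buffers, which needs one rule per buffer and exact string matching; making one list of domains usable across those buffers is the kind of gap #5681 above tracks.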
#24

Updated by Philippe Antoine about 1 year ago

Add client certificates information in output

Already done in suricata 7

#25

Updated by Philippe Antoine about 1 year ago

  • Related to Task #2167: tracking: eve enhancements added

#26

Updated by Philippe Antoine about 1 year ago

fileinfo event could have the name of the file being stored on disk

#27

Updated by Philippe Antoine about 1 year ago

Have a version field for each event?

#28

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule added

#29

Updated by Victor Julien about 1 year ago

#30

Updated by Victor Julien about 1 year ago

  • Related to Feature #4853: eve: Add information about Suricata version added

#31

Updated by Jason Ish about 1 year ago

  • Related to Feature #6296: smtp: BDAT chunking support incl MIME parsing added

#32

Updated by Jason Ish about 1 year ago

  • Related to Task #4380: tracking: improvements to bits, ints, vars added

#33

Updated by Philippe Antoine about 1 year ago

#34

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #6457: eve: configurable list of fields in output added

#35

Updated by Victor Julien about 1 year ago

#36

Updated by Jason Ish about 1 year ago

  • Related to Task #3299: tracking: Add support for industrial protocol added

#37

Updated by Jason Ish about 1 year ago

#38

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Task #6463: eve/output: investigate how to track coverage / parity added

#39

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #5838: dpdk: NIC encapsulation stripping added

#40

Updated by Jason Ish about 1 year ago

  • Related to Feature #6465: multi-tenant: support vxlan as a selector added

#41

Updated by Jason Ish about 1 year ago

  • Related to Feature #6466: multi-tenant: support mpls as a selector added

#42

Updated by Jason Ish about 1 year ago

  • Related to Feature #6467: flow tracking: add other parameters to flow tracking added

#43

Updated by Philippe Antoine about 1 year ago

#44

Updated by Victor Julien about 1 year ago

  • Related to Task #6473: detect: smtp keyword coverage added

#45

Updated by Jason Ish about 1 year ago

  • Related to Task #6476: ftp: parity of logging and detection buffers added

#46

Updated by Victor Julien about 1 year ago

  • Related to Feature #6198: Feature Request: Add "SMTP" keywords for use in rules added

#47

Updated by Jason Ish about 1 year ago

#48

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #3260: SMTP Base64 Decoding of Message Body added

#49

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #3261: SMTP quoted-printable Decoding of Message Body added

#50

Updated by Philippe Antoine about 1 year ago

#51

Updated by Victor Julien about 1 year ago

  • Related to Feature #5489: research: multi version rules; or version dependent rules added

#52

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #6290: support case insensitive testing of HTTP header name existence added

#53

Updated by Philippe Antoine about 1 year ago

detecting bad capture

unidirectional, encapsulation, duplicate packets...

#54

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Feature #5816: Exception policy stats counters added

#55

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #6482: Deployment: detect if capture is good enough added

#56

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Feature #5681: datasets: add more transform layers to match on domains added

#57

Updated by Philippe Antoine about 1 year ago

It would be great to find a way to reduce the impact of inspection on throughput performance, i.e. let's say throughput is 5 gig on a box but once Suricata is enabled it drops to a bit over 1 gig.

#58

Updated by Philippe Antoine about 1 year ago

doc/release: include a delta of changes to suricata.yaml

@Jason Ish just said he will create a ticket for this

#59

Updated by Philippe Antoine about 1 year ago

performance: Where do the packets get dropped?

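One way to turn the two notes above (#53, symptoms of a bad capture, and #59, where packets get dropped) into a concrete check, added here as an example and not code from the ticket or from Suricata: read EVE flow and stats records and flag a high share of unidirectional flows (one side never seen, typical of a SPAN or tap that only carries one direction), kernel drops as a share of captured packets, and a non-zero tcp.pkt_on_wrong_thread counter. The field names come from Suricata's EVE flow and stats output; the thresholds, the sample records and the function itself are this example's own. Duplicate packets and encapsulation mismatches cannot be seen in these records and are left out.

```python
import json

# Constructed EVE sample (not real sensor output): two bidirectional flows,
# three flows where the sensor only ever saw the client side, and one stats
# record. Suricata stats counters are cumulative since start-up, so a real
# check should diff two consecutive stats records instead of using one.
SAMPLE_EVE = """\
{"event_type":"flow","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1500,"bytes_toclient":9000}}
{"event_type":"flow","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":600,"bytes_toclient":700}}
{"event_type":"flow","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":420,"bytes_toclient":0}}
{"event_type":"flow","flow":{"pkts_toserver":4,"pkts_toclient":0,"bytes_toserver":240,"bytes_toclient":0}}
{"event_type":"flow","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":180,"bytes_toclient":0}}
{"event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":4000},"tcp":{"pkt_on_wrong_thread":250}}}
"""


def iter_events(eve_text):
    """Yield parsed EVE records, skipping blank or malformed lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def capture_health(eve_text, max_unidir_ratio=0.2, max_drop_ratio=0.01):
    """Summarise capture quality from EVE flow and stats records.

    The thresholds are illustrative choices for this example, not Suricata defaults.
    """
    flows = unidir = 0
    last_stats = None
    for ev in iter_events(eve_text):
        kind = ev.get("event_type")
        if kind == "flow":
            f = ev.get("flow", {})
            flows += 1
            # One direction never seen: asymmetric routing, one-sided SPAN, etc.
            if f.get("pkts_toserver", 0) == 0 or f.get("pkts_toclient", 0) == 0:
                unidir += 1
        elif kind == "stats":
            last_stats = ev.get("stats", {})  # keep the most recent snapshot

    unidir_ratio = unidir / flows if flows else 0.0
    cap = (last_stats or {}).get("capture", {})
    kernel_packets = cap.get("kernel_packets", 0)
    kernel_drops = cap.get("kernel_drops", 0)
    drop_ratio = kernel_drops / kernel_packets if kernel_packets else 0.0
    wrong_thread = (last_stats or {}).get("tcp", {}).get("pkt_on_wrong_thread", 0)

    findings = []
    if flows and unidir_ratio > max_unidir_ratio:
        findings.append(f"{unidir}/{flows} flows are unidirectional ({unidir_ratio:.0%}); "
                        "capture is probably missing one direction")
    if drop_ratio > max_drop_ratio:
        findings.append(f"capture.kernel_drops is {drop_ratio:.2%} of capture.kernel_packets; "
                        "packets are lost before Suricata sees them")
    if wrong_thread:
        findings.append(f"tcp.pkt_on_wrong_thread={wrong_thread}; "
                        "packets of the same flow are landing on different threads")

    return {
        "flows": flows,
        "unidirectional": unidir,
        "unidir_ratio": unidir_ratio,
        "drop_ratio": drop_ratio,
        "wrong_thread": wrong_thread,
        "findings": findings,
    }


if __name__ == "__main__":
    report = capture_health(SAMPLE_EVE)
    for line in report["findings"] or ["no capture problems detected"]:
        print(line)
```

Run it against eve.json with stats logging enabled; a drop ratio that grows between two stats records points at the capture side (NIC or kernel), while unidirectional flows with zero kernel drops point at the tap or mirror configuration rather than at Suricata.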
#60

Updated by Philippe Antoine about 1 year ago

  • Related to Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets) added

#61

Updated by Victor Julien about 1 year ago

#62

Updated by Philippe Antoine about 1 year ago

Discussion about Lua vendoring...

#63

Updated by Philippe Antoine about 1 year ago

Being able to ship JA4+ as a plugin

#64

Updated by Philippe Antoine about 1 year ago

#65

Updated by Philippe Antoine about 1 year ago

#66

Updated by Jason Ish about 1 year ago

#67

Updated by Jason Ish about 1 year ago

#68

Updated by Juliana Fajardini Reichow about 1 year ago

#69

Updated by Juliana Fajardini Reichow about 1 year ago

  • Related to Task #6485: [investigate] Scoring method for keywords and transforms added

#70

Updated by Philippe Antoine about 1 year ago

  • Related to Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14 added

#71

Updated by Juliana Fajardini Reichow about 1 year ago

#72

Updated by Philippe Antoine about 1 year ago

  • Related to Bug #5220: fast_pattern specification in base64_data shouldn't be allowed added

#73

Updated by Jason Ish about 1 year ago
