Story #6597
openTask #4772: tracking: parity between fields logged and fields available for detection
rules: improve rules keyword/output parity
Description
For each application layer protocol, the overall process should be:
i. document the output of runningsrc/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords
Deliverables:
iv, vii, viii, ix
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Documentation #6478: schema: add missing fields added
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine over 1 year ago
My understanding is that the first step is to complete the json schema for DNS.
like tc boolean field is missing (just reviewing the code in rust/src/dns/log.rs and look for js.set_ calls
Updated by Hadiqa Alamdar Bukhari over 1 year ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 10 months ago
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
I'll assign this to OISF Dev, as this is the parent ticket. Thanks for the work you've done, Hadiqa! :)
Updated by Jason Ish 9 months ago
- Related to Feature #7095: rdp: keywords additions added
Updated by Lukas Sismis 9 months ago
- Related to Feature #7100: smb: additional keywords added
Updated by Victor Julien 9 months ago
- Subject changed from rules keyword/output parity: improve to tracking: impove rules keyword/output parity
- Status changed from In Progress to New
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 8.0.0-beta1 to 8.0.0
Updated by Victor Julien 9 months ago
- Blocked by Feature #5642: DNS: parity between log fields and detection added
Updated by Victor Julien 9 months ago
- Blocked by Feature #4153: app-layer: rust derive style macros to generate common code added
Updated by Victor Julien 9 months ago
- Tracker changed from Task to Story
- Subject changed from tracking: impove rules keyword/output parity to rules: impove rules keyword/output parity
Updated by Juliana Fajardini Reichow 7 months ago
- Related to Feature #6198: smtp: add keywords for use in rules added
Updated by Juliana Fajardini Reichow 6 months ago
- Subject changed from rules: impove rules keyword/output parity to rules: improve rules keyword/output parity
edit: fix type in issue subject
Updated by Philippe Antoine 6 months ago
- Related to Task #6476: ftp: parity of logging and detection buffers added
Updated by Victor Julien 6 months ago
- Related to deleted (Task #6476: ftp: parity of logging and detection buffers)
Updated by Victor Julien 6 months ago
- Blocked by Task #6476: ftp: parity of logging and detection buffers added
Updated by Victor Julien 6 months ago
- Blocked by Task #6473: detect: smtp keyword coverage added
Updated by Juliana Fajardini Reichow 6 months ago
- Blocked by Task #6463: eve/output: investigate how to track coverage / parity added
Updated by Philippe Antoine 4 months ago
- Blocked by Task #7452: ldap: add keywords to match output added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7586: mime: expose 'headers' as a keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7587: mime: add email.body_md5 keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7588: mime: add email.cc keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Task #7591: mime: add email.date keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7592: mime: add email.from keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7593: mime: add email.message_id keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Task #7594: mime: add email.status keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7595: mime: add email.subject keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7596: mime: add email.to keyword added
Updated by Juliana Fajardini Reichow 21 days ago
- Blocked by Feature #7600: mime: add rule keywords added