Story #6597
openTask #4772: tracking: parity between fields logged and fields available for detection
rules: impove rules keyword/output parity
Description
For each application layer protocol, the overall process should be:
i. document the output of runningsrc/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords
Deliverables:
iv, vii, viii, ix
Updated by Juliana Fajardini Reichow 8 months ago
- Related to Documentation #6478: schema: add missing fields added
Updated by Juliana Fajardini Reichow 8 months ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine 8 months ago
My understanding is that the first step is to complete the json schema for DNS.
like tc boolean field is missing (just reviewing the code in rust/src/dns/log.rs and look for js.set_ calls
Updated by Hadiqa Alamdar Bukhari 7 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow about 2 months ago
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
I'll assign this to OISF Dev, as this is the parent ticket. Thanks for the work you've done, Hadiqa! :)
Updated by Jason Ish about 1 month ago
- Related to Feature #7095: rdp: keywords additions added
Updated by Lukas Sismis about 1 month ago
- Related to Feature #7100: smb: additional keywords added
Updated by Victor Julien about 1 month ago
- Subject changed from rules keyword/output parity: improve to tracking: impove rules keyword/output parity
- Status changed from In Progress to New
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 8.0.0-beta1 to 8.0.0
Updated by Victor Julien about 1 month ago
- Blocked by Feature #5642: DNS: parity between log fields and detection added
Updated by Victor Julien about 1 month ago
- Blocked by Feature #4153: app-layer: rust derive style macros to generate common code added
Updated by Victor Julien 21 days ago
- Tracker changed from Task to Story
- Subject changed from tracking: impove rules keyword/output parity to rules: impove rules keyword/output parity