Task #6597
openrules keyword/output parity: improve
Description
For each application layer protocol, the overall process should be:
i. document the output of runningsrc/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords
Deliverables:
iv, vii, viii, ix
Updated by Juliana Fajardini Reichow 5 months ago
- Related to Documentation #6478: schema: add missing fields added
Updated by Juliana Fajardini Reichow 5 months ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine 5 months ago
My understanding is that the first step is to complete the json schema for DNS.
like tc boolean field is missing (just reviewing the code in rust/src/dns/log.rs and look for js.set_ calls
Updated by Hadiqa Alamdar Bukhari 4 months ago
- Status changed from New to In Progress