Actions
Story #6597
closed
JF
VJ
Task #4772: tracking: parity between fields logged and fields available for detection
rules: improve rules keyword/output parity
Story #6597:
rules: improve rules keyword/output parity
Description
For each application layer protocol, the overall process should be:
i. document the output of runningsrc/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords
Deliverables:
iv, vii, viii, ix
JF Updated by Juliana Fajardini Reichow over 2 years ago
- Related to Documentation #6478: schema: add missing fields added
JF Updated by Juliana Fajardini Reichow over 2 years ago
- Subtask #5642 added
JF Updated by Juliana Fajardini Reichow over 2 years ago
- Description updated (diff)
JF Updated by Juliana Fajardini Reichow over 2 years ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
PA Updated by Philippe Antoine over 2 years ago
My understanding is that the first step is to complete the json schema for DNS.
like tc boolean field is missing (just reviewing the code in rust/src/dns/log.rs and look for js.set_ calls
HA Updated by Hadiqa Alamdar Bukhari over 2 years ago
- Status changed from New to In Progress
JF Updated by Juliana Fajardini Reichow almost 2 years ago
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
I'll assign this to OISF Dev, as this is the parent ticket. Thanks for the work you've done, Hadiqa! :)
JI Updated by Jason Ish almost 2 years ago
- Related to Feature #7095: rdp: keywords additions added
LS Updated by Lukas Sismis almost 2 years ago
- Related to Feature #7100: smb: additional keywords added
VJ Updated by Victor Julien almost 2 years ago
- Subject changed from rules keyword/output parity: improve to tracking: impove rules keyword/output parity
- Status changed from In Progress to New
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 8.0.0-beta1 to 8.0.0
VJ Updated by Victor Julien almost 2 years ago
- Parent task set to #4772
VJ Updated by Victor Julien almost 2 years ago
- Subtask deleted (
#5642)
VJ Updated by Victor Julien almost 2 years ago
- Blocked by Feature #5642: DNS: parity between log fields and detection added
VJ Updated by Victor Julien almost 2 years ago
- Blocked by Feature #4153: app-layer: rust derive style macros to generate common code added
VJ Updated by Victor Julien almost 2 years ago
- Tracker changed from Task to Story
- Subject changed from tracking: impove rules keyword/output parity to rules: impove rules keyword/output parity
JF Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Feature #6198: smtp: add keywords for use in rules added
JF Updated by Juliana Fajardini Reichow over 1 year ago
- Subject changed from rules: impove rules keyword/output parity to rules: improve rules keyword/output parity
edit: fix type in issue subject
PA Updated by Philippe Antoine over 1 year ago
- Related to Task #6476: ftp: parity of logging and detection buffers added
VJ Updated by Victor Julien over 1 year ago
- Related to deleted (Task #6476: ftp: parity of logging and detection buffers)
VJ Updated by Victor Julien over 1 year ago
- Blocked by Task #6476: ftp: parity of logging and detection buffers added
VJ Updated by Victor Julien over 1 year ago
- Blocked by Task #6473: detect: smtp keyword coverage added
JF Updated by Juliana Fajardini Reichow over 1 year ago
- Blocked by Task #6463: eve/output: investigate how to track coverage / parity added
PA Updated by Philippe Antoine over 1 year ago
- Blocked by Task #7452: ldap: add keywords to match output added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7586: mime: expose 'headers' as a keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7587: mime: add email.body_md5 keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7588: mime: add email.cc keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Task #7591: mime: add email.date keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7592: mime: add email.from keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7593: mime: add email.message_id keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7594: mime: add email.status keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7595: mime: add email.subject keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7596: mime: add email.to keyword added
JF Updated by Juliana Fajardini Reichow about 1 year ago
- Blocked by Feature #7600: mime: add rule keywords added
JI Updated by Jason Ish 12 months ago
- Blocked by deleted (Feature #4153: app-layer: rust derive style macros to generate common code)
VJ Updated by Victor Julien 7 months ago
- Status changed from New to Resolved
VJ Updated by Victor Julien 7 months ago
- Related to Story #7901: 9.0.0: rules: improve rules keyword/output parity added
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Feature #7600: mime: add rule keywords)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Feature #7594: mime: add email.status keyword)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Feature #7587: mime: add email.body_md5 keyword)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Feature #7586: mime: expose 'headers' as a keyword)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Task #7452: ldap: add keywords to match output)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Task #6473: detect: smtp keyword coverage)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Task #6476: ftp: parity of logging and detection buffers)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Feature #5642: DNS: parity between log fields and detection)
VJ Updated by Victor Julien 7 months ago
- Blocked by deleted (Task #6463: eve/output: investigate how to track coverage / parity)
VJ Updated by Victor Julien 7 months ago
- Status changed from Resolved to Closed
Actions