Project

General

Profile

Actions

Story #6597

open

Task #4772: tracking: parity between fields logged and fields available for detection

rules: improve rules keyword/output parity

Added by Juliana Fajardini Reichow 12 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:

Description

For each application layer protocol, the overall process should be:

i. document the output of running
src/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords

Deliverables:
iv, vii, viii, ix


Related issues 9 (9 open0 closed)

Related to Suricata - Documentation #6478: schema: add missing fieldsNewCommunity TicketActions
Related to Suricata - Feature #7095: rdp: keywords additionsNewOISF DevActions
Related to Suricata - Feature #7100: smb: additional keywordsNewOISF DevActions
Related to Suricata - Feature #6198: Feature Request: Add "SMTP" keywords for use in rulesNewOISF DevActions
Blocked by Suricata - Feature #5642: DNS: parity between log fields and detectionAssignedJason IshActions
Blocked by Suricata - Feature #4153: app-layer: rust derive style macros to generate common codeAssignedJason IshActions
Blocked by Suricata - Task #6476: ftp: parity of logging and detection buffersNewOISF DevActions
Blocked by Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Blocked by Suricata - Task #6463: eve/output: investigate how to track coverage / parityNewOISF DevActions
Actions

Also available in: Atom PDF