Project

General

Profile

Actions
Copy link

Task #6597

open

rules keyword/output parity: improve

Added by Juliana Fajardini Reichow 5 months ago. Updated about 1 month ago.

Status:
In Progress
Priority:
Normal
Assignee:
Hadiqa Alamdar Bukhari
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

For each application layer protocol, the overall process should be:

i. document the output of running
src/suricata --list-keyword | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords

Deliverables:
iv, vii, viii, ix

Subtasks 3 (2 open1 closed)

Feature #5642: DNS: parity between log fields and detectionNewOISF DevActions
Feature #6621: dns: add keyword for dns rcode: dns.rcodeResolvedHadiqa Alamdar BukhariActions
Feature #6666: dns: add keyword for dns rrtype: dns.rrtypeClosedHadiqa Alamdar BukhariActions

Related issues 2 (2 open0 closed)

Related to Suricata - Documentation #6478: schema: add missing fieldsNewCommunity TicketActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF