Optimization #7304: detect: improve support for multi-protocol keywords - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #7304

closed

PA PA

detect: improve support for multi-protocol keywords

Optimization #7304: detect: improve support for multi-protocol keywords

Added by Philippe Antoine over 1 year ago. Updated about 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Have a rule like
alert ip any any -> any any (sid: 1; file.data; content: "toto"; ja3.hash; content: "abcdef0123456789abcdef0123456789";)
failing to load

Currently, multi protocol keywords are :
- DCERPC/SMB stuff
- JA3/JA4 for quic/tls
- file keywords
- HTTP/1 HTTP/2 somehow
DoH2 does not have this...

Related issues 1 (0 open — 1 closed)

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#1

Status changed from New to In Review
Target version changed from TBD to 8.0.0-beta1

https://github.com/OISF/suricata/pull/12149

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#2

Related to Task #5053: app-layer: dynamic alproto IDs added

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#3

I think DCERPC over SMB and DNS over HTTP are the same logically, even if not in Suricata code...

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
#4

Status changed from In Review to Closed

https://github.com/OISF/suricata/pull/12623

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
#5

Subject changed from Better support multi-protocol keywords to detect: improve support for multi-protocol keywords

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries