Optimization #7304: Better support multi-protocol keywords - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #7304

open

Better support multi-protocol keywords

Added by Philippe Antoine 3 months ago. Updated 2 days ago.

Status:

In Review

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Have a rule like
alert ip any any -> any any (sid: 1; file.data; content: "toto"; ja3.hash; content: "abcdef0123456789abcdef0123456789";)
failing to load

Currently, multi protocol keywords are :
- DCERPC/SMB stuff
- JA3/JA4 for quic/tls
- file keywords
- HTTP/1 HTTP/2 somehow
DoH2 does not have this...

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Updated by Philippe Antoine 27 days ago

Status changed from New to In Review
Target version changed from TBD to 8.0.0-beta1

https://github.com/OISF/suricata/pull/12149

Actions

Copy link

Updated by Philippe Antoine 27 days ago

Related to Task #5053: app-layer: dynamic alproto IDs added

Actions

Copy link

Updated by Philippe Antoine 2 days ago

I think DCERPC over SMB and DNS over HTTP are the same logically, even if not in Suricata code...

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries