Project

General

Profile

Actions
Copy link

Feature #7485

open

rules: allow specifying explicit hooks

Added by Victor Julien 5 days ago. Updated 3 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

Currently specifying where a rule is hooked into the detection engine is not very easy to understand or control. The idea is to give the rule writer full control over this.

The 2nd field in the rule is the protocol. In some cases, a bit of a hook like control is provided here. Esp the "tcp-pkt" and "tcp-stream" provide this type of control.

In application layer protocols, there should be a minimum set of hooks, plus protocol specific sets.

  • dns:request_complete -- tx is complete in the request direction
  • dns:response_complete -- tx is complete is the response direction
  • http:request_complete
  • http:response_complete

Related issues 2 (2 open0 closed)

Related to Suricata - Optimization #4753: lua: fix inconsistency in the init "needs" keyNewJason IshActions
Related to Suricata - Story #7164: usecase: improve firewall usecaseNewVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 5 days ago

Actions
Copy link
 #2

Updated by Victor Julien 5 days ago

  • Related to Story #7164: usecase: improve firewall usecase added
Actions
Copy link
 #3

Updated by Victor Julien 3 days ago

  • Status changed from New to In Progress
  • Target version changed from TBD to 8.0.0-beta1

Got a working minimal prototype going.

Actions
Copy link

Also available in: Atom PDF