Documentation #7770 (Closed)
json schema: extend to describe how a log field matches to a keyword in complex cases
Description
Examples from https://github.com/OISF/suricata/pull/13476
Log field krb5.ticket_weak_encryption
goes with keyword krb5.ticket_encryption
but we may want to specify that the keyword should be used like krb5.ticket_encryption: weak;
Log field krb5.failed_request
goes with keyword krb5_msg_type
but we should specify that this means using a transactional signature (with both sides) and also using krb5_err_code: !0
Last example from https://github.com/OISF/suricata/pull/13477
Log field app_proto_orig
goes with keyword app-layer-protocol
but only when used with app-layer-protocol:xyz,original
I am not sure we want this...
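The three field-to-keyword correspondences listed above, worked through as an added example that is not part of the ticket or of Suricata's own code or schema. Given EVE-style records, it derives which rule options would have matched each event: the "weak" value for krb5.ticket_encryption, the two-sided krb5_msg_type plus krb5_err_code: !0 pair for failed_request, and the ",original" flag for app_proto_orig. The records are constructed, and the numeric error_code field is a simplification assumed here (real EVE output logs the symbolic error name).

```python
"""Added example: derive the rule options that would have matched an EVE record,
using the three field-to-keyword correspondences described in ticket #7770.
Not Suricata code; record layout is constructed and simplified."""
import json

# Constructed EVE-style records (not real Suricata output). The numeric
# error_code is an assumption for illustration; real EVE logs the symbolic name.
SAMPLE_EVE = [
    '{"event_type":"krb5","krb5":{"msg_type":"KRB_TGS_REP",'
    '"ticket_encryption":"rc4-hmac","ticket_weak_encryption":true}}',
    '{"event_type":"krb5","krb5":{"msg_type":"KRB_ERROR",'
    '"failed_request":"KRB_AS_REQ","error_code":25}}',
    '{"event_type":"krb5","krb5":{"msg_type":"KRB_AS_REP",'
    '"ticket_encryption":"aes256-cts-hmac-sha1-96","ticket_weak_encryption":false}}',
    '{"event_type":"alert","app_proto":"http2","app_proto_orig":"http",'
    '"alert":{"signature_id":1}}',
]

# Kerberos message type numbers from RFC 4120, for the request side of the
# transactional match (krb5_msg_type takes the numeric type).
KRB_MSG_TYPES = {"KRB_AS_REQ": 10, "KRB_TGS_REQ": 12}


def keywords_for_event(event: dict) -> list[str]:
    """Return the rule option fragments that correspond to the event's log fields,
    covering only the three 'complex' cases from the ticket."""
    opts = []
    krb5 = event.get("krb5", {})

    # 1. ticket_weak_encryption has no keyword of its own: it is
    #    krb5.ticket_encryption used with the special value "weak".
    if krb5.get("ticket_weak_encryption") is True:
        opts.append("krb5.ticket_encryption: weak;")

    # 2. failed_request is only reconstructible with a transactional signature:
    #    the request's message type on one side and a non-zero error code on the
    #    other. krb5_msg_type alone does not express it.
    if "failed_request" in krb5 and krb5.get("error_code", 0) != 0:
        req_type = KRB_MSG_TYPES[krb5["failed_request"]]
        opts.append(f"krb5_msg_type:{req_type}; krb5_err_code:!0;")

    # 3. app_proto_orig matches app-layer-protocol only with the ",original" flag;
    #    without it the keyword refers to the current protocol (app_proto).
    if "app_proto_orig" in event:
        opts.append(f"app-layer-protocol:{event['app_proto_orig']},original;")

    return opts


def keywords_for_log(lines) -> list[list[str]]:
    """Apply keywords_for_event to each JSON line of an EVE log."""
    return [keywords_for_event(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for line, opts in zip(SAMPLE_EVE, keywords_for_log(SAMPLE_EVE)):
        event_type = json.loads(line)["event_type"]
        print(event_type, "->", opts or "(plain field/keyword mapping, nothing special)")
```

The third record shows the ordinary case the existing schema already covers (a ticket_encryption value with no special qualifier), so it yields no extra option; the other three are exactly the cases where a bare field-to-keyword name mapping would mislead a rule writer.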
Updated by Philippe Antoine about 2 months ago
- Status changed from New to Rejected
I am not sure we want this ticket @Jason Ish
Updated by Jason Ish about 2 months ago
Philippe Antoine wrote in #note-1:
I am not sure we want this ticket @Jason Ish
I'm just not clear on how it fits into the schema. Seems more like stuff for the user manual.