Documentation #7770

open

json schema: extend to describe how a log field matches to a keyword in complex cases

Added by Philippe Antoine about 9 hours ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Examples from https://github.com/OISF/suricata/pull/13476

Log field krb5.ticket_weak_encryption goes with keyword krb5.ticket_encryption, but we may want to specify that the keyword should be used like krb5.ticket_encryption: weak;

Log field krb5.failed_request goes with keyword krb5_msg_type, but we should specify that this means using a transactional signature (with both sides) and also using krb5_err_code: !0

Last example from https://github.com/OISF/suricata/pull/13477

Log field app_proto_orig goes with keyword app-layer-protocol, but only when used with app-layer-protocol:xyz,original

I am not sure we want this...

