
Documentation #7770

json schema : extend to describe how a log field matches to a keyword in complex cases

Added by Philippe Antoine 23 days ago. Updated 1 day ago.

Status:
Rejected
Priority:
Normal

Description

Examples from https://github.com/OISF/suricata/pull/13476

Log field krb5.ticket_weak_encryption goes with keyword krb5.ticket_encryption, but we may want to specify that the keyword should be used like krb5.ticket_encryption: weak;

Log field krb5.failed_request goes with keyword krb5_msg_type, but we should specify that this means using a transactional signature (with both sides) and also using krb5_err_code: !0

Last example from https://github.com/OISF/suricata/pull/13477

Log field app_proto_orig goes with keyword app-layer-protocol, but only when used with app-layer-protocol:xyz,original

I am not sure we want this...
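To make the proposal in the description concrete, here is an added example that is not Suricata's schema.json or code. It models a per-field annotation (the property name `x-keyword` is an assumption, not something the schema defines) that carries the keyword name, the exact rule-option form to use, and whether a transactional signature is needed, and then walks constructed EVE records to report which rule fragment documents each field that is set. The three entries mirror the three cases above; the EVE records are constructed, not captured output.

```python
"""Hypothetical log-field -> rule-keyword annotation, as an added example.

Not Suricata's schema.json or code. "x-keyword" is an assumed extension
property name; the three entries mirror the cases in the ticket.
"""
import json

# Constructed schema fragment keyed by dotted EVE field name.
SCHEMA_FRAGMENT = json.loads("""
{
  "krb5.ticket_weak_encryption": {
    "type": "boolean",
    "x-keyword": {
      "name": "krb5.ticket_encryption",
      "usage": "krb5.ticket_encryption: weak;"
    }
  },
  "krb5.failed_request": {
    "type": "boolean",
    "x-keyword": {
      "name": "krb5_msg_type",
      "usage": "krb5_err_code: !0;",
      "transactional": true,
      "note": "match both sides of the transaction: request msg type and error response"
    }
  },
  "app_proto_orig": {
    "type": "string",
    "x-keyword": {
      "name": "app-layer-protocol",
      "usage": "app-layer-protocol:{value},original;"
    }
  }
}
""")


def get_path(record, dotted):
    """Look up a dotted field name such as "krb5.failed_request" in a nested EVE record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def keyword_name(field):
    """Bare keyword name the annotation links the log field to."""
    return SCHEMA_FRAGMENT[field]["x-keyword"]["name"]


def needs_transactional_sig(field):
    """True when the annotation says a transactional (both-sides) signature is required."""
    return bool(SCHEMA_FRAGMENT[field]["x-keyword"].get("transactional", False))


def rule_fragment(field, record):
    """Rule-option text documented for `field`, or None if the field is absent/false.

    Placeholders such as {value} are filled from the log value, which is how
    app_proto_orig becomes app-layer-protocol:<proto>,original.
    """
    value = get_path(record, field)
    if value is None or value is False:
        return None
    usage = SCHEMA_FRAGMENT[field]["x-keyword"]["usage"]
    return usage.format(value=value)


def explain(record):
    """For each annotated field set in the record: (field, keyword, fragment, transactional)."""
    out = []
    for field in SCHEMA_FRAGMENT:
        frag = rule_fragment(field, record)
        if frag is not None:
            out.append((field, keyword_name(field), frag, needs_transactional_sig(field)))
    return out


# Constructed EVE records (not real captures) exercising the three cases.
WEAK_TICKET = {"event_type": "krb5",
               "krb5": {"msg_type": "KRB_TGS_REP", "ticket_weak_encryption": True,
                        "failed_request": False}}
FAILED_REQUEST = {"event_type": "krb5",
                  "krb5": {"msg_type": "KRB_ERROR", "failed_request": True,
                           "error_code": "KDC_ERR_PREAUTH_FAILED"}}
PROTO_CHANGE = {"event_type": "alert", "app_proto": "tls", "app_proto_orig": "smtp"}

if __name__ == "__main__":
    for rec in (WEAK_TICKET, FAILED_REQUEST, PROTO_CHANGE):
        for field, kw, frag, tx in explain(rec):
            print(f"{field}: keyword {kw} -> {frag}" + ("  [transactional sig]" if tx else ""))
```

The point the example makes is the one in the description: a flat field-to-keyword link is not enough, because the usable rule text (the `weak` value, the extra `krb5_err_code: !0`, the `,original` suffix) and the transactional caveat live outside the keyword name.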

Actions #1

Updated by Philippe Antoine 1 day ago

  • Status changed from New to Rejected

I am not sure we want this ticket @Jason Ish

Actions #2

Updated by Jason Ish 1 day ago

Philippe Antoine wrote in #note-1:

I am not sure we want this ticket @Jason Ish

I'm just not clear on how it fits into the schema. Seems more like stuff for the user manual.
