Documentation #7806: Keywords missing documentation - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #7806

open

Keywords missing documentation

Added by Eric Leblond 2 days ago. Updated 2 days ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

8.0.0, git master

Effort:

Difficulty:

Label:

Beginner

Description

It looks like there is a set of keywords where the description of keywords and the url to documentation is not set at registration. For most of them, there is in fact no documentation available. For the url and desc this is a problem for Suricata Language Server or simply to list-keywords options because the user has no help about the keyword in offline mode.

Here is the list of keyword where url is not set (after update in upcoming MR):

{
  "name": "flowvar",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "hostbits",
  "description": "operate on host flag",
  "app layer": "Unset",
  "features": "compatible with IP only rule",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "pktvar",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "asn1",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "ipv4-csum",
  "description": "match on IPv4 checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "tcpv4-csum",
  "description": "match on IPv4/TCP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "tcpv6-csum",
  "description": "match on IPv6/TCP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "udpv4-csum",
  "description": "match on IPv4/UDP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "udpv6-csum",
  "description": "match on IPv6/UDP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "icmpv4-csum",
  "description": "match on IPv4/ICMP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "icmpv6-csum",
  "description": "match on IPv6/ICMPv6 checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "nfq_set_mark",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "frame",
  "description": "sticky buffer for inspecting app-layer frames",
  "app layer": "Unset",
  "features": "sticky buffer",
  "documentation": "",
  "initial_version": "7.0.0",
  "last_version": "8.0.1" 
}
{
  "name": "ssh.protoversion",
  "description": "obsolete keyword, use now ssh.proto",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "ssh.softwareversion",
  "description": "obsolete keyword, use now ssh.software",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "pkt_data",
  "description": "",
  "app layer": "Unset",
  "features": "No option",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "engine-event",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "stream-event",
  "description": "match on events triggered by anomalies during TCP streaming",
  "app layer": "Unset",
  "features": "prefilter",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "l3_proto",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}

(version 8.0.1 can be ignored)

Actions

Copy link

Updated by Eric Leblond 2 days ago

The Pull Request https://github.com/OISF/suricata/pull/13579 fixes the problem for the set of keywords where I've managed to find documentation in the user guide. The remaining keywords are the ones in the description of the issue.

Actions

Copy link

Updated by Shivani Bhardwaj 2 days ago

I agree this should be fixed.

Related but not sure if helpful: we're working on adding "description" to logged fields and their corresponding rule "keywords" to schema. For fetching just a description, that may serve well at some point in offline mode. This is so far even more incomplete than the keyword registration though. An example: https://github.com/OISF/suricata/blob/master/etc/schema.json#L2490

Actions

Copy link

Updated by Jason Ish 2 days ago

Affected Versions 8.0.0 added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries