Documentation #7806

open

Keywords missing documentation

Added by Eric Leblond 2 days ago. Updated 2 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Beginner

Description

It looks like there is a set of keywords where the description of the keyword and the URL to the documentation are not set at registration. For most of them, there is in fact no documentation available. For the URL and desc, this is a problem for Suricata Language Server or simply for the list-keywords options, because the user has no help about the keyword in offline mode.

Here is the list of keywords where the URL is not set (after the update in the upcoming MR):

{
  "name": "flowvar",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "hostbits",
  "description": "operate on host flag",
  "app layer": "Unset",
  "features": "compatible with IP only rule",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "pktvar",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "asn1",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "ipv4-csum",
  "description": "match on IPv4 checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "tcpv4-csum",
  "description": "match on IPv4/TCP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "tcpv6-csum",
  "description": "match on IPv6/TCP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "udpv4-csum",
  "description": "match on IPv4/UDP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "udpv6-csum",
  "description": "match on IPv6/UDP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "icmpv4-csum",
  "description": "match on IPv4/ICMP checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "icmpv6-csum",
  "description": "match on IPv6/ICMPv6 checksum",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "nfq_set_mark",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "frame",
  "description": "sticky buffer for inspecting app-layer frames",
  "app layer": "Unset",
  "features": "sticky buffer",
  "documentation": "",
  "initial_version": "7.0.0",
  "last_version": "8.0.1" 
}
{
  "name": "ssh.protoversion",
  "description": "obsolete keyword, use now ssh.proto",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "ssh.softwareversion",
  "description": "obsolete keyword, use now ssh.software",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "pkt_data",
  "description": "",
  "app layer": "Unset",
  "features": "No option",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "engine-event",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "stream-event",
  "description": "match on events triggered by anomalies during TCP streaming",
  "app layer": "Unset",
  "features": "prefilter",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}
{
  "name": "l3_proto",
  "description": "",
  "app layer": "Unset",
  "features": "none",
  "documentation": "",
  "initial_version": "4.1.5",
  "last_version": "8.0.1" 
}

(version 8.0.1 can be ignored)
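
An added example, not part of the original issue or of Suricata's code: a small audit script for a keyword dump in the layout shown above. The records are back-to-back JSON objects rather than a JSON array, so the script decodes them one at a time and reports which keywords have an empty "description" or "documentation" field. The function names and the fourth sample record are assumptions made for illustration.

```python
import json

# Three records from the list above, trimmed to the fields the check uses,
# plus one constructed record (placeholder URL) that has both fields set.
SAMPLE = '''
{ "name": "flowvar", "description": "", "documentation": "" }
{ "name": "hostbits", "description": "operate on host flag", "documentation": "" }
{
  "name": "frame",
  "description": "sticky buffer for inspecting app-layer frames",
  "documentation": ""
}
{ "name": "example-keyword", "description": "constructed sample",
  "documentation": "https://docs.example.invalid/example-keyword" }
'''


def iter_records(text):
    """Yield each object from a stream of concatenated JSON objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        # raw_decode() does not skip leading whitespace, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        record, pos = decoder.raw_decode(text, pos)
        yield record


def audit(text):
    """Return keyword names grouped by which help field is empty."""
    report = {"no_description": [], "no_documentation": []}
    for record in iter_records(text):
        name = record.get("name", "<unnamed>")
        if not record.get("description", "").strip():
            report["no_description"].append(name)
        if not record.get("documentation", "").strip():
            report["no_documentation"].append(name)
    return report


if __name__ == "__main__":
    for field, names in audit(SAMPLE).items():
        print(f"{field}: {', '.join(names) or '-'}")
```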

Actions #1

Updated by Eric Leblond 2 days ago

The Pull Request https://github.com/OISF/suricata/pull/13579 fixes the problem for the set of keywords where I've managed to find documentation in the user guide. The remaining keywords are the ones in the description of the issue.

Actions #2

Updated by Shivani Bhardwaj 2 days ago

I agree this should be fixed.

Related but not sure if helpful: we're working on adding "description" to logged fields and their corresponding rule "keywords" to schema. For fetching just a description, that may serve well at some point in offline mode. This is so far even more incomplete than the keyword registration though. An example: https://github.com/OISF/suricata/blob/master/etc/schema.json#L2490

Actions #3

Updated by Jason Ish 2 days ago

  • Affected Versions 8.0.0 added