Feature #2283

Updated by Victor Julien about 5 years ago

Turn all content modifiers into sticky buffers with a '<proto>.<buffer>[.<modifier>]' notation. Support this dot-notation for all existing sticky buffers.

In both cases the existing rule keywords need to keep working for backwards compatibility. New keywords only need to support the new notation.

Some examples:
<pre>
content:"abc"; http_uri;          -> http.uri; content:"abc";
content:"abc"; http_raw_uri;      -> http.uri.raw; content:"abc";
content:"abc"; http_client_body;  -> http.request_body; content:"abc";
dns_query; content:"abc";         -> dns.query; content:"abc";
</pre>
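The mapping above, worked through as an added example (not code from the ticket or from Suricata itself): a small rewriter that turns the legacy keywords in a rule's option section into the dot-notation form. It assumes only the four keyword pairs listed here and a simplified option splitter; a content modifier (keyword after the content it modifies) becomes a sticky buffer placed before that content, while a keyword that is already a sticky buffer is just renamed in place.

```python
# Legacy keyword -> dot-notation sticky buffer. Constructed from the four
# pairs in the ticket; a real converter would carry the full keyword table.
LEGACY_TO_STICKY = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_client_body": "http.request_body",
    "dns_query": "dns.query",
}


def split_options(option_str):
    """Split 'k:v; k2; ...' on ';' while ignoring ';' inside double quotes."""
    tokens, cur, in_quotes, escaped = [], "", False, False
    for ch in option_str:
        if escaped:                      # keep the escaped char verbatim
            cur, escaped = cur + ch, False
            continue
        if ch == "\\":
            cur, escaped = cur + ch, True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:  # end of one option
            tokens.append(cur.strip())
            cur = ""
            continue
        cur += ch
    if cur.strip():
        tokens.append(cur.strip())
    return tokens


def convert_options(option_str):
    """Rewrite legacy modifiers / sticky buffers to the dot-notation form."""
    out, last_content = [], None
    for tok in split_options(option_str):
        if tok.startswith("content:"):
            last_content = len(out)       # remember where this content sits
        if tok in LEGACY_TO_STICKY:
            new = LEGACY_TO_STICKY[tok]
            if last_content is not None:  # modifier: hoist before its content
                out.insert(last_content, new)
                last_content = None
            else:                         # already sticky: rename in place
                out.append(new)
        else:
            out.append(tok)
    return "; ".join(out) + ";"


def convert_rule(rule):
    """Apply convert_options to the parenthesised option section of a rule."""
    start, end = rule.index("("), rule.rindex(")")
    return rule[: start + 1] + convert_options(rule[start + 1 : end]) + rule[end:]
```

Modifiers that follow the hoisted keyword (e.g. `nocase`) stay attached to the same content, and a `;` inside a quoted content value does not split the option.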

Internally, these keywords need to be registered through the 'v2 API', so that they support transforms.

Examples can be found in https://github.com/OISF/suricata/pull/3632
