Feature #2756
openTask #5074: rules: structured rule input
rules: input in json format
Description
The idea here is that the new rule analyzer can output rules in json. It's quite incomplete at this stage, but when it is complete it would make sense to accept this output as input as well.
Updated by Victor Julien almost 6 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Victor Julien over 5 years ago
- Target version set to TBD
- Effort set to medium
- Difficulty set to high
Updated by Victor Julien about 3 years ago
- Related to Task #4762: Suricon 2021 brainstorm added
Updated by Victor Julien about 3 years ago
- Subject changed from rules input in json format to rules: input in json format
- Assignee deleted (
Community Ticket)
There was quite a bit of interest at suricon 2021. I think the first step should be to define a JSON schema / definition document as a rst doc in a PR to the suricata github repo.
Wrt implementation, I could imagine we start experimenting in suricata-update or a different tool outside of suricata proper, and have that "compile" the JSON into the existing rule format at first.
Updated by Jason Ish about 3 years ago
Victor Julien wrote in #note-5:
There was quite a bit of interest at suricon 2021. I think the first step should be to define a JSON schema / definition document as a
rstdoc in a PR to the suricata github repo.Wrt implementation, I could imagine we start experimenting in suricata-update or a different tool outside of suricata proper, and have that "compile" the JSON into the existing rule format at first.
The 2 pass parser experimenting with in https://redmine.openinfosecfoundation.org/issues/3317 could be extended. This tokenizer/lexer could be extended to be much more fine-grained to the point of breaking down each field in a byte_jump and others to their own struct elements. Essentially creating an AST which is the result of a first pass.
As a result, the rules could be dumped in JSON in mass (with serde) as a conversion tool, and as the data structures are all created now, JSON rules could be consumed with serde as well.
My hesitation with experimenting with this in suricata-update is I think its actually easier to work with this sort of stuff in Rust, and the end result would likely be Rust.