Feature #4174

open

tracking: app-layer frame inspection support

Added by Victor Julien about 4 years ago. Updated 4 months ago.

Status: In Progress
Priority: High
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Effort to make it possible to avoid raw TCP data inspection. Many rules looking for application records make assumptions about PDUs aligning with packets.

Rules should be able to do something like alert ftp ... (frame:ftp.command; content:"USER"; ... ).

Frames should be defined by the app-layer parsers.
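The alignment problem the description raises, as an added illustration (my own code, not Suricata's and not part of this ticket): the same three FTP commands are delivered once with one command per TCP segment and once re-segmented so that "USER" straddles a packet boundary. A rule that inspects raw packet payloads only fires in the first case; a rule bound to a parser-defined frame fires in both, because the frame is delimited on the reassembled stream. The `ftp.command` frame type, the `Frame` class and the one-frame-per-CRLF-line parser are assumptions modelled on the rule sketch above, not Suricata's frame API, and the traffic is constructed, not captured.

```python
"""Why packet-aligned inspection misses application records.

Added illustration, not Suricata code. It models the FTP control channel
over TCP: each client command is one CRLF-terminated line. A rule that
inspects raw packet payloads assumes a command starts at a packet boundary;
a rule bound to a parser-defined frame does not, because the frame is
delimited by the app-layer parser on the reassembled stream.
"""
from __future__ import annotations

from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass(frozen=True)
class Frame:
    """A frame as an app-layer parser would define it: a type plus the
    byte range it covers in the reassembled stream (assumed shape)."""
    ftype: str
    start: int  # offset of the first frame byte in the stream
    end: int    # offset one past the last frame byte (CRLF excluded)
    data: bytes


def ftp_command_frames(stream: bytes) -> list[Frame]:
    """Hypothetical 'ftp.command' frame parser: one frame per complete
    CRLF-terminated line. Bytes after the last CRLF are an incomplete
    frame and are not emitted until more data arrives."""
    frames: list[Frame] = []
    pos = 0
    while True:
        nl = stream.find(CRLF, pos)
        if nl < 0:
            break
        frames.append(Frame("ftp.command", pos, nl, stream[pos:nl]))
        pos = nl + len(CRLF)
    return frames


def content_matches(buf: bytes, needle: bytes, anchored: bool) -> bool:
    """'content:<needle>' against one buffer; 'anchored' models 'startswith'."""
    return buf.startswith(needle) if anchored else needle in buf


def packet_rule_matches(packets: list[bytes], needle: bytes, anchored: bool = True) -> int:
    """Rule on raw TCP payloads: each packet is its own inspection buffer."""
    return sum(content_matches(p, needle, anchored) for p in packets)


def stream_rule_matches(packets: list[bytes], needle: bytes, anchored: bool = True) -> int:
    """Rule on the reassembled raw stream as one buffer: survives
    re-segmentation, but has no notion of where one record ends."""
    return int(content_matches(b"".join(packets), needle, anchored))


def frame_rule_matches(packets: list[bytes], needle: bytes, anchored: bool = True) -> int:
    """Rule of the form 'frame:ftp.command; content:<needle>': reassemble,
    let the parser delimit frames, then inspect each frame on its own."""
    stream = b"".join(packets)
    return sum(content_matches(f.data, needle, anchored) for f in ftp_command_frames(stream))


# Constructed sample traffic (not a real capture): three commands, delivered
# once with one command per segment and once re-segmented so that "USER"
# straddles a packet boundary.
COMMANDS = [b"USER anonymous", b"PASS guest@example.org", b"RETR secrets.txt"]
STREAM = CRLF.join(COMMANDS) + CRLF
ALIGNED = [c + CRLF for c in COMMANDS]
MISALIGNED = [STREAM[:2], STREAM[2:20], STREAM[20:]]  # b"US" | b"ER anonymous\r\nPASS" | ...


if __name__ == "__main__":
    for name, pkts in (("aligned", ALIGNED), ("misaligned", MISALIGNED)):
        print(f"{name:10s} packet rule: {packet_rule_matches(pkts, b'USER')}  "
              f"frame rule: {frame_rule_matches(pkts, b'USER')}")
    # A needle spanning two commands matches the raw stream but no single frame.
    print("cross-record, stream rule:",
          stream_rule_matches(MISALIGNED, b"anonymous\r\nPASS", anchored=False))
    print("cross-record, frame rule: ",
          frame_rule_matches(MISALIGNED, b"anonymous\r\nPASS", anchored=False))
```

The third comparison is the other half of the point: inspecting the reassembled stream as one raw buffer fixes the segmentation miss, but a content match can then span two records, whereas a frame-bound match is scoped to a single parser-defined record.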


Subtasks 37 (24 open, 13 closed)

Issue | Subject | Status | Assignee
Task #4871 | tracking: implement frames for all parsers | New | OISF Dev
Feature #4872 | nfs: add stream app-layer frame support | Closed | Sam Mohammad
Feature #4904 | dcerpc: frames support | In Review | Shivani Bhardwaj
Feature #4905 | smtp: add stream app-layer frame support | Closed | Victor Julien
Feature #4906 | ftp: add stream app-layer frame support | Assigned | OISF Dev
Feature #4984 | dns: add frames support | Closed | Jason Ish
Feature #4985 | quic: support frames | Rejected | Philippe Antoine
Feature #4986 | pgsql: support frames | In Progress | Juliana Fajardini Reichow
Feature #5036 | sip: add frames support | Closed | Victor Julien
Feature #5716 | rdp: add app-layer frame support | New | OISF Dev
Feature #5717 | rfb: add frame support | Closed | Haleema Khan
Feature #5726 | ike: add frame support | New | OISF Dev
Feature #5727 | krb: add frame support | New | OISF Dev
Feature #5728 | modbus: add frame support | New | OISF Dev
Feature #5729 | bittorrent-dht: add frame support | New | OISF Dev
Feature #5730 | dhcp: add frame support | New | OISF Dev
Feature #5731 | mqtt: add frame support | Closed | Haleema Khan
Feature #5732 | ntp: add frame support | New | OISF Dev
Feature #5733 | snmp: add frame support | New | OISF Dev
Feature #5734 | ssh: add frame support | Closed | Philippe Antoine
Feature #5743 | http2: add frame support | Closed | Philippe Antoine
Feature #7177 | http1: add frame support | New | OISF Dev
Feature #4976 | frames: implement/complete profiling support | New | OISF Dev
Optimization #4977 | frames: gap handling in inspection | Closed | Victor Julien
Feature #4979 | frames: implement dynamic logic to disable frames of a type | Closed | Victor Julien
Documentation #4980 | doc/frames: document frame rule keyword | In Progress | Juliana Fajardini Reichow
Feature #4981 | frames: add general <app_proto>.stream frames | Closed | Victor Julien
Feature #4983 | frames: support UDP | Closed | Victor Julien
Optimization #4987 | frames: unify handling of getting frame data, flags | Assigned | Victor Julien
Feature #4988 | frames: logging improvements | New | OISF Dev
Feature #4982 | frames: selective frame logging | New | OISF Dev
Feature #4989 | eve/alert: make frame logging configurable | New | OISF Dev
Feature #4990 | eve/frames: make payload logging configurable | New | OISF Dev
Feature #5051 | output/frames: allow tx logging to reference frames | New | OISF Dev
Feature #5826 | frames: logging of events set on frames | New | Victor Julien
Feature #5049 | detect/frames: allow mixing with txs | Assigned | Victor Julien
Task #5050 | rules/frames: settle on rule syntax | Assigned | Victor Julien

Related issues 3 (2 open, 1 closed)

Issue | Subject | Status | Assignee
Related to Suricata - Task #4097 | Suricon 2020 brainstorm | Assigned | Victor Julien
Related to Suricata - Documentation #4697 | devguide: document app-layer frame support | Closed | Juliana Fajardini Reichow
Related to Suricata - Task #4772 | tracking: parity between fields logged and fields available for detection | Assigned | Victor Julien