Feature #435
Closed
list keyword commandline options
Description
Option or options to list keywords available, including whether or not they are compatible with "ip only", if they inspect "state" etc. Maybe just a --list-keywords with output like:
Name | Features | Description
flowbits | ip-only compatible | Set/check flowbits in a flow.
tls.subject | state inspecting | Match TLS/SSL certificate Subject field
Updated by Victor Julien over 12 years ago
- Target version changed from 1.3beta2 to 1.4
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4 to 1.4beta3
Updated by Eric Leblond almost 12 years ago
- Assignee changed from OISF Dev to Eric Leblond
Updated by Eric Leblond almost 12 years ago
- % Done changed from 0 to 80
Updated by Eric Leblond almost 12 years ago
- % Done changed from 80 to 60
I forgot an important part: the keyword code has to be updated to add the features and description information.
Updated by Eric Leblond almost 12 years ago
- % Done changed from 60 to 80
Proposed update: https://github.com/inliniac/suricata/pull/195
A few keywords are missing:
tag;;ALPROTO_UNKNOWN;none;;
uricontent;;ALPROTO_HTTP;payload inspecting rule;;
replace;;ALPROTO_UNKNOWN;payload inspecting rule;;
rawbytes;;ALPROTO_UNKNOWN;No option:payload inspecting rule;;
byte_test;;ALPROTO_UNKNOWN;payload inspecting rule;;
byte_jump;;ALPROTO_UNKNOWN;payload inspecting rule;;
ftpbounce;;ALPROTO_FTP;none;;
flowvar;;ALPROTO_UNKNOWN;none;;
pktvar;;ALPROTO_UNKNOWN;payload inspecting rule;;
noalert;;ALPROTO_UNKNOWN;No option;;
ipv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv6-csum;;ALPROTO_UNKNOWN;none;;
udpv4-csum;;ALPROTO_UNKNOWN;none;;
udpv6-csum;;ALPROTO_UNKNOWN;none;;
icmpv4-csum;;ALPROTO_UNKNOWN;none;;
icmpv6-csum;;ALPROTO_UNKNOWN;none;;
tos;;ALPROTO_UNKNOWN;none;;
icmp_id;;ALPROTO_UNKNOWN;none;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
flags;;ALPROTO_UNKNOWN;none;;
nfq_set_mark;;ALPROTO_UNKNOWN;none;;
http_raw_header;;ALPROTO_HTTP;payload inspecting rule;;
ssh.protoversion;;ALPROTO_SSH;none;;
ssh.softwareversion;;ALPROTO_SSH;none;;
ssl_version;;ALPROTO_TLS;none;;
ssl_state;;ALPROTO_TLS;none;;
byte_extract;;ALPROTO_UNKNOWN;payload inspecting rule;;
pkt_data;;ALPROTO_HTTP;none;;
app-layer-event;;ALPROTO_UNKNOWN;none;;
dce_iface;;ALPROTO_DCERPC;payload inspecting rule;;
dce_opnum;;ALPROTO_DCERPC;payload inspecting rule;;
dce_stub_data;;ALPROTO_DCERPC;payload inspecting rule;;
asn1;;ALPROTO_UNKNOWN;none;;
engine-event;;ALPROTO_UNKNOWN;none;;
stream-event;;ALPROTO_UNKNOWN;none;;
l3_proto;;ALPROTO_UNKNOWN;none;;
luajit;;ALPROTO_HTTP;none;;
By the way, the last line is strange.
Updated by Victor Julien almost 12 years ago
- Target version changed from 1.4beta3 to 1.4rc1
Updated by Victor Julien almost 12 years ago
- Status changed from New to Closed
- % Done changed from 80 to 100
Merged https://github.com/inliniac/suricata/pull/205, thanks!