Feature #435
closed
list keyword commandline options
Added by Victor Julien over 12 years ago.
Updated almost 12 years ago.
Description
Option or options to list keywords available, including whether or not they are compatible with "ip only", if they inspect "state" etc. Maybe just a --list-keywords with output like:
Name | Features | Description
flowbits | ip-only compatible | Set/check flowbits in a flow.
tls.subject | state inspecting | Match TLS/SSL certificate Subject field
- Target version changed from 1.3beta2 to 1.4
- Target version changed from 1.4 to 1.4beta3
- Priority changed from Normal to Low
- Assignee changed from OISF Dev to Eric Leblond
- % Done changed from 0 to 80
- % Done changed from 80 to 60
I forgot an important part: the keyword code has to be updated to add the features and description information.
- % Done changed from 60 to 80
Proposed update: https://github.com/inliniac/suricata/pull/195
A few keywords are missing:
tag;;ALPROTO_UNKNOWN;none;;
uricontent;;ALPROTO_HTTP;payload inspecting rule;;
replace;;ALPROTO_UNKNOWN;payload inspecting rule;;
rawbytes;;ALPROTO_UNKNOWN;No option:payload inspecting rule;;
byte_test;;ALPROTO_UNKNOWN;payload inspecting rule;;
byte_jump;;ALPROTO_UNKNOWN;payload inspecting rule;;
ftpbounce;;ALPROTO_FTP;none;;
flowvar;;ALPROTO_UNKNOWN;none;;
pktvar;;ALPROTO_UNKNOWN;payload inspecting rule;;
noalert;;ALPROTO_UNKNOWN;No option;;
ipv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv4-csum;;ALPROTO_UNKNOWN;none;;
tcpv6-csum;;ALPROTO_UNKNOWN;none;;
udpv4-csum;;ALPROTO_UNKNOWN;none;;
udpv6-csum;;ALPROTO_UNKNOWN;none;;
icmpv4-csum;;ALPROTO_UNKNOWN;none;;
icmpv6-csum;;ALPROTO_UNKNOWN;none;;
tos;;ALPROTO_UNKNOWN;none;;
icmp_id;;ALPROTO_UNKNOWN;none;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
flags;;ALPROTO_UNKNOWN;none;;
nfq_set_mark;;ALPROTO_UNKNOWN;none;;
http_raw_header;;ALPROTO_HTTP;payload inspecting rule;;
ssh.protoversion;;ALPROTO_SSH;none;;
ssh.softwareversion;;ALPROTO_SSH;none;;
ssl_version;;ALPROTO_TLS;none;;
ssl_state;;ALPROTO_TLS;none;;
byte_extract;;ALPROTO_UNKNOWN;payload inspecting rule;;
pkt_data;;ALPROTO_HTTP;none;;
app-layer-event;;ALPROTO_UNKNOWN;none;;
dce_iface;;ALPROTO_DCERPC;payload inspecting rule;;
dce_opnum;;ALPROTO_DCERPC;payload inspecting rule;;
dce_stub_data;;ALPROTO_DCERPC;payload inspecting rule;;
asn1;;ALPROTO_UNKNOWN;none;;
engine-event;;ALPROTO_UNKNOWN;none;;
stream-event;;ALPROTO_UNKNOWN;none;;
l3_proto;;ALPROTO_UNKNOWN;none;;
luajit;;ALPROTO_HTTP;none;;
By the way, last line is strange.
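A small parser for the semicolon-separated keyword list quoted in the comment above, added here as an example that is not part of the ticket, the pull request, or Suricata itself. It assumes the column layout name;description;app-layer protocol;features;documentation (the ticket does not name the columns) and reports which keywords still have an empty description, which is the remaining work the earlier comment refers to.

```python
# Added example, not Suricata's code: parse "--list-keywords"-style lines
# and report keywords that still lack a description.
from collections import defaultdict

# Assumed column layout (the ticket never names the columns):
# name;description;app-layer proto;features;documentation;
FIELDS = ("name", "description", "alproto", "features", "doc")

# Constructed sample: a subset of the lines quoted in the ticket comment.
SAMPLE = """\
tag;;ALPROTO_UNKNOWN;none;;
uricontent;;ALPROTO_HTTP;payload inspecting rule;;
rawbytes;;ALPROTO_UNKNOWN;No option:payload inspecting rule;;
decode-event;;ALPROTO_UNKNOWN;IP only rule;;
luajit;;ALPROTO_HTTP;none;;
"""


def parse_keyword_list(text):
    """Return one dict per non-empty line; lines with too few fields raise."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        raw = line.split(";")
        if len(raw) < 3:  # need at least name, description and app-layer proto
            raise ValueError(f"line {lineno}: expected >= 3 fields, got {len(raw)}")
        parts = (raw + [""] * len(FIELDS))[:len(FIELDS)]  # pad, drop trailing ''
        row = dict(zip(FIELDS, parts))
        # Several feature flags may be joined with ':' (e.g. "No option:payload
        # inspecting rule"); "none" means the keyword advertises no feature.
        row["features"] = [f for f in row["features"].split(":") if f and f != "none"]
        rows.append(row)
    return rows


def missing_descriptions(rows):
    """Names of keywords whose description column is still empty, sorted."""
    return sorted(r["name"] for r in rows if not r["description"])


def by_alproto(rows):
    """Group keyword names by the app-layer protocol they are tied to."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["alproto"]].append(r["name"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_keyword_list(SAMPLE)
    print("missing descriptions:", missing_descriptions(parsed))
    print("by app-layer proto:", by_alproto(parsed))
```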
- Target version changed from 1.4beta3 to 1.4rc1
- Status changed from New to Closed
- % Done changed from 80 to 100