Project

General

Profile

Actions
Copy link

Task #5181

open

detect/engine-analyzer: add rule analyzer warnings about rules that could use the frame keyword/semantics/feature

Added by Juliana Fajardini Reichow over 2 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

With the addition of frame support, the rule analyzer could now also check for rules with patterns like:
- For SMB traffic: check for content "|FF|" or "|FE|" (especially with "startswith")
- For TLS traffic: check for contents "|16 03 03|" (especially with "startswith")
- ... similar patterns for other protocols
And issue warnings that those can be converted to the new frame semantics.

This task must wait on the definition of the frame keyword/semantics syntax.

Related issues 1 (1 open0 closed)

Related to Suricata - Task #5050: rules/frames: settle on rule syntaxAssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #5050: rules/frames: settle on rule syntax added
Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #3

Updated by Victor Julien 10 months ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
Actions
Copy link

Also available in: Atom PDF