Story #6597
open
Task #4772: tracking: parity between fields logged and fields available for detection
rules: improve rules keyword/output parity
Added by Juliana Fajardini Reichow about 1 year ago.
Updated 3 months ago.
Description
For each application layer protocol, the overall process should be:
i. document the output of running
src/suricata --list-keywords | grep <app-proto>
ii. document the output of the complete EVE log for said protocol
iii. compare that to the schema.json for the app-proto
iv. complete the schema, if needed
v. group the documented outputs from steps i. and ii. by type (e.g. integers)
vi. list candidates for implementation (either as keywords or missing output fields), and share the list on the adequate ticket, request feedback for that on ticket
vii. implement keywords or missing output fields as agreed upon
viii. create or update SV tests to cover new fields/keywords
ix. document new fields/keywords
Deliverables:
iv, vii, viii, ix
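A worked example of steps i to v for DNS, added here and not part of the ticket or of the Suricata code base: it flattens a logged EVE record and a schema.json-style fragment into dotted field paths, compares both with the keyword listing, and groups the logged fields by JSON type. The keyword lines, the EVE record and the schema fragment are constructed samples, and the listing is assumed to carry one keyword per line.

```python
from collections import defaultdict

# Constructed sample in the shape of `suricata --list-keywords | grep dns`.
KEYWORD_LISTING = "- dns.query\n- dns.opcode\n- dns.rcode\n"
# Constructed, already-parsed EVE record for the protocol under review.
EVE_RECORD = {"event_type": "dns", "dns": {
    "type": "answer", "id": 4, "rcode": "NOERROR", "tc": True,
    "answers": [{"rrname": "x.example", "rrtype": "A", "ttl": 300}]}}
# Constructed fragment in the shape of schema.json (nested "properties").
SCHEMA = {"properties": {"dns": {"type": "object", "properties": {
    "type": {"type": "string"}, "id": {"type": "integer"},
    "rcode": {"type": "string"},
    "answers": {"type": "array", "items": {"type": "object", "properties": {
        "rrname": {"type": "string"}, "rrtype": {"type": "string"}}}}}}}}
JSON_TYPES = {bool: "boolean", int: "integer", float: "number", str: "string"}

def flatten_event(obj, prefix=""):
    """Map every logged leaf to its dotted path and JSON type name."""
    if isinstance(obj, dict):
        return {k: t for key, val in obj.items()
                for k, t in flatten_event(val, f"{prefix}{key}.").items()}
    if isinstance(obj, list):  # array elements share the parent's path
        return {k: t for item in obj for k, t in flatten_event(item, prefix).items()}
    return {prefix.rstrip("."): JSON_TYPES.get(type(obj), "null")}

def flatten_schema(node, prefix=""):
    """Map every schema leaf to its dotted path and declared type."""
    if "properties" in node:
        return {k: t for key, sub in node["properties"].items()
                for k, t in flatten_schema(sub, f"{prefix}{key}.").items()}
    if "items" in node:  # array: items share the parent's path, as above
        return flatten_schema(node["items"], prefix)
    return {prefix.rstrip("."): node.get("type")}

def parse_keywords(listing, proto):
    """Keep the '<proto>.' names from a --list-keywords style listing."""
    names = (line.strip().lstrip("- ") for line in listing.splitlines())
    return {n for n in names if n.startswith(proto + ".")}

def parity_report(proto, listing, event, schema):
    """Steps i-v: fields logged but absent from schema or keywords, by type."""
    logged = flatten_event(event[proto], proto + ".")
    declared = flatten_schema(schema["properties"][proto], proto + ".")
    by_type = defaultdict(list)
    for path, jtype in sorted(logged.items()):
        by_type[jtype].append(path)
    return {"missing_in_schema": sorted(set(logged) - set(declared)),
            "keyword_candidates": sorted(set(logged) - parse_keywords(listing, proto)),
            "by_type": dict(by_type)}
```

Keyword names do not always mirror field paths one to one (dns.query versus the logged rrname, for instance), so the keyword_candidates list is the starting point for step vi, not a final answer.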
- Description updated (diff)
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
My understanding is that the first step is to complete the json schema for DNS. Like, the tc boolean field is missing (just reviewing the code in rust/src/dns/log.rs and looking for js.set_ calls).
- Status changed from New to In Progress
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
I'll assign this to OISF Dev, as this is the parent ticket. Thanks for the work you've done, Hadiqa! :)
- Subject changed from rules keyword/output parity: improve to tracking: impove rules keyword/output parity
- Status changed from In Progress to New
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 8.0.0-beta1 to 8.0.0
- Blocked by Feature #5642: DNS: parity between log fields and detection added
- Blocked by Feature #4153: app-layer: rust derive style macros to generate common code added
- Tracker changed from Task to Story
- Subject changed from tracking: impove rules keyword/output parity to rules: impove rules keyword/output parity
- Related to Feature #6198: Feature Request: Add "SMTP" keywords for use in rules added
- Subject changed from rules: impove rules keyword/output parity to rules: improve rules keyword/output parity
edit: fix typo in issue subject
- Related to Task #6476: ftp: parity of logging and detection buffers added
- Related to deleted (Task #6476: ftp: parity of logging and detection buffers)
- Blocked by Task #6476: ftp: parity of logging and detection buffers added
- Blocked by Task #6473: detect: smtp keyword coverage added
- Blocked by Task #6463: eve/output: investigate how to track coverage / parity added
- Blocked by Task #7452: ldap: add keywords to match output added