Task #6308

Updated by Juliana Fajardini Reichow over 1 year ago

This is an umbrella ticket. 

When running Suricata in `--engine-analysis` mode (https://docs.suricata.io/en/latest/command-line-options.html?highlight=engine%20analysis#cmdoption-engine-analysis), the engine generates a profile report on whatever rules it had as input. See more at https://docs.suricata.io/en/latest/configuration/suricata-yaml.html?highlight=engine-analysis#engine-analysis.

The purpose of this task is to improve that report, specifically the `postmatch` section, which expands the keyword matches for each rule.

The main goal is to expose each keyword's properties as a JSON object, in key-value format.

Each keyword has corresponding source files that tell you the keyword name recognized by the engine, as well as the other fields we are interested in exposing in the engine analysis report.

The details about the keyword should be used to create the JSON object, named after the keyword you're working with.
The JsonBuilder has the needed functions for that.

Feel free to use the listed PR(s) here, as well as the existing code in the detect-engine-analyzer.c function *DumpMatches*, as examples.

This commit shows an example of adding details for *byte_test* and *byte_jump*: https://github.com/OISF/suricata/pull/8625/commits/325000ca2bd72edd802122a3d25988183622a69f
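A check a contributor can run over a real rules.json to see which keywords still lack a details object, i.e. the remaining work for this ticket (added example, not Suricata's code or part of the ticket; it assumes the report is written one JSON object per line, with "matches" arrays whose entries carry "name" and, once details are exposed, an object keyed by that keyword name; the sample input is constructed):

```python
import json

# Constructed sample in the shape of Suricata's --engine-analysis rules.json
# (assumed: one rule object per line, "matches" arrays whose entries carry "name"
# and, when details are exposed, an object keyed by that keyword name).
SAMPLE_RULES_JSON = "\n".join(json.dumps(r) for r in [
    {"id": 1,
     "raw": 'alert tcp any any -> any any (content:"abc"; byte_test:1,=,0,0; byte_jump:2,0; flowbits:set,x; sid:1;)',
     "lists": {"pkt_payload": {"matches": [
         {"name": "content", "content": {"pattern": "abc", "length": 3, "nocase": False}},
         {"name": "byte_test", "byte_test": {"nbytes": 1, "offset": 0, "value": 0}}]}},
     "postmatch": {"matches": [
         {"name": "byte_jump", "byte_jump": {"nbytes": 2, "offset": 0}},
         {"name": "flowbits"}]}},
    {"id": 2,
     "raw": 'alert tcp any any -> any any (content:"def"; isdataat:4; sid:2;)',
     "lists": {"pkt_payload": {"matches": [
         {"name": "content", "content": {"pattern": "def", "length": 3, "nocase": False}},
         {"name": "isdataat"}]}}},
])


def load_rules(text):
    # One JSON object per non-empty line (assumed rules.json layout).
    return [json.loads(ln) for ln in text.splitlines() if ln.strip()]


def iter_matches(node):
    """Yield every entry of every "matches" array, wherever it sits in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "matches" and isinstance(value, list):
                yield from (m for m in value if isinstance(m, dict) and "name" in m)
            else:
                yield from iter_matches(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_matches(item)


def keyword_detail_coverage(text):
    """Map keyword -> (matches with a details object, matches without one)."""
    coverage = {}
    for match in iter_matches(load_rules(text)):
        name = match["name"]
        detailed = isinstance(match.get(name), dict)
        with_d, without_d = coverage.get(name, (0, 0))
        coverage[name] = (with_d + int(detailed), without_d + int(not detailed))
    return coverage


def missing_details(text):
    """Keywords present in the report that never expose a details object."""
    return sorted(k for k, (w, _) in keyword_detail_coverage(text).items() if w == 0)
```

Because the walk is recursive, it finds "matches" arrays whether the `postmatch` section sits at the top level of a rule or under `lists`.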
