

schema: add an object for mapping fields to keywords
To some EVE fields, add a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772
jasonish committed Feb 21, 2025
1 parent 3fe80bd commit 76f5697
Showing 1 changed file with 78 additions and 17 deletions.
95 changes: 78 additions & 17 deletions etc/schema.json
Expand Up @@ -116,7 +116,8 @@
"type": "integer"
},
"tx_guessed": {
"description": "the signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect",
"description":
"the signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect",
"type": "boolean"
},
"files": {
Expand Down Expand Up @@ -1033,7 +1034,12 @@
"type": "boolean"
},
"rcode": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.rcode"
]
}
},
"rd": {
"type": "boolean"
Expand Down Expand Up @@ -1069,10 +1075,21 @@
"type": "object",
"properties": {
"rdata": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.answers.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
Expand Down Expand Up @@ -1173,10 +1190,21 @@
"type": "integer"
},
"rrname": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.queries.rrname",
"dns.query"
]
}
},
"rrtype": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.rrtype"
]
}
},
"tx_id": {
"type": "integer"
Expand All @@ -1189,10 +1217,16 @@
},
"opcode": {
"description": "DNS opcode as an integer",
"type": "integer"
"type": "integer",
"suricata": {
"keywords": [
"dns.opcode"
]
}
},
"rrname_truncated": {
"description": "Set to true if the rrname was too long and truncated by Suricata",
"description":
"Set to true if the rrname was too long and truncated by Suricata",
"type": "boolean"
}
},
Expand Down Expand Up @@ -6613,7 +6647,8 @@
"type": "integer"
},
"tc_urgent_oob_data": {
"description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
"description":
"Number of Out-of-Band bytes sent by server using TCP urgent packets",
"type": "integer"
},
"tcp_flags": {
Expand All @@ -6632,7 +6667,8 @@
"type": "integer"
},
"ts_urgent_oob_data": {
"description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
"description":
"Number of Out-of-Band bytes sent by client using TCP urgent packets",
"type": "integer"
},
"urg": {
Expand Down Expand Up @@ -6901,7 +6937,8 @@
"type": "integer"
},
"mname_truncated": {
"description": "Set to true if the mname was too long and truncated by Suricata",
"description":
"Set to true if the mname was too long and truncated by Suricata",
"type": "boolean"
}
},
Expand All @@ -6914,10 +6951,21 @@
"type": "object",
"properties": {
"rdata": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.authorities.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
Expand All @@ -6929,11 +6977,13 @@
"$ref": "#/$defs/dns.soa"
},
"rdata_truncated": {
"description": "Set to true if the rdata was too long and truncated by Suricata",
"description":
"Set to true if the rdata was too long and truncated by Suricata",
"type": "boolean"
},
"rrname_truncated": {
"description": "Set to true if the rrname was too long and truncated by Suricata",
"description":
"Set to true if the rrname was too long and truncated by Suricata",
"type": "boolean"
}
},
Expand All @@ -6947,10 +6997,21 @@
"type": "object",
"properties": {
"rdata": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string"
"type": "string",
"suricata": {
"keywords": [
"dns.additionals.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
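Review bot: The new `suricata` mapping objects, first in the `rcode` hunk and repeated in the answers, query, opcode, authorities and additionals hunks, carry no documentation inside the schema of what `keywords` means, so a reader of schema.json cannot tell whether a listed keyword matches the field directly or only covers it, a distinction the commit message draws but the data does not; the three `rdata` entries all map to `dns.response.rrname`, a keyword named for a different field, while `dns.rcode` and `dns.opcode` are direct matches. A one-line description beside the first mapping, or in the file's top-level description, would record that contract for the tooling, e.g. `"description": "Rule keywords that match this field directly or otherwise cover it"`. I cannot confirm from the diff that `dns.response.rrname` inspects rdata values as well as record names; if it does not, the three `rdata` mappings would report keyword parity that does not exist, so they are worth checking against the keyword documentation before any parity tooling relies on them. The identical `rdata` blocks duplicated across three hunks are also a drift risk and may be better generated from one source than hand-maintained.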

