From: Jason Ish Date: Wed, 19 Feb 2025 22:34:22 +0000 (-0600) Subject: schema: add an object for mapping fields to keywords X-Git-Tag: suricata-8.0.0-beta1~316 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=115d7d3c6dc7a932211a66aabe1bb775efc057ca;p=thirdparty%2Fsuricata.git schema: add an object for mapping fields to keywords To some EVE fields and a "suricata" object that contains an array of keywords. These are the keywords that map directly to this field, or somehow cover this field. This is an attempt at tooling to help with EVE and keyword parity. Related to tickets: #5642, #6463, #4772
---
diff --git a/etc/schema.json b/etc/schema.json
index 3a877aabb9..e4dc42a4e8 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -116,7 +116,8 @@
 "type": "integer"
 },
 "tx_guessed": {
- "description": "the signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect",
+ "description":
+ "the signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect",
 "type": "boolean"
 },
 "files": {
@@ -1033,7 +1034,12 @@
 "type": "boolean"
 },
 "rcode": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.rcode"
+ ]
+ }
 },
 "rd": {
 "type": "boolean"
@@ -1069,10 +1075,21 @@
 "type": "object",
 "properties": {
 "rdata": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrname": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.answers.rrname",
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrtype": {
 "type": "string"
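Review bot: The new `"suricata"` object added to `rcode`, `rdata` and `rrname` in the -1033 and -1069 hunks is an unknown keyword to every JSON Schema validator, so it is accepted silently and nothing here catches a misspelled key or a keyword name the engine does not actually implement. Since the stated purpose is parity tooling, the `keywords` entries should be cross-checked in CI against the engine's own keyword list (`suricata --list-keywords`), otherwise the mapping drifts unnoticed as keywords are renamed or removed. In the `rdata` property the only entry is `dns.response.rrname`, presumably because rdata can itself be a domain name; if that keyword reaches only some rdata values, a rule author reading this mapping will expect more than it delivers, and a flat array of names cannot express partial coverage. A short `"description"` next to `keywords` stating what membership means ("matches this field directly" versus "covers it in part") would make the extension self-describing.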
@@ -1173,10 +1190,21 @@
 "type": "integer"
 },
 "rrname": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.queries.rrname",
+ "dns.query"
+ ]
+ }
 },
 "rrtype": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.rrtype"
+ ]
+ }
 },
 "tx_id": {
 "type": "integer"
@@ -1189,10 +1217,16 @@
 },
 "opcode": {
 "description": "DNS opcode as an integer",
- "type": "integer"
+ "type": "integer",
+ "suricata": {
+ "keywords": [
+ "dns.opcode"
+ ]
+ }
 },
 "rrname_truncated": {
- "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "description":
+ "Set to true if the rrname was too long and truncated by Suricata",
 "type": "boolean"
 }
 },
@@ -6613,7 +6647,8 @@
 "type": "integer"
 },
 "tc_urgent_oob_data": {
- "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
+ "description":
+ "Number of Out-of-Band bytes sent by server using TCP urgent packets",
 "type": "integer"
 },
 "tcp_flags": {
@@ -6632,7 +6667,8 @@
 "type": "integer"
 },
 "ts_urgent_oob_data": {
- "description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
+ "description":
+ "Number of Out-of-Band bytes sent by client using TCP urgent packets",
 "type": "integer"
 },
 "urg": {
@@ -6901,7 +6937,8 @@
 "type": "integer"
 },
 "mname_truncated": {
- "description": "Set to true if the mname was too long and truncated by Suricata",
+ "description":
+ "Set to true if the mname was too long and truncated by Suricata",
 "type": "boolean"
 }
 },
@@ -6914,10 +6951,21 @@
 "type": "object",
 "properties": {
 "rdata": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrname": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.authorities.rrname",
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrtype": {
 "type": "string"
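Review bot: In the -1173 hunk `rrname` lists both `dns.queries.rrname` and `dns.query`, and the commit message says an entry may either map directly to the field or merely cover it, yet the flat array records neither which relation applies nor which spelling is the current one (the two look like a newer and an older name for the same buffer, though that is not visible here). If tooling is meant to compute parity from this file, each entry probably needs to carry that relation, e.g. a constructed shape such as `{"name": "dns.queries.rrname", "relation": "direct"}` instead of a bare string; changing the element type later would break every consumer of the extension. The same applies to the `rdata`/`rrname` pairs in the -6914 hunk, where `dns.response.rrname` presumably covers rather than directly maps. Separately, the `description` re-wraps in the -1189, -6613, -6632 and -6901 hunks are pure formatting with no mapping content and would read better as their own commit.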
@@ -6929,11 +6977,13 @@
 "$ref": "#/$defs/dns.soa"
 },
 "rdata_truncated": {
- "description": "Set to true if the rdata was too long and truncated by Suricata",
+ "description":
+ "Set to true if the rdata was too long and truncated by Suricata",
 "type": "boolean"
 },
 "rrname_truncated": {
- "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "description":
+ "Set to true if the rrname was too long and truncated by Suricata",
 "type": "boolean"
 }
 },
@@ -6947,10 +6997,21 @@
 "type": "object",
 "properties": {
 "rdata": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrname": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "dns.additionals.rrname",
+ "dns.response.rrname"
+ ]
+ }
 },
 "rrtype": {
 "type": "string"
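Review bot: In the -6947 hunk `rrtype` (and likewise in the -1069 and -6914 hunks) gets no `suricata` object while the query-side `rrtype` in -1173 maps to `dns.rrtype`, and the file gives a reader no way to tell whether that means no keyword covers response-side rrtype or the field simply was not reviewed. For parity tooling those two cases are the whole point, so a reviewed-but-uncovered field should carry an explicit `"suricata": {"keywords": []}` rather than nothing, leaving absence to mean "not yet examined". Whether `dns.rrtype` also reaches answer, authority and additional records cannot be determined from this hunk; if it does, those `rrtype` properties should list it for consistency with the rest of the mapping.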