From: Jason Ish
Date: Fri, 20 Jun 2025 18:07:11 +0000 (-0600)
Subject: eve/schema: map mdns properties that have keywords
X-Git-Tag: suricata-8.0.0~41
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ddb77d061e6e186e52b16ee3a0e05b5caa142aa6;p=thirdparty%2Fsuricata.git
eve/schema: map mdns properties that have keywords
Also add descriptions for the EVE index.
---
diff --git a/etc/schema.json b/etc/schema.json
index 5149a7dd4c..d90b4ea4b5 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -2831,7 +2831,45 @@
 "additionals": {
 "description": "mDNS additional records",
 "type": "array",
- "minItems": 1
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "ptr": {
+ "type": "string",
+ "description": "Value of the requested PTR record",
+ "suricata": {
+ "keywords": [
+ "mdns.response.rrname"
+ ]
+ }
+ },
+ "rrname": {
+ "type": "string",
+ "description": "Resource name of the record being returned",
+ "suricata": {
+ "keywords": [
+ "mdns.additionals.rrname",
+ "mdns.response.rrname"
+ ]
+ }
+ },
+ "rrname_truncated": {
+ "description": "Name was truncated by Suricata due to length",
+ "type": "boolean",
+ "$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
+ },
+ "txt": {
+ "type": "array",
+ "description": "Value of the requested TXT record",
+ "minItems": 1,
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
 },
 "answers": {
 "description": "mDNS answer records",
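Review bot: The additionals `ptr` property maps to `mdns.response.rrname` without the `$comment` that the identical mapping carries on the answers `ptr` in the next hunk, so a reader of this item schema cannot tell whether the generic response keyword is a deliberate fallback or a missing PTR-specific keyword; adding the same `"$comment": "No specific ptr keyword exists"` inside this `suricata` object keeps the two item schemas parallel. The `rrname_truncated` object, including its `$comment` pointing at `app-layer-event:mdns.name_too_long`, is repeated verbatim here and in the answers, authorities and queries hunks that follow. Factoring it into one definition under `$defs` (or `definitions`, depending on the draft this file declares) and referencing it with `$ref` would keep the four copies from drifting as the keyword or issue link changes.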
@@ -2842,14 +2880,37 @@
 "additionalProperties": false,
 "properties": {
 "ptr": {
- "type": "string"
+ "type": "string",
+ "description": "Value of the requested PTR record",
+ "suricata": {
+ "$comment": "No specific ptr keywords exists",
+ "keywords": [
+ "mdns.response.rrname"
+ ]
+ }
 },
 "rrname": {
- "type": "string"
+ "type": "string",
+ "description": "Resource name of the record being returned",
+ "suricata": {
+ "keywords": [
+ "mdns.answers.rrname",
+ "mdns.response.rrname"
+ ]
+ }
+ },
+ "rrname_truncated": {
+ "description": "Name was truncated by Suricata due to length",
+ "type": "boolean",
+ "$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
 },
 "txt": {
 "type": "array",
- "minItems": 1
+ "description": "Value of the requested TXT record",
+ "minItems": 1,
+ "items": {
+ "type": "string"
+ }
 }
 }
 }
@@ -2857,7 +2918,28 @@
 "authorities": {
 "description": "mDNS authority records",
 "type": "array",
- "minItems": 1
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "rrname": {
+ "type": "string",
+ "description": "Resource name of the record being returned",
+ "suricata": {
+ "keywords": [
+ "mdns.authorities.rrname",
+ "mdns.response.rrname"
+ ]
+ }
+ },
+ "rrname_truncated": {
+ "description": "Name was truncated by Suricata due to length",
+ "type": "boolean",
+ "$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
+ }
+ }
+ }
 },
 "flags": {
 "description": "mDNS message flags",
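Review bot: The `$comment` added to the answers `ptr` mapping reads `No specific ptr keywords exists`, which mixes a plural noun with a singular verb; `"$comment": "No specific ptr keyword exists"` reads correctly. Since `$comment` is documentation for schema readers and never evaluated by validators, the wording change has no effect on validation of EVE output.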
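Review bot: The authorities item schema is closed with `"additionalProperties": false` but lists only `rrname` and `rrname_truncated`, whereas the answers and additionals items in the preceding hunks also carry `ptr` and `txt`; nothing in the hunk says whether the logger deliberately emits only the name for authority records, and if it ever emits more, every such event will fail validation against this schema. A one-line `$comment` on the `items` object stating why authority records carry only the name would make the narrower shape explicit. I am inferring the intent from the other item schemas, so confirm the field set against the mDNS logger before adding it.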
@@ -2912,10 +2994,22 @@
 "type": "object",
 "properties": {
 "rrname": {
- "type": "string"
+ "description": "Resource name being requested",
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "mdns.queries.rrname"
+ ]
+ }
+ },
+ "rrname_truncated": {
+ "description": "Name was truncated by Suricata due to length",
+ "type": "boolean",
+ "$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
 },
 "rrtype": {
- "type": "string"
+ "type": "string",
+ "description": "Type of resource being requested"
 }
 }
 }
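Review bot: The queries `rrtype` property gains a `description` but no `suricata.keywords` mapping, unlike `rrname` beside it; if a query-type keyword exists it belongs here, and if none does, a `$comment` in the style of the answers `ptr` entry (`No specific rrtype keyword exists`) would mark the omission as deliberate rather than an oversight. As a point of style, `rrname` here lists `description` before `type` while every other property in this change puts `type` first; validators ignore key order, but a consistent order makes the four item schemas easier to compare side by side. The enclosing queries `items` object begins before the hunk, so whether it is closed with `additionalProperties` like the other three cannot be seen here.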