In the event folder on the GitHub repo (+), some rules have a variable in flowint, like tls.anomaly.count,+,1.
1- Do these events create an anomaly event type in eve.json?
2- Why is an app-layer-event like tls.invalid_sslv2_header not defined in the src code?
In the Suricata documentation (+), I noticed that the tls.anomaly.count variable is created and incremented one by one. We can use this variable in rules and generate an alert if the condition is met.
On another Suricata documentation page (+), it is said that three types of anomaly are identified in Suricata: decode, stream and application layer. In the src folder, I found decode-events.c (+) and app-layer-events.c (+), which define these three types of anomaly and are used in output-json-anomaly.c (+).
3- Is there a flowchart of the relationships between Suricata files?
4- Is it possible to define a rule with the type of anomaly?
5- Why is the *.anomaly.count variable used in other rules files like tls-events and so on?
6- How can the value of this variable be written to the output?
7- Where are anomaly variables used other than in the rules?
8- Does this value affect the eve.json output?
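As an added example (not code from the original post or from the Suricata project), the script below reads a few constructed eve.json lines, keeps only the anomaly event type, tallies them by anomaly type (decode / stream / applayer), and counts TLS app-layer anomalies per flow_id the way a flowint tls.anomaly.count counter with a threshold rule would. The field layout of the anomaly record (app_proto, type, event, layer) is assumed to follow Suricata's EVE anomaly output; the sample lines and the alert sid are constructed, not real captures.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (not a real capture). Field names follow the EVE
# anomaly record layout as an assumption; flow_id 1 produces three TLS anomalies.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"anomaly","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","app_proto":"tls","anomaly":{"app_proto":"tls","type":"applayer","event":"INVALID_SSLV2_HEADER","layer":"proto_parser"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":1,"event_type":"anomaly","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","app_proto":"tls","anomaly":{"app_proto":"tls","type":"applayer","event":"INVALID_SSLV2_HEADER","layer":"proto_parser"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":2,"event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","anomaly":{"type":"decode","event":"decoder.ipv4.opt_invalid"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED tls anomaly alert"}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":1,"event_type":"anomaly","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","app_proto":"tls","anomaly":{"app_proto":"tls","type":"applayer","event":"INVALID_SSLV2_HEADER","layer":"proto_parser"}}
"""


def parse_anomalies(text):
    """Yield only anomaly records from eve.json text; skip blank, malformed
    and non-anomaly lines (alerts, flows, ...) so one bad line does not abort the run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "anomaly" and isinstance(rec.get("anomaly"), dict):
            yield rec


def count_by_type(text):
    """Tally anomaly records by their 'type' field (decode / stream / applayer)."""
    return Counter(rec["anomaly"].get("type", "unknown") for rec in parse_anomalies(text))


def flows_over_threshold(text, app_proto, threshold):
    """Return {flow_id: count} for flows whose app-layer anomaly count for app_proto
    reaches the threshold. This mirrors a flowint '<proto>.anomaly.count,+,1' rule paired
    with a second rule that alerts when the counter is compared against a limit."""
    per_flow = defaultdict(int)
    for rec in parse_anomalies(text):
        a = rec["anomaly"]
        if a.get("type") == "applayer" and a.get("app_proto") == app_proto:
            per_flow[rec["flow_id"]] += 1
    return {fid: n for fid, n in per_flow.items() if n >= threshold}


if __name__ == "__main__":
    print(dict(count_by_type(SAMPLE_EVE)))
    print(flows_over_threshold(SAMPLE_EVE, "tls", 3))
```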