[Oisf-devel] Understanding Suricata

Anoop Saldanha anoopsaldanha at gmail.com
Thu Oct 10 07:31:07 UTC 2013


On Wed, Oct 9, 2013 at 11:40 PM, Anil Joshi <aj27744 at gmail.com> wrote:
> Hi All,
>
> Hi, I have a query for you. Actually I need a suggestion: if I want to
> understand how Suricata works, that is, how it takes a packet and how it matches it
> against a signature, how should I proceed?
>

I would suggest taking a pcap and stepping through the code.  You can
use the pcap file interface for this purpose

suricata -c suricata.yaml -r path/to/pcap_file --runmode=single

Suricata is modular, as in, each of the different phases is split into
an identifiable module - receive, decoder, stream, detection, verdict,
logging.

Packets flow through the above sequence in a sequential manner.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
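The stepping approach suggested above, written out as an added example (not code from the original post or from the Suricata project). It checks that the input really is a classic libpcap file before handing it to `suricata -r`, and emits a gdb command script that breaks at the entry of each processing module and then runs Suricata with `--runmode=single`, so the whole receive/decode/stream/detect pipeline executes on one thread and a single packet can be followed breakpoint by breakpoint. The function names in `MODULE_BREAKPOINTS` are assumptions about a Suricata source tree of that era; verify them against your own build with `nm` before relying on them.

```shell
#!/bin/sh
# Added example, not part of the original post or of Suricata itself.
#
# Entry points to stop at, one per module in the order packets traverse
# them.  These symbol names are ASSUMED; check them against your binary:
#   nm src/suricata | grep -w -e ReceivePcapFileLoop -e DecodePcapFile \
#       -e DecodeEthernet -e StreamTcp -e Detect
# and edit the list if your tree names them differently.
MODULE_BREAKPOINTS="ReceivePcapFileLoop DecodePcapFile DecodeEthernet StreamTcp Detect"

# is_pcap FILE
# Return 0 if FILE starts with a classic libpcap magic number (either byte
# order, microsecond or nanosecond timestamps), 1 otherwise.  A pcapng file
# (magic 0a 0d 0d 0a) is rejected, which is the usual reason a capture that
# "looks fine" in Wireshark does nothing when fed to suricata -r.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# gdb_script YAML PCAP
# Print a gdb command script: one breakpoint per module entry point, then
# run Suricata on PCAP.  --runmode=single keeps every module on one thread,
# so the breakpoints are hit in pipeline order for each packet.
gdb_script() {
    yaml=$1
    pcap=$2
    for fn in $MODULE_BREAKPOINTS; do
        printf 'break %s\n' "$fn"
    done
    printf 'run -c %s -r %s --runmode=single\n' "$yaml" "$pcap"
}

# trace_pcap SURICATA_BINARY YAML PCAP
# Validate the inputs and start an interactive gdb session at the first
# breakpoint.  Step through with "next"/"step"; "continue" moves on to the
# next module (or the next packet once the pipeline is done).
trace_pcap() {
    bin=$1
    yaml=$2
    pcap=$3
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    [ -r "$yaml" ] || { echo "cannot read config: $yaml" >&2; return 1; }
    is_pcap "$pcap" || { echo "not a classic libpcap file: $pcap" >&2; return 1; }
    script=$(mktemp) || return 1
    gdb_script "$yaml" "$pcap" > "$script"
    gdb -q -x "$script" "$bin"
    rm -f "$script"
}
```

Usage: `trace_pcap ./src/suricata suricata.yaml /path/to/capture.pcap`. Build Suricata with debug symbols (`CFLAGS="-g -O0" ./configure ...`) first, otherwise gdb will stop at the functions but show no source lines.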


