[Oisf-devel] Helloworld Detection Plugin not working completely
Victor Julien
victor at inliniac.net
Mon Nov 24 13:48:36 UTC 2014
On 11/24/2014 01:39 PM, Paul Mroszczyk wrote:
> Not a problem. Thank you for creating Suricata!
>
> Btw, if I may suggest something... someone who's reading that
> helloworld tutorial might only have a vague idea of what a rule is at
> that point :) I didn't - I got introduced to Suricata as a developer
> rather than an admin, so I was learning about Suricata on-the-fly. I
> would add an example of a rule to that documentation:
Interesting, I had never considered developers to be not at least a
little acquainted with the user side.
> alert tcp any any -> any any (msg:"helloworld 12"; helloworld:1,2;
> sid:1234567; rev:1;)
>
> (not sure if sid is unique, might have to check that, otherwise the rule
> should work as written)
Added, thanks!
Btw, feel free to add more explanation to the page as you see fit.
Cheers,
Victor
> Regards,
>
> Paul
>
>
> On 2014-11-24 12:24, Victor Julien wrote:
>> On 11/18/2014 10:16 PM, Paul Mroszczyk wrote:
>>> Okay, I figured it out by debugging. Maybe someone else will find this
>>> useful in the future:
>>>
>>> It turns out that adding a detection plugin is not merely enough to
>>> see it in action. What I wish the tutorial would mention is that you
>>> also need to add a rule that will reference that plugin. Here's an
>>> example line that I added to one of the rules files to make it work:
>>>
>>> alert tcp any any -> any any (msg:"helloworld 1"; helloworld:blabla;
>>> sid:2219987; rev:2;)
>>>
>>> During initialisation, as this rule was read, helloworld's setup
>>> function was finally called.
>>
>> I've added a small note to the wiki page. Thanks for the feedback!
>>
>> Cheers,
>> Victor
>>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
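A small check for the two points raised in the thread (a custom keyword only gets its Setup callback invoked if some loaded rule actually references it, and sids should be unique), written as an added example; it is not code from the thread or from Suricata, and it assumes the simplified one-rule-per-line syntax quoted above.

```python
import re
# Constructed rules modelled on the thread's; the last reuses a sid and lacks the keyword.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"helloworld 1"; helloworld:blabla; sid:2219987; rev:2;)
alert tcp any any -> any any (msg:"helloworld 12"; helloworld:1,2; sid:1234567; rev:1;)
# comment lines are skipped, as in a real rules file
alert tcp any any -> any 80 (msg:"plain http"; sid:1234567; rev:1;)
"""

OPTS_RE = re.compile(r"\((.*)\)\s*$")  # everything between the outer parentheses

def parse_options(rule):
    """Option section as (keyword, value) pairs; ';' inside quotes is kept,
    and a bare flag option such as 'nocase' gets value None."""
    m = OPTS_RE.search(rule)
    if not m:
        return []
    opts, buf, quoted = [], "", False
    for ch in m.group(1) + ";":        # trailing ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    pairs = []
    for opt in opts:
        key, sep, val = opt.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

def check_rules(text, keyword):
    """Return (sids of rules that use keyword, sorted duplicate sids).
    An empty first list means the keyword's Setup will never be called."""
    users, seen, dups = [], set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = dict(parse_options(line))
        sid = opts.get("sid")
        if sid in seen:
            dups.add(sid)
        seen.add(sid)
        if keyword in opts:
            users.append(sid)
    return users, sorted(dups)
```

Run `check_rules(SAMPLE_RULES, "helloworld")` against the rules you actually load; if it returns no sids for your keyword, the plugin's setup function will not be reached at initialisation.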