[Oisf-devel] Helloworld Detection Plugin not working completely

Victor Julien victor at inliniac.net
Mon Nov 24 13:48:36 UTC 2014

On 11/24/2014 01:39 PM, Paul Mroszczyk wrote:
> Not a problem.  Thank you for creating Suricata!
> Btw, if I may suggest something... someone's who's reading that
> helloworld tutorial might only have a vague idea of what a rule is at
> that point :)  I didn't - I got introduced to Suricata as a developer
> rather than an admin, so I was learning about Suricata on-the-fly.  I
> would add an example of a rule to that documentation:

Interesting, I had never considered developers to be not at least a
little acquainted with the user side.

> alert tcp any any -> any any (msg:"helloworld 12"; helloworld:1,2;
> sid:1234567; rev:1;)
> (not sure if sid is unique, might have to check that, otherwise the rule
> should work as written)

Added, thanks!

Btw, feel free to add more explanation to the page as you see fit.


> Regards,
> Paul
> On 2014-11-24 12:24, Victor Julien wrote:
>> On 11/18/2014 10:16 PM, Paul Mroszczyk wrote:
>>> Okay, I figured it out by debugging.  Maybe some else will find this
>>> useful in the future:
>>> It turns out that adding a detection plugin is not merely enough to
>>> see it in action.  What I wish the tutorial would mention is that you
>>> also need to add a rule that will reference that plugin.  Here's an
>>> example line that I added to one of the rules files to make it work:
>>> alert tcp any any ->  any any (msg:"helloworld 1"; helloworld:blabla;
>>> sid:2219987; rev:2;)
>>> During initilisation, as this rule was read, helloworld's setup
>>> function was finally called.
>> I've added a small note to the wiki page. Thanks for the feedback!
>> Cheers,
>> Victor

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list