[Oisf-users] Advanced Features Examples?

Victor Julien victor at inliniac.net
Mon Jul 5 15:12:07 UTC 2010

0100 wrote:
> Anyone?
> 0100
> On Wed, Jun 30, 2010 at 11:20 AM, 0100 <suroot at gmail.com> wrote:
>> Hi All,
>> Finally getting some time to play with Suricata. So far so good. I
>> have it building and running no problem, and have started trying to
>> get PF_RING working. Multicore performance is very impressive.
>> So now I want to start getting familiar with the more advanced
>> features but I'm having trouble figuring out how to write rules that
>> exercise these new features.
>> Here's some of the things that I think are actually implemented but I
>> can't figure out how to use them:
>> - Generally any new rule features above and beyond snort
>>  - I see mention of keywords in the release notes like http_headers
>> etc. How do you use these? Is there a place in the code I can look to
>> easily figure this out? Docs?

AFAIK this is a part of Snort as well.

>>  - Port independent matching (how do I find out what the currently
>> supported protocols are for this?)

Basically, for a number of protocols (HTTP, SMB, FTP), Suricata auto-detects
the proto regardless of the ports.

The following is supposed to work "alert http any any -> any any
(msg:"content match in http"; content:"blah";)", except that it doesn't.
Will be fixed soon :)

>> - What does rule profiling do and how does it work?

It's an indication of how computationally intensive a signature is. It's
really meant for sig writers to identify expensive signatures.

>> - IP Reputation - not clear on exactly what this even does much less
>> how to use it. Has this been implemented?

No. There is some code in place but nothing is functional yet.

>> - Global variables: Do you just use flowbits for this and the engine
>> takes care of it? What are some examples of ways this could be used?

Flowbits operate like in Snort. New is the addition of "flowint". See

More is forthcoming...


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
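Constructed example rules, added here and not part of the thread, showing the protocol keyword, flowbits and flowint usage asked about above. Syntax follows the current Suricata rule documentation; the sids, names and content strings are placeholders.

```suricata
# Constructed example rules (not from the mailing-list thread). Sids 9000001-9000005,
# the flowbit/flowint names and the matched strings are placeholders.

# 1. Port-independent matching: the "http" protocol keyword relies on app-layer
#    detection, so HTTP on a non-standard port is still inspected.
alert http any any -> any any (msg:"HTTP request for admin path"; \
    flow:to_server,established; content:"/admin/"; http_uri; \
    classtype:policy-violation; sid:9000001; rev:1;)

# 2. flowbits: carry state across packets of one flow. The first rule tags the
#    flow without alerting; the second fires only if that tag was set earlier.
alert http any any -> any any (msg:"stage1 - admin login page requested"; \
    flow:to_server,established; content:"/admin/login"; http_uri; \
    flowbits:set,admin.login; flowbits:noalert; sid:9000002; rev:1;)

alert http any any -> any any (msg:"stage2 - login failure after admin login request"; \
    flow:to_client,established; flowbits:isset,admin.login; \
    content:"Login failed"; http_server_body; nocase; \
    classtype:attempted-user; sid:9000003; rev:1;)

# 3. flowint: a per-flow integer. Following the documented pattern, one rule
#    initialises the counter on the first failure, one increments it on later
#    failures, and only the threshold rule alerts, so a single typo stays quiet
#    while repeated failures within one connection do not.
alert http any any -> any any (msg:"init failed-login counter"; \
    flow:to_client,established; content:"Login failed"; http_server_body; nocase; \
    flowint:login.failures,notset; flowint:login.failures,=,1; noalert; \
    sid:9000004; rev:1;)

alert http any any -> any any (msg:"count failed logins on this flow"; \
    flow:to_client,established; content:"Login failed"; http_server_body; nocase; \
    flowint:login.failures,isset; flowint:login.failures,+,1; noalert; \
    sid:9000005; rev:1;)

alert http any any -> any any (msg:"5 or more failed logins on one flow"; \
    flow:to_client,established; content:"Login failed"; http_server_body; nocase; \
    flowint:login.failures,isset; flowint:login.failures,>,4; \
    classtype:attempted-admin; sid:9000006; rev:1;)
```

Load the file with `-s` or via the rule-files list in suricata.yaml and check the engine's startup output for parse errors before relying on the rules.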
