[Oisf-users] Advanced Features Examples?

Victor Julien victor at inliniac.net
Mon Jul 5 15:12:07 UTC 2010


0100 wrote:
> Anyone?
> 
> 0100
> 
> On Wed, Jun 30, 2010 at 11:20 AM, 0100 <suroot at gmail.com> wrote:
>> Hi All,
>>
>> Finally getting some time to play with Suricata. So far so good. I
>> have it building and running no problem, and have started trying to
>> get PF_RING working. Multicore performance is very impressive.
>>
>> So now I want to start getting familiar with the more advanced
>> features but I'm having trouble figuring out how to write rules that
>> exercise these new features.
>>
>> Here's some of the things that I think are actually implemented but I
>> can't figure out how to use them:
>>
>> - Generally any new rule features above and beyond snort
>>  - I see mention of keywords in the release notes like http_headers
>> etc. How do you use these? Is there a place in the code I can look to
>> easily figure this out? Docs?

AFAIK this is a part of Snort as well.

>>  - Port independent matching (how do I find out what the currently
>> supported protocols are for this?)

Basically for a number of protocols (HTTP, SMB, FTP) Suricata auto-detects
the proto regardless of the ports.

The following is supposed to work "alert http any any -> any any
(msg:"content match in http"; content:"blah";)", except that it doesn't.
Will be fixed soon :)

>> - What does rule profiling do and how does it work?

It's an indication of how computationally intensive a signature is. It's
really meant for sig writers to identify expensive signatures.

>> - IP Reputation - not clear on exactly what this even does much less
>> how to use it. Has this been implemented?

No. There is some code in place but nothing is functional yet.

>> - Global variables: Do you just use flowbits for this and the engine
>> takes care of it? What are some examples of ways this could be used?

Flowbits operate like in Snort. New is the addition of "flowint". See
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/84-new-features-series-flowint

More is forthcoming...

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
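As an added illustration (not part of the original thread or of the Suricata project's own rule set), the following constructed rules combine the port-independent `http` protocol keyword from the reply above with the flowbits and flowint keywords it mentions. It assumes the flowint syntax `flowint:name,op,value;` and the `noalert` keyword as documented for Suricata; the sid values and the content string are placeholders.

```suricata
# Constructed example: port-independent HTTP matching plus per-flow state.
# "alert http" asks the engine to match on any flow it has identified as
# HTTP, whatever port it runs on, instead of relying on a fixed port list.

# Rule 1: every HTTP request on a flow that carries "blah" adds one to a
# per-flow counter. noalert keeps this bookkeeping rule silent.
alert http any any -> any any (msg:"count blah requests on flow"; content:"blah"; flowint:blahcount,+,1; noalert; sid:1000001; rev:1;)

# Rule 2: raise an alert only once the same flow has exceeded five such
# requests, which is the threshold-style use flowint was added for.
alert http any any -> any any (msg:"more than five blah requests on one flow"; content:"blah"; flowint:blahcount,>,5; sid:1000002; rev:1;)

# Rule 3 and 4: the equivalent Snort-style flowbits pair. The first rule
# marks the flow (silently) when a request contains "login"; the second only
# fires on a later response in that flow once the bit has been set.
alert http any any -> any any (msg:"login request seen"; content:"login"; flowbits:set,seen_login; flowbits:noalert; sid:1000003; rev:1;)
alert http any any -> any any (msg:"response on flow after login request"; flow:to_client; flowbits:isset,seen_login; content:"blah"; sid:1000004; rev:1;)
```

Rule profiling, as described in the reply, would report rules 1 and 4 as cheaper than rules 2 and 3 only if their content matches are hit less often; the point is that the counter and bit checks themselves are per-flow state lookups, not extra payload scans.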