[Oisf-users] Advanced Features Examples?

0100 suroot at gmail.com
Wed Jun 30 18:20:19 UTC 2010

Hi All,

Finally getting some time to play with Suricata. So far so good. I
have it building and running no problem, and have started trying to
get PF_RING working. Multicore performance is very impressive.

So now I want to start getting familiar with the more advanced
features but I'm having trouble figuring out how to write rules that
exercise these new features.

Here are some of the things that I think are actually implemented but I
can't figure out how to use them:

- Generally any new rule features above and beyond Snort
  - I see mention of keywords in the release notes like http_headers
    etc. How do you use these? Is there a place in the code I can look to
    easily figure this out? Docs?
  - Port independent matching (how do I find out what the currently
    supported protocols are for this?)
- What does rule profiling do and how does it work?
- IP Reputation - not clear on exactly what this even does, much less
  how to use it. Has this been implemented?
- Global variables: Do you just use flowbits for this and the engine
  takes care of it? What are some examples of ways this could be used?
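As an added illustration, not from the poster or the Suricata project, here are two rules that exercise the `http_header` keyword and `flowbits` together. The header name, message text and sids are made up; note that flowbits are tracked per flow, not globally across flows.

```suricata
# Rule 1: match a made-up request header inside the normalized HTTP headers
# (the "http_header" modifier applies to the preceding "content"), record the
# fact on the flow, and suppress its own alert so only rule 2 fires.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE HTTP client sent X-Example-Tag header"; \
    flow:established,to_server; \
    content:"X-Example-Tag|3a|"; http_header; nocase; \
    flowbits:set,example.tagged_client; \
    flowbits:noalert; \
    sid:1000001; rev:1;)

# Rule 2: alert on the server reply only when rule 1 already set the flowbit
# on this same flow; the state carries from request to response, not to
# other flows.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"EXAMPLE server replied to a tagged client"; \
    flow:established,to_client; \
    flowbits:isset,example.tagged_client; \
    content:"200"; http_stat_code; \
    sid:1000002; rev:1;)
```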
