[Oisf-users] making progress on my suricata config but.. ;)

Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 23 03:00:47 UTC 2014


I recently upgraded suri to 2.0.3 via the SO package. (I also got the right rule tarball eventually ;) I think...)

Naively I simply used my old config and I quickly noticed that a whole lot of rules were not triggering. I discovered that there is now an app-layer section in the yaml file, and copying that from the SO-supplied template resulted in a great improvement.

One question: Is there a definitive list of all the options in the yaml file? I have been using https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml but this does not have app-layer:, nor does it have host:. I also note that in my rule directory for 2.0.3 there is a 1.3-suricata.yaml but no 2.0.3. How can I check that I really have the right tarball? If I don't, then that would explain the odd error that I reported earlier with a rule generating errors.

I now have one obvious hole: none of the udp signatures are being triggered.

Is there anything that I could have broken in the config that would disable all udp rules?

Russell
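The post above says the rules only started firing once an app-layer: section was copied in from the template, and then asks what in the config could silence the udp rules. As an added example (not code from the original post, the SO package, or the Suricata project), here is a small self-contained check that parses a suricata.yaml, reports whether an app-layer: section exists at all, and lists every app-layer protocol whose udp parser is switched off. It uses a minimal indentation-based parser for the subset of YAML that this part of suricata.yaml uses (nested key: value mappings and # comments), so it needs no third-party library. The key path it inspects (app-layer -> protocols -> <proto> -> udp -> enabled) follows the layout of the 2.0-era template; treat that path, and the two sample configs, as constructed assumptions and adjust them to the template you actually copied. The page itself does not say what caused the udp rules to go quiet; this is one config-level check, not a diagnosis.

```python
"""Check a Suricata YAML config for an app-layer section and per-protocol udp switches.

Added example, not from the mailing-list post or the Suricata project. The YAML parser
below handles only nested 'key: value' mappings with '#' comments, which is all the
app-layer tree needs; lists, anchors and block scalars are out of scope.
"""
from typing import Any, Dict, List, Tuple


def parse_yaml_subset(text: str) -> Dict[str, Any]:
    """Build nested dicts from indentation. Leaf values stay as strings ('yes', 'no', '53')."""
    root: Dict[str, Any] = {}
    # stack of (indent, mapping) so a shallower line pops back to its parent mapping
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip():
            continue                                # blank or comment-only line
        indent = len(line) - len(line.lstrip(' '))
        key, sep, value = line.strip().partition(':')
        if not sep:
            continue                                # not a mapping line; ignore it
        while stack[-1][0] >= indent:               # root has indent -1, so it never pops
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == '':                             # 'key:' alone opens a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def udp_parser_status(cfg: Dict[str, Any]) -> Dict[str, str]:
    """Map each app-layer protocol that has a udp: block to its 'enabled' value."""
    protocols = cfg.get('app-layer', {}).get('protocols', {})
    status: Dict[str, str] = {}
    for proto, body in protocols.items():
        if isinstance(body, dict) and isinstance(body.get('udp'), dict):
            status[proto] = str(body['udp'].get('enabled', 'unset'))
    return status


def check_config(text: str) -> Dict[str, Any]:
    """Summarise the two things the post is asking about: app-layer present? udp parsers off?"""
    cfg = parse_yaml_subset(text)
    has_app_layer = isinstance(cfg.get('app-layer'), dict)
    udp = udp_parser_status(cfg) if has_app_layer else {}
    disabled = sorted(p for p, v in udp.items() if v.lower() == 'no')
    return {'has_app_layer': has_app_layer, 'udp_parsers': udp, 'udp_disabled': disabled}


# Constructed sample: an old-style config with no app-layer section at all.
OLD_STYLE = """\
# constructed: pre-2.0 style config, no app-layer section
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
default-rule-path: /etc/suricata/rules
"""

# Constructed sample: app-layer tree in the shape of the 2.0 template, dns-over-udp switched off.
NEW_STYLE = """\
# constructed: 2.0-style app-layer tree (assumed key layout)
app-layer:
  protocols:
    http:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: no   # the kind of setting worth eyeballing when udp rules go quiet
        detection-ports:
          dp: 53
"""

if __name__ == '__main__':
    for name, text in (('old-style', OLD_STYLE), ('new-style', NEW_STYLE)):
        print(name, check_config(text))
```

To run it against a real file, call check_config(open('/etc/suricata/suricata.yaml').read()); an empty udp_parsers dict with has_app_layer True just means no protocol in that tree has a udp: block in the layout the script assumes, which is itself worth comparing against the template you copied.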

