[Oisf-users] Suricata dynamic protocol detection
Cooper F. Nelson
cnelson at ucsd.edu
Mon Sep 28 16:26:53 UTC 2015
YAML configuration:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
Source code:
> https://doxygen.openinfosecfoundation.org/detect-app-layer-protocol_8c.html
Here's a script to produce a report of alert keywords from rule files:
> /etc/suricata/rules $ grep -h ^alert *.rules | awk '{print $2}' | sort | uniq -c | sort -rn
Here are results for the current ETPRO ruleset
> 16963 http
> 7624 tcp
> 1584 udp
> 965 ip
> 652 tls
> 103 smtp
> 95 ftp
> 72 pkthdr
> 59 icmp
> 4 ssh
On 9/28/2015 2:51 AM, Michał Purzyński wrote:
> Hello.
>
> Where can I read more about the dynamic protocol detection in
> Suricata? Pointers to specific documentation and/or source code files
> are welcome.
>
> Also, how much of it is really used by ET / ET Pro / VRT rulesets?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
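As an added example (not from the message above and not Suricata project code), here is the grep/awk one-liner from the reply extended into a small POSIX shell script: it counts rules per header protocol for every action (alert, drop, reject, pass) rather than alert only, skips commented-out rules, and separately counts rules that carry the `app-layer-protocol` keyword, i.e. rules whose header says tcp/udp but which still depend on Suricata's protocol detection (that keyword is what detect-app-layer-protocol.c, linked above, implements). The rules, sids and the file written to a temporary path are constructed for this example.

```shell
#!/bin/sh
# Constructed sample rules for the example (not from ET/ETPRO/VRT), one per line,
# in Suricata's "action proto src sport -> dst dport (options)" header form.
SAMPLE_RULES='alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample http"; flow:established,to_server; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample non-http on 80"; flow:established,to_server; app-layer-protocol:!http; sid:1000002; rev:1;)
drop tls any any -> any any (msg:"sample tls"; tls.sni; content:"bad.example"; sid:1000003; rev:1;)
# alert smtp any any -> any any (msg:"disabled rule, must be ignored"; sid:1000004; rev:1;)
alert udp any any -> any 53 (msg:"sample udp that must be dns"; app-layer-protocol:dns; sid:1000005; rev:1;)
alert tcp any any -> any any (msg:"sample raw tcp"; content:"|00 01|"; sid:1000006; rev:1;)'

# Write the constructed rules to a temporary file so the functions below can
# take file arguments exactly like they would take /etc/suricata/rules/*.rules.
RULES_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$RULES_FILE"

# Enabled rules only: a rule line starts with an action keyword, so a leading
# "#" (disabled rule) or a comment line never matches.
enabled_rules() {
  grep -hE '^(alert|drop|reject|pass)[[:space:]]' "$@"
}

# Per-protocol report, "<count> <proto>" per line, highest count first.
# This is the reply's pipeline with the action filter widened beyond "alert".
proto_report() {
  enabled_rules "$@" | awk '{print $2}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of enabled rules that use the app-layer-protocol keyword; these are
# tcp/udp-header rules that still rely on dynamic protocol detection.
alp_report() {
  enabled_rules "$@" | grep -c 'app-layer-protocol:' || true
}

echo "rules per header protocol:"
proto_report "$RULES_FILE"
echo "rules using app-layer-protocol keyword: $(alp_report "$RULES_FILE")"
```

Run against a real ruleset with `proto_report /etc/suricata/rules/*.rules`; the difference between the `tcp`/`udp` counts and the `alp_report` count is a quick measure of how many raw-transport rules nevertheless depend on app-layer detection.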