[Oisf-users] Suricata dynamic protocol detection

Cooper F. Nelson cnelson at ucsd.edu
Mon Sep 28 16:26:53 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

YAML configuration:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml

Source code:

> https://doxygen.openinfosecfoundation.org/detect-app-layer-protocol_8c.html

Here's a script to produce a report of alert keywords from rule files:

> /etc/suricata/rules $ grep -h ^alert *.rules | awk '{print $2}' | sort | uniq -c | sort -rn

Here are results for the current ETPRO ruleset:

>   16963 http
>    7624 tcp
>    1584 udp
>     965 ip
>     652 tls
>     103 smtp
>      95 ftp
>      72 pkthdr
>      59 icmp
>       4 ssh

On 9/28/2015 2:51 AM, Michał Purzyński wrote:
> Hello.
> 
> Where can I read more about the dynamic protocol detection in
> Suricata? Pointers to specific documentation and/or source code files
> are welcome.
> 
> Also, how much of it is really used by ET / ET Pro / VRT rulesets?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJWCWpNAAoJEKIFRYQsa8FW6QEH/0Yu0+AuN+ApLXPsBSpd5D1l
EkH7le2Y5+ckiQu663DgGNGGMmMQI+LC4+JHt9sQCrsxPgvwGBpoFMz79RtrGlOl
e7PvkvxR7TomVRYY5KJRSsZo1byL4xgUAUy0eXHeG5XDSskx1etYfJvL+10USpN4
QkelJFDgrAI/bnq5b763xrbdpQPQVV65TzmQIoTpdUq0IM0JvCejiiCOeNxBKEaB
7x5WPUoUQrxSUJwzgb8HT4IS/GY7Z2FyaFsW7q/AgTrG6Jvqcyz2esccQDgdJ1u0
z6RA56ct0NbJWLtfAudDBMVzr1ol9A5XKcPHDjvhzhZG6K2CXvS+WfRqsT3YGgo=
=+3uL
-----END PGP SIGNATURE-----
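The one-liner above only looks at the protocol field of each "alert" line, so it cannot see rules that pin a protocol via the app-layer-protocol keyword (a tcp rule with "app-layer-protocol:!ssh;", for instance), and it silently drops rules with other actions. The script below is an added example, not part of Cooper's message or the Suricata project: it produces the same per-protocol count plus a separate count of app-layer-protocol keyword usage, skips commented-out rules, and lets you choose which actions to include. The rule lines, sids and messages are constructed for this example and do not come from any real ruleset.

```python
import re
import sys
from collections import Counter

# Constructed sample rule file (not from ET/ETPRO/VRT); sids and messages are made up.
SAMPLE_RULES = """\
# A comment line, ignored
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE http rule"; content:"GET"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE second http rule"; content:"POST"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE non-ssh on 22"; app-layer-protocol:!ssh; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp on 21"; app-layer-protocol:ftp; sid:1000004; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE tls rule"; sid:1000005; rev:1;)
#alert smtp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE disabled rule"; sid:1000006; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE drop rule"; sid:1000007; rev:1;)
"""

# Rule header: action, protocol, then anything up to the parenthesised options.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.*?\((?P<options>.*)\)\s*$"
)
# app-layer-protocol keyword, with optional negation, e.g. "app-layer-protocol:!ssh;".
ALP_RE = re.compile(r"app-layer-protocol:\s*(!?)\s*([A-Za-z0-9_.-]+)\s*;")


def parse_rules(text):
    """Yield (action, proto, options) for every enabled rule line in text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or disabled ("#alert ...") rule
        m = RULE_RE.match(line)
        if not m:
            continue  # not a single-line rule; ignored here
        yield m.group("action"), m.group("proto"), m.group("options")


def protocol_report(text, actions=("alert",)):
    """Return (protocol_counts, app_layer_protocol_counts) for the given actions.

    protocol_counts mirrors the grep/awk/uniq one-liner; the second Counter
    records each app-layer-protocol keyword value, keeping the '!' prefix so
    negated matches ("!ssh") are counted separately from positive ones.
    """
    proto = Counter()
    alp = Counter()
    for action, p, options in parse_rules(text):
        if action not in actions:
            continue
        proto[p] += 1
        for neg, name in ALP_RE.findall(options):
            alp[neg + name] += 1
    return proto, alp


def format_report(counter):
    """Render a Counter like `sort | uniq -c | sort -rn` does."""
    return "\n".join(f"{n:8d} {name}" for name, n in counter.most_common())


if __name__ == "__main__":
    # Usage: python report.py /etc/suricata/rules/*.rules  (no args: sample rules)
    if len(sys.argv) > 1:
        text = "".join(open(path, encoding="utf-8", errors="replace").read()
                       for path in sys.argv[1:])
    else:
        text = SAMPLE_RULES
    proto, alp = protocol_report(text)
    print("Protocol field:")
    print(format_report(proto))
    print("\napp-layer-protocol keyword:")
    print(format_report(alp))
```

Pass actions=("alert", "drop") to protocol_report if a ruleset you are inspecting carries drop rules; the default matches the one-liner's `grep ^alert`.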


