[Oisf-users] Suricata dynamic protocol detection

Michał Purzyński michalpurzynski1 at gmail.com
Tue Sep 29 16:17:47 UTC 2015


Thanks a bunch.

I've enabled everything as in

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml

And I don't see any extra log messages when Suricata starts; should I
get any? Looks like not, at least that's what I understand reading the
code.

Patterns are buried in the C code; an interesting thing to grep for is

grep -E RegisterPatter app-layer-*



On Mon, Sep 28, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> YAML configuration:
>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>
> Source code:
>
>> https://doxygen.openinfosecfoundation.org/detect-app-layer-protocol_8c.html
>
> Here's a script to produce a report of alert keywords from rule files:
>
>> /etc/suricata/rules $ grep -h ^alert *.rules | awk '{print $2}' | sort | uniq -c | sort -rn
>
> Here are results for the current ETPRO ruleset
>
>>   16963 http
>>    7624 tcp
>>    1584 udp
>>     965 ip
>>     652 tls
>>     103 smtp
>>      95 ftp
>>      72 pkthdr
>>      59 icmp
>>       4 ssh
>
> On 9/28/2015 2:51 AM, Michał Purzyński wrote:
>> Hello.
>>
>> Where can I read more about the dynamic protocol detection in
>> Suricata? Pointers to specific documentation and/or source code files
>> are welcome.
>>
>> Also, how much of it is really used by ET / ET Pro / VRT rulesets?
>>
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
