[Oisf-users] Suricata dynamic protocol detection
Cooper F. Nelson
cnelson at ucsd.edu
Tue Sep 29 16:26:38 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That's just the protocol handler. The output logs are elsewhere:
> /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
> # a line based log of HTTP requests (no alerts)
> # a line based log of TLS handshake parameters (no alerts)
> # a line based log of DNS requests and/or replies (no alerts)
> # a line based log to used with pcap file study.
There are also rules to alert on protocol events:
> decoder-events.rules
> http-events.rules
> smtp-events.rules
> stream-events.rules
> tls-events.rules
- -Coop
On 9/29/2015 9:17 AM, Michał Purzyński wrote:
> Thanks a bunch.
>
> I've enabled everything as in
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>
> And I don't see any extra log messages when Suricata starts; should I
> get any? Looks like not, at least that's what I understand from reading the
> code.
>
> Patterns are buried in the C code; an interesting thing to grep for is
>
> grep -E RegisterPatter app-layer-*
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJWCru+AAoJEKIFRYQsa8FWoMoH/3njanKlDsN8kWLru/I003sm
1tPiLCvrRaXfct4n2MLAI1rA/SdIEBfeQNGZIMIrV0BRBzeGqqcSl+FPiAu8PnGZ
m5ZsKQCIqiWPC7m8LSmKwBb1bVjbE/RMkduoH1/qLbmA+4OvS9uylxadusBUTn0R
BPTBxL9wJLYFlXx6VTimseGcFUMeKSyycHZAs1AmdggIKVT5KT0xEJ0DaAafG+go
Mv1T2xB9vevTbZO6vjgRetemsA6C2hVZes7Qd67tv48PMyUTKl+kie5rqXcj9xgD
UcuCXdUVePgGfyYTXgcisUTiXUa6g8FAmGgtFUxmyeTMg6XE8vT60uECG2Y1GfM=
=xDDB
-----END PGP SIGNATURE-----
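The reply above distinguishes three separate things in suricata.yaml: the app-layer protocol handler, the line based output logs, and the protocol event rule files. The following fragment, added here as an illustration and not taken from the thread or from Suricata's own shipped config, puts the three side by side using the key names of a Suricata 2.0-era suricata.yaml (the version current in 2015). The log and rule directory paths and the choice of which logs to enable are assumptions for the example.

```yaml
# Added example (not from the thread): the three suricata.yaml sections the
# reply distinguishes. Paths and the "enabled" choices are assumptions for
# illustration; key names follow the Suricata 2.0 default configuration.

# 1. Protocol handler: enabling a parser and giving the detection engine a
#    port hint. Enabling a parser here does NOT by itself write any log.
app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53

# 2. Output logs: the "line based log" modules from the fgrep in the reply.
#    These record transactions only; they carry no alerts.
default-log-dir: /var/log/suricata/   # assumed path

outputs:
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes          # adds status code, content length, etc.
  - tls-log:
      enabled: yes
      filename: tls.log
      extended: yes          # adds certificate fingerprint and validity dates
  - dns-log:
      enabled: yes
      filename: dns.log
      append: yes
  - pcap-info:
      enabled: no            # only produces output when reading a pcap file

# 3. Protocol event rules: the alerts on decoder/parser anomalies. These
#    files ship in the Suricata source tree under rules/, so they must be
#    copied into the rule path and listed here to have any effect.
default-rule-path: /etc/suricata/rules   # assumed path
rule-files:
  - decoder-events.rules
  - stream-events.rules
  - http-events.rules
  - smtp-events.rules
  - tls-events.rules
```

After editing, `suricata -T -c suricata.yaml` validates the configuration without starting capture; a missing rule file or a mistyped output key is reported there rather than silently ignored at startup, which is the quiet failure the quoted question describes.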