[Oisf-users] Suricata dynamic protocol detection

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 29 16:26:38 UTC 2015


That's just the protocol handler.  The output logs are elsewhere:

>  /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>   # a line based log of HTTP requests (no alerts)
>   # a line based log of TLS handshake parameters (no alerts)
>   # a line based log of DNS requests and/or replies (no alerts)
>   # a line based log to used with pcap file study.

There are also rules to alert on protocol events:

> decoder-events.rules
> http-events.rules
> smtp-events.rules
> stream-events.rules
> tls-events.rules

-Coop

On 9/29/2015 9:17 AM, Michał Purzyński wrote:
> Thanks a bunch.
> 
> I've enabled everything as in
> 
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
> 
> And I don't see any extra log messages when Suricata starts, should I
> get any? Looks like not, at least that's what I understand reading the
> code.
> 
> Patterns are buried in the C code, an interesting thing to grep for is
> 
> grep -E RegisterPatter app-layer-*
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
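As an added illustration of the two places the reply points at (this is not code from the thread or from the Suricata project): a small Python audit that scans a constructed suricata.yaml excerpt and reports which of the line-based protocol loggers are disabled and which of the *-events.rules files are missing from rule-files. It assumes the 2.x layout shown in the sample and is a line-oriented scan, not a YAML parser.

```python
# Constructed excerpt of a Suricata 2.x suricata.yaml; not any real deployment's file.
SAMPLE_YAML = """\
outputs:
  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: no
      filename: http.log
  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes
      filename: tls.log
  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
rule-files:
 - emerging-malware.rules
 - http-events.rules
 - tls-events.rules
"""

PROTOCOL_LOGGERS = ("http-log", "tls-log", "dns-log")
EVENT_RULES = ("decoder-events.rules", "http-events.rules", "smtp-events.rules",
               "stream-events.rules", "tls-events.rules")

def audit(yaml_text):
    """Line scan of the 2.x layout: returns ({logger: enabled}, {events file: listed})."""
    enabled, listed, section, current = {}, set(), None, None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # top-level key starts a new section
            section, current = line.strip().rstrip(":"), None
            continue
        item = line.strip()
        if section == "outputs":
            if item.startswith("- ") and item.endswith(":"):
                current = item[2:-1].strip()      # "- http-log:" -> "http-log"
            elif current and item.startswith("enabled:"):
                enabled[current] = item.split(":", 1)[1].strip().lower() in ("yes", "true")
        elif section == "rule-files" and item.startswith("- "):
            listed.add(item[2:].strip())
    return ({n: enabled.get(n, False) for n in PROTOCOL_LOGGERS},
            {n: n in listed for n in EVENT_RULES})

def gaps(yaml_text):
    loggers, rules = audit(yaml_text)             # names left disabled or unlisted
    return sorted(n for n, on in {**loggers, **rules}.items() if not on)
```

Running gaps() over the sample lists the loggers still disabled and the event rule files not yet included, which is what to check before expecting protocol logs or protocol-event alerts.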