[Oisf-users] Suricata dynamic protocol detection

Michał Purzyński michalpurzynski1 at gmail.com
Tue Sep 29 16:36:11 UTC 2015


I was thinking about logs that indicate if app analysers are enabled ;-)

On Tue, Sep 29, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> That's just the protocol handler.  The output logs are elsewhere:
>
>>  /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>>   # a line based log of HTTP requests (no alerts)
>>   # a line based log of TLS handshake parameters (no alerts)
>>   # a line based log of DNS requests and/or replies (no alerts)
>>   # a line based log to used with pcap file study.
>
> There are also rules to alert on protocol events:
>
>> decoder-events.rules
>> http-events.rules
>> smtp-events.rules
>> stream-events.rules
>> tls-events.rules
>
> -Coop
>
> On 9/29/2015 9:17 AM, Michał Purzyński wrote:
>> Thanks a bunch.
>>
>> I've enabled everything as in
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>>
>> And I don't see any extra log messages when Suricata starts; should I
>> get any? Looks like not, at least that's what I understand from reading the
>> code.
>>
>> Patterns are buried in the C code, an interesting thing for grep for is
>>
>> grep -E RegisterPatter app-layer-*
>>
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042

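To illustrate the mechanism the thread is poking at (protocols are recognised by byte patterns registered per protocol and direction, which is why detection does not depend on the port), here is an added toy model of pattern-based application-layer detection. It is not Suricata's code; the pattern table, depth handling and function names are assumptions for this demo only.

```python
# Added illustration, not Suricata's implementation: a minimal model of
# pattern-based app-layer protocol detection. Every name and pattern here
# is an assumption chosen for the demo.
from dataclasses import dataclass

TO_SERVER = "toserver"
TO_CLIENT = "toclient"


@dataclass(frozen=True)
class Pattern:
    proto: str
    direction: str   # which side of the flow the pattern applies to
    pattern: bytes
    depth: int       # only the first `depth` payload bytes are searched


REGISTRY: list[Pattern] = []


def register_pattern(proto: str, direction: str, pattern: bytes, depth: int) -> None:
    REGISTRY.append(Pattern(proto, direction, pattern, depth))


# Constructed sample registrations, loosely modelled on the well-known
# on-the-wire openings of HTTP, TLS and SSH.
register_pattern("http", TO_SERVER, b"GET ", 4)
register_pattern("http", TO_SERVER, b"POST ", 5)
register_pattern("http", TO_CLIENT, b"HTTP/1.", 7)
register_pattern("tls", TO_SERVER, b"\x16\x03", 2)   # TLS handshake record header
register_pattern("ssh", TO_SERVER, b"SSH-", 4)
register_pattern("ssh", TO_CLIENT, b"SSH-", 4)


def detect_protocol(payload: bytes, direction: str) -> str:
    """Return the first registered protocol whose pattern matches within depth."""
    for p in REGISTRY:
        if p.direction == direction and p.pattern in payload[: p.depth]:
            return p.proto
    return "unknown"   # a real engine keeps trying as more data arrives


def detect_flow(to_server: bytes, to_client: bytes) -> str:
    """Check both directions: a protocol may only be recognisable on one side."""
    proto = detect_protocol(to_server, TO_SERVER)
    if proto == "unknown":
        proto = detect_protocol(to_client, TO_CLIENT)
    return proto


if __name__ == "__main__":
    # Constructed sample payloads for a quick run
    print(detect_flow(b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"))
    print(detect_flow(b"\x16\x03\x01\x00\xc4\x01\x00", b""))
    print(detect_flow(b"", b"SSH-2.0-OpenSSH_7.4\r\n"))
```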