[Oisf-users] Suricata dynamic protocol detection

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 29 16:39:38 UTC 2015



fgrep app-layer /var/log/suricata.log

On 9/29/2015 9:36 AM, Michał Purzyński wrote:
> I was thinking about logs that indicate if app analysers are enabled ;-)
> 
> On Tue, Sep 29, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> That's just the protocol handler.  The output logs are elsewhere:
> 
>>>>  /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>>>>   # a line based log of HTTP requests (no alerts)
>>>>   # a line based log of TLS handshake parameters (no alerts)
>>>>   # a line based log of DNS requests and/or replies (no alerts)
>>>>   # a line based log to used with pcap file study.
> 
> There are also rules to alert on protocol events:
> 
>>>> decoder-events.rules
>>>> http-events.rules
>>>> smtp-events.rules
>>>> stream-events.rules
>>>> tls-events.rules
> 
> -Coop
> 
> On 9/29/2015 9:17 AM, Michał Purzyński wrote:
>>>> Thanks a bunch.
>>>>
>>>> I've enabled everything as in
>>>>
>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>>>>
>>>> And I don't see any extra log messages when Suricata start, should I
>>>> get any? Looks like not, at least that's what I understand reading the
>>>> code.
>>>>
>>>> Patterns are buried in the C code; an interesting thing to grep for is
>>>>
>>>> grep -E RegisterPatter app-layer-*
>>>>
> 
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
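The script below is an added example; it is not part of this thread and not Suricata's own code. It illustrates the distinction Cooper draws above: enabling a protocol under app-layer only turns on the parser, while the line-based http/tls/dns logs are a separate setting under outputs, so a parser can be running with nothing reaching a log file. The suricata.yaml fragment is constructed and cut down, modelled on the 2.0-era layout (assumed keys: outputs, app-layer.protocols, and the http-log, tls-log and dns-log logger names), and it is read with a deliberately minimal parser for just that subset rather than a YAML library.

```python
# Added example (not from the thread or the Suricata project): cross-check the
# app-layer protocol section of suricata.yaml against the line-based output
# loggers. SAMPLE_YAML is a constructed, cut-down fragment modelled on the
# 2.0-era suricata.yaml layout; the key names are assumptions from that layout.
SAMPLE_YAML = """\
outputs:
  - http-log:
      enabled: yes
      filename: http.log
  - tls-log:
      enabled: no
      filename: tls.log
  - dns-log:
      enabled: no
      filename: dns.log
app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: yes
    dns:
      tcp:
        enabled: yes
      udp:
        enabled: yes
    smtp:
      enabled: yes
"""

# Protocols whose parser has a matching line-based logger in this yaml layout.
LOGGER_FOR = {"http": "http-log", "tls": "tls-log", "dns": "dns-log"}


def parse_subset(text):
    """Minimal indentation-based parser for the subset of YAML used above.

    Not a general YAML parser: it understands `key:`, `key: value`, comments and
    `- key:` list items, and flattens a list of single-key mappings (the
    `outputs:` list) into one dict so each logger can be looked up by name.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):       # list item: treat "- key:" as a nested key
            body = body[2:]
            indent += 2
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:   # climb back out to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def detection_enabled(proto_cfg):
    """`enabled` sits at the protocol level or, for dns, under tcp/udp."""
    if "enabled" in proto_cfg:
        return proto_cfg["enabled"] == "yes"
    return any(sub.get("enabled") == "yes"
               for sub in proto_cfg.values() if isinstance(sub, dict))


def audit(config):
    """Map each protocol to (detection_enabled, logger_enabled).

    logger_enabled is None when no line-based logger exists for the protocol,
    i.e. the parser only feeds rules such as the *-events.rules files.
    """
    report = {}
    outputs = config["outputs"]
    for name, cfg in config["app-layer"]["protocols"].items():
        logger = LOGGER_FOR.get(name)
        logging = None if logger is None else outputs.get(logger, {}).get("enabled") == "yes"
        report[name] = (detection_enabled(cfg), logging)
    return report


def parsed_but_unlogged(report):
    """Protocols that are parsed but whose logger is off: the situation in the
    thread, where detection is on yet nothing shows up in a log file."""
    return sorted(p for p, (detect, logging) in report.items()
                  if detect and logging is False)


if __name__ == "__main__":
    rep = audit(parse_subset(SAMPLE_YAML))
    for proto, (detect, logging) in sorted(rep.items()):
        print(f"{proto:5} detection={'on' if detect else 'off'} logger={logging}")
    print("parsed but unlogged:", parsed_but_unlogged(rep))
```

On the sample fragment this reports tls and dns as parsed but unlogged and smtp as having no line-based logger at all, which is why enabling everything under app-layer produces no new log files by itself. For a real suricata.yaml, replace the mini parser with a proper YAML loader; the check logic stays the same.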
