[Oisf-users] Suricata dynamic protocol detection
Cooper F. Nelson
cnelson at ucsd.edu
Tue Sep 29 16:39:38 UTC 2015
fgrep app-layer /var/log/suricata.log
On 9/29/2015 9:36 AM, Michał Purzyński wrote:
> I was thinking about logs that indicate if app analysers are enabled ;-)
>
> On Tue, Sep 29, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> That's just the protocol handler. The output logs are elsewhere:
>
>>>> /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>>>> # a line based log of HTTP requests (no alerts)
>>>> # a line based log of TLS handshake parameters (no alerts)
>>>> # a line based log of DNS requests and/or replies (no alerts)
>>>> # a line based log to used with pcap file study.
>
> There are also rules to alert on protocol events:
>
>>>> decoder-events.rules
>>>> http-events.rules
>>>> smtp-events.rules
>>>> stream-events.rules
>>>> tls-events.rules
>
> -Coop
>
> On 9/29/2015 9:17 AM, Michał Purzyński wrote:
>>>> Thanks a bunch.
>>>>
>>>> I've enabled everything as in
>>>>
>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>>>>
>>>> And I don't see any extra log messages when Suricata starts, should I
>>>> get any? Looks like not, at least that's what I understand reading the
>>>> code.
>>>>
>>>> Patterns are buried in the C code, an interesting thing to grep for is
>>>>
>>>> grep -E RegisterPatter app-layer-*
>>>>
>
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
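The question the thread circles around, which app-layer analysers the running configuration actually has enabled, can be answered directly from suricata.yaml rather than from startup log messages. The script below is an added example written for this page, not code from the thread or from the Suricata project: it walks the indentation of a constructed app-layer section (the layout follows the AppLayerYaml wiki page linked above; the sample file contents, its temp path and the function name are assumptions) and prints the enabled value of every protocol parser, including the nested dns tcp/udp entries and a parser set to detection-only.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project.
# Sample suricata.yaml fragment: constructed for this example, following the
# app-layer layout documented on the AppLayerYaml wiki page.
SAMPLE="${TMPDIR:-/tmp}/suricata-app-layer-sample.yaml"
cat > "$SAMPLE" <<'EOF'
%YAML 1.1
---
default-log-dir: /var/log/suricata/   # unrelated top-level key, must be ignored
outputs:
  - fast:
      enabled: yes                    # an output, not an app-layer parser
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dns:
      tcp:
        enabled: yes
      udp:
        enabled: no
    http:
      enabled: yes
    smtp:
      enabled: detection-only
    ssh:
      enabled: no
EOF

# app_layer_status FILE
# Prints one line per parser under app-layer: protocols:, as
# "<protocol>[/<transport>] <enabled value>".  Only the indentation-based
# subset of YAML that suricata.yaml uses for this section is understood.
app_layer_status() {
    awk '
    {
        match($0, /^ */); ind = RLENGTH          # indentation width
        line = substr($0, ind + 1)
        sub(/ *#.*$/, "", line)                  # strip trailing comments
        if (line == "" || line ~ /^- /) next     # blank or list item: no key we need
        pos = index(line, ":")
        if (pos == 0) next                       # "---", "%YAML", etc.
        key = substr(line, 1, pos - 1)
        val = substr(line, pos + 1)
        gsub(/^ +| +$/, "", val)
        # pop stack entries at the same or deeper indentation than this line
        while (depth > 0 && indent[depth] >= ind) depth--
        depth++; indent[depth] = ind; name[depth] = key
        # only "enabled" keys that sit below app-layer -> protocols count
        if (key == "enabled" && depth >= 4 && name[1] == "app-layer" && name[2] == "protocols") {
            path = name[3]
            for (i = 4; i < depth; i++) path = path "/" name[i]
            print path, val
        }
    }' "$1"
}

app_layer_status "$SAMPLE"
```

Run against the real file (app_layer_status /etc/suricata/suricata.yaml) the output lists every parser with yes, no or detection-only, so a parser that is silently off, or one that only detects but does not parse, shows up without having to read the C sources or wait for a startup message.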