[Oisf-users] Suricata dynamic protocol detection

Michał Purzyński michalpurzynski1 at gmail.com
Tue Sep 29 16:42:23 UTC 2015


Code does not have anything special to tell me that app-layer is enabled.

Also

nsm12 :: ~ » fgrep app-layer /var/log/nsm/suricata.log | wc -l
                                                     1 ↵
0

nsm12 :: ~ » wc -l /var/log/nsm/suricata.log
227 /var/log/nsm/suricata.log


On Tue, Sep 29, 2015 at 6:39 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> fgrep app-layer /var/log/suricata.log
>
> On 9/29/2015 9:36 AM, Michał Purzyński wrote:
>> I was thinking about logs that indicate if app analysers are enabled ;-)
>>
>> On Tue, Sep 29, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> That's just the protocol handler.  The output logs are elsewhere:
>>
>>>>>  /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>>>>>   # a line based log of HTTP requests (no alerts)
>>>>>   # a line based log of TLS handshake parameters (no alerts)
>>>>>   # a line based log of DNS requests and/or replies (no alerts)
>>>>>   # a line based log to used with pcap file study.
>>
>> There are also rules to alert on protocol events:
>>
>>>>> decoder-events.rules
>>>>> http-events.rules
>>>>> smtp-events.rules
>>>>> stream-events.rules
>>>>> tls-events.rules
>>
>> -Coop
>>
>> On 9/29/2015 9:17 AM, Michał Purzyński wrote:
>>>>> Thanks a bunch.
>>>>>
>>>>> I've enabled everything as in
>>>>>
>>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>>>>>
>>>>> And I don't see any extra log messages when Suricata starts, should I
>>>>> get any? Looks like not, at least that's what I understand reading the
>>>>> code.
>>>>>
>>>>> Patterns are buried in the C code, an interesting thing to grep for is
>>>>>
>>>>> grep -E RegisterPatter app-layer-*
>>>>>
>>
>>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
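Since suricata.log says nothing about which app-layer parsers are on, the state has to be read from the config. The following is an added example, not code from this thread or from the Suricata project: a small sh/awk helper that lists every protocol under `app-layer: protocols:` with its `enabled:` value (yes, no or detection-only), run against a constructed sample suricata.yaml; the function and file names are my own.

```shell
#!/bin/sh
# Added example: report the "enabled" value of each app-layer protocol in a
# suricata.yaml. Assumes the layout app-layer -> protocols -> <name> -> enabled
# with two-space indentation, as in the stock config.
list_app_layer() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^app-layer:/                                    { in_al = 1; next }
    in_al && /^[^ #]/                                { in_al = 0 }   # next top-level key ends the section
    !in_al                                           { next }
    indent($0) == 2 && $1 == "protocols:"            { in_proto = 1; next }
    indent($0) == 2                                  { in_proto = 0; next }
    in_proto && indent($0) == 4 && $1 ~ /:$/         { proto = $1; sub(/:$/, "", proto); next }
    in_proto && indent($0) == 6 && $1 == "enabled:"  { print proto, $2 }
  ' "$1"
}

# Constructed sample config (not a real suricata.yaml), written to stdout.
write_sample_yaml() {
  cat <<'EOF'
default-log-dir: /var/log/suricata/
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    http:
      enabled: yes
    smtp:
      enabled: detection-only
    ssh:
      enabled: no
outputs:
  - fast:
      enabled: yes
EOF
}

SAMPLE=$(mktemp)
write_sample_yaml > "$SAMPLE"
list_app_layer "$SAMPLE"   # prints: tls yes / http yes / smtp detection-only / ssh no
```

Point it at the real file with `list_app_layer /etc/suricata/suricata.yaml`; a protocol reported as `detection-only` is detected but not parsed, so its line-based logs stay empty.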


