[Oisf-users] Suricata dynamic protocol detection

Peter Manev petermanev at gmail.com
Tue Sep 29 19:37:48 UTC 2015


On Tue, Sep 29, 2015 at 6:42 PM, Michał Purzyński
<michalpurzynski1 at gmail.com> wrote:
> Code does not have anything special to tell me that app-layer is enabled.
>
> Also
>
> nsm12 :: ~ » fgrep app-layer /var/log/nsm/suricata.log | wc -l
>                                                      1 ↵
> 0
>
> nsm12 :: ~ » wc -l /var/log/nsm/suricata.log
> 227 /var/log/nsm/suricata.log
>

Why not use -
suricata --dump-config | grep app-layer
Isn't that of any help?

>
> On Tue, Sep 29, 2015 at 6:39 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>
>> fgrep app-layer /var/log/suricata.log
>>
>> On 9/29/2015 9:36 AM, Michał Purzyński wrote:
>>> I was thinking about logs that indicate if app analysers are enabled ;-)
>>>
>>> On Tue, Sep 29, 2015 at 6:26 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>> That's just the protocol handler.  The output logs are elsewhere:
>>>
>>>>>>  /etc/suricata $ sudo fgrep 'line based log' suricata.yaml
>>>>>>   # a line based log of HTTP requests (no alerts)
>>>>>>   # a line based log of TLS handshake parameters (no alerts)
>>>>>>   # a line based log of DNS requests and/or replies (no alerts)
>>>>>>   # a line based log to used with pcap file study.
>>>
>>> There are also rules to alert on protocol events:
>>>
>>>>>> decoder-events.rules
>>>>>> http-events.rules
>>>>>> smtp-events.rules
>>>>>> stream-events.rules
>>>>>> tls-events.rules
>>>
>>> -Coop
>>>
>>> On 9/29/2015 9:17 AM, Michał Purzyński wrote:
>>>>>> Thanks a bunch.
>>>>>>
>>>>>> I've enabled everything as in
>>>>>>
>>>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>>>>>>
>>>>>> And I don't see any extra log messages when Suricata start, should I
>>>>>> get any? Looks like not, at least that's what I understand reading the
>>>>>> code.
>>>>>>
>>>>>> Patterns are buried in the C code, an interesting thing for grep for is
>>>>>>
>>>>>> grep -E RegisterPatter app-layer-*
>>>>>>
>>>
>>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
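As an added illustration of the check Peter suggests (this script is not from the thread or from the Suricata project), the snippet below parses the "key = value" lines that `suricata --dump-config` prints and reports the state of every app-layer parser. The sample dump is constructed here to resemble that output so the script runs without Suricata installed; the key names and the yes/no/detection-only values follow the app-layer.protocols section of suricata.yaml, but the specific protocols and settings in the sample are assumed, not taken from anyone's real configuration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Suricata.
# Summarises which app-layer parsers a Suricata build reports as enabled,
# using the "key = value" lines printed by `suricata --dump-config`.

# Constructed sample modelled on `suricata --dump-config` output.
# It is embedded so the script runs offline; the values are assumptions.
SAMPLE_DUMP='app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp.default-config.request-body-limit = 3072
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.ssh.enabled = no
app-layer.protocols.ftp.enabled = detection-only
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.msn.enabled = detection-only
outputs.1.eve-log.enabled = yes'

# Read a config dump on stdin and print "<protocol> <state>" for every
# app-layer.protocols.<name>.enabled key. Only parser toggles match;
# other app-layer keys (ports, libhtp limits) are ignored.
applayer_states() {
    sed -n 's/^app-layer\.protocols\.\([^ ]*\)\.enabled = \(.*\)$/\1 \2/p'
}

# Print the protocols whose parser is in the given state
# (yes, no or detection-only), one per line.
protocols_in_state() {
    applayer_states | awk -v s="$1" '$2 == s { print $1 }'
}

# Count the protocols in the given state (avoids wc's leading whitespace).
count_in_state() {
    protocols_in_state "$1" | awk 'END { print NR }'
}

# Exit 0 only if the named parser is fully enabled ("yes");
# "detection-only" and "no" both fail, since neither produces app-layer logs.
# Usage: printf '%s\n' "$SAMPLE_DUMP" | is_enabled tls
is_enabled() {
    test "$(applayer_states | awk -v p="$1" '$1 == p { print $2 }')" = "yes"
}

# Stand-alone run: summarise the constructed sample.
# Against a live install replace the printf with: suricata --dump-config
printf '%s\n' "$SAMPLE_DUMP" | applayer_states | sort
```

Piping the real dump through the same functions gives the per-parser picture the thread was after: a parser that shows up as `detection-only` is recognised but produces no application-layer log or rule keyword data, which is the case that a plain `grep app-layer` on the startup log will not reveal.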


