Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Victor Julien b84d6d402f detect grouping: multiple whitelist conditions
Instead of the binary yes/no whitelisting used so far, use different
values for different sorts of whitelist reasons. The port list will
be sorted by whitelist value first, then by rule count.

The goal is to whitelist groups that have weak sigs:

 - 1 byte pattern groups

 - SYN sigs

    Rules that check for SYN packets are mostly scan detection rules.
    They will be checked often as SYN packets are very common.

    e.g. alert tcp any any -> any 22 (flags:S,12; sid:123;)

    This patch adds whitelisting for SYN-sigs, so that the sigs end up
    in groups that are as unique as possible.

 - negated mpm sigs

    Currently negated mpm sigs are inspected often, so they are quite
    expensive. For this reason, try to whitelist them.

These values are set during 'stage 1', rule preprocessing.
9 years ago
benches
contrib suri-graphite: add output to file option 10 years ago
doc Fix make distcheck on CentOS 5.11 11 years ago
lua output-lua: add SCPacketTimeString 11 years ago
m4
qa hyperscan: add DrMemory suppressions 9 years ago
rules rules: add rules for TLS SNI app layer events 9 years ago
scripts app-layer setup scripts: enable new modules on copy 10 years ago
src detect grouping: multiple whitelist conditions 9 years ago
.gitignore unittest: make check use a qa/log dir for logging 12 years ago
.travis.yml travis: set CFLAGS to error on cc warnings 10 years ago
COPYING GPL license sync with official gpl-2.0.txt 10 years ago
ChangeLog Update Changelog for 3.0.1 9 years ago
LICENSE GPL license sync with official gpl-2.0.txt 10 years ago
Makefile.am build: install app-layer-events.rules 10 years ago
Makefile.cvs
acsite.m4
autogen.sh OpenBSD 5.2 build fixes, Unit test fix. 13 years ago
classification.config
config.rpath Add file needed for some autotools version. 12 years ago
configure.ac Open Suricata 3.1 development branch 9 years ago
doxygen.cfg doxygen: add source browser 11 years ago
reference.config Update reference.config 11 years ago
suricata.yaml.in mpm: remove obsolete mpm algos 9 years ago
threshold.config