mirror of https://github.com/OISF/suricata
cybersecurityidsintrusion-detection-systemintrusion-prevention-systemipsnetwork-monitornetwork-monitoringnsmsecuritysuricatathreat-hunting
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
b84d6d402f
Instead of the binary yes/no whitelisting used so far, use different
values for different sorts of whitelist reasons. The port list will
be sorted by whitelist value first, then by rule count.
The goal is to whitelist groups that have weak sigs:
- 1 byte pattern groups
- SYN sigs
Rules that check for SYN packets are mostly scan detection rules.
They will be checked often as SYN packets are very common.
e.g. alert tcp any any -> any 22 (flags:S,12; sid:123;)
This patch adds whitelisting for SYN-sigs, so that the sigs end up
in as unique groups as possible.
- negated mpm sigs
Currently negated mpm sigs are inspected often, so they are quite
expensive. For this reason, try to whitelist them.
These values are set during 'stage 1', rule preprocessing.
|
9 years ago | |
|---|---|---|
| benches | ||
| contrib | 10 years ago | |
| doc | ||
| lua | ||
| m4 | ||
| qa | 9 years ago | |
| rules | 10 years ago | |
| scripts | 10 years ago | |
| src | 9 years ago | |
| .gitignore | ||
| .travis.yml | 10 years ago | |
| COPYING | 10 years ago | |
| ChangeLog | 9 years ago | |
| LICENSE | 10 years ago | |
| Makefile.am | 10 years ago | |
| Makefile.cvs | ||
| acsite.m4 | ||
| autogen.sh | ||
| classification.config | ||
| config.rpath | ||
| configure.ac | 9 years ago | |
| doxygen.cfg | ||
| reference.config | ||
| suricata.yaml.in | 9 years ago | |
| threshold.config | ||