aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: remove references to prehistoric versions

Browse Source 
Remove references that are mentioning Suricata 3 or less
As a note - only one Suricata 4 reference found:
(suricata-yaml.rst:"In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting
SupportFastPatternForSigMatchList and SigTableSetup functions.

Ticket: #6570
pull/10204/head
Lukas Sismis 2 years ago committed by Victor Julien
parent 2a2898053c
commit 6e4cc79b39
3 changed files with 17 additions and 76 deletions
Show Stats Download Patch File Download Diff File

17
doc/userguide/configuration/suricata-yaml.rst
Unescape Escape View File

@ -643,9 +643,9 @@ For setting the option sgh-mpm-context, you can choose from auto, full
or single. The default setting is 'auto', meaning Suricata selects or single. The default setting is 'auto', meaning Suricata selects
full or single based on the algorithm you use. 'Full' means that every full or single based on the algorithm you use. 'Full' means that every
group has its own MPM-context, and 'single' that all groups share one group has its own MPM-context, and 'single' that all groups share one
MPM-context. The two algorithms ac and ac-gfbs are new in 1.03. These MPM-context. The algorithm "ac" uses a single MPM-context if the
algorithms use a single MPM-context if the Sgh-MPM-context setting is Sgh-MPM-context setting is 'auto'. The rest of the algorithms use full
'auto'. The rest of the algorithms use full in that case. in that case.
The inspection-recursion-limit option has to mitigate that possible The inspection-recursion-limit option has to mitigate that possible
bugs in Suricata cause big problems. Often Suricata has to deal with bugs in Suricata cause big problems. Often Suricata has to deal with
@ -1287,7 +1287,7 @@ the default behavior).
Each supported protocol has a dedicated subsection under ``protocols``. Each supported protocol has a dedicated subsection under ``protocols``.
Asn1_max_frames (new in 1.0.3 and 1.1) Asn1_max_frames
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Asn1 (`Abstract Syntax One Asn1 (`Abstract Syntax One
@ -1860,14 +1860,15 @@ Default Log Format
~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
A logging line exists of two parts. First it displays meta information A logging line exists of two parts. First it displays meta information
(thread id, date etc.), and finally the actual log message. Example: (Log-level, Suricata module), and finally the actual log message. Example:
:: ::
[27708] 15/10/2010 -- 11:40:07 - (suricata.c:425) <Info> (main) This is Suricata version 1.0.2 i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode
(Here the part until the is the meta info, "This is Suricata 1.0.2" (Here the part until the second `:` is the meta info,
is the actual message.) "This is Suricata version 7.0.2 RELEASE running in USER mode" is the actual
message.)
It is possible to determine which information will be displayed in It is possible to determine which information will be displayed in
this line and (the manner how it will be displayed) in which format it this line and (the manner how it will be displayed) in which format it

2
doc/userguide/output/custom-http-logging.rst
Unescape Escape View File

@ -1,8 +1,6 @@
Custom http logging Custom http logging
=================== ===================
As of Suricata 1.3.1 you can enable a custom http logging option.
In your Suricata.yaml, find the http-log section and edit as follows: In your Suricata.yaml, find the http-log section and edit as follows:

74
doc/userguide/rules/fast-pattern-explained.rst
Unescape Escape View File

@ -17,25 +17,23 @@ The fast_pattern selection criteria are as follows:
#. Suricata first identifies all content matches that have the highest #. Suricata first identifies all content matches that have the highest
"priority" that are used in the signature. The priority is based "priority" that are used in the signature. The priority is based
off of the buffer being matched on and generally 'http_*' buffers off of the buffer being matched on and generally application layer buffers
have a higher priority (lower number is higher priority). See have a higher priority (lower number is higher priority). The buffer
:ref:`Appendix B <fast-pattern-explained-appendix-b>` for details `http_method` is an exception and has lower priority than the general
on which buffers have what priority. `content` buffer.
#. Within the content matches identified in step 1 (the highest #. Within the content matches identified in step 1 (the highest
priority content matches), the longest (in terms of character/byte priority content matches), the longest (in terms of character/byte
length) content match is used as the fast pattern match. length) content match is used as the fast pattern match.
#. If multiple content matches have the same highest priority and #. If multiple content matches have the same highest priority and
qualify for the longest length, the one with the highest qualify for the longest length, the one with the highest
character/byte diversity score ("Pattern Strength") is used as the character/byte diversity score ("Pattern Strength") is used as the
fast pattern match. See :ref:`Appendix C fast pattern match. See :ref:`Appendix A
<fast-pattern-explained-appendix-c>` for details on the algorithm <fast-pattern-explained-appendix-a>` for details on the algorithm
used to determine Pattern Strength. used to determine Pattern Strength.
#. If multiple content matches have the same highest priority, qualify #. If multiple content matches have the same highest priority, qualify
for the longest length, and the same highest Pattern Strength, the for the longest length, and the same highest Pattern Strength, the
buffer ("list_id") that was *registered last* is used as the fast buffer ("list_id") that was *registered last* is used as the fast
pattern match. See :ref:`Appendix B pattern match.
<fast-pattern-explained-appendix-b>` for the registration order of
the different buffers/lists.
#. If multiple content matches have the same highest priority, qualify #. If multiple content matches have the same highest priority, qualify
for the longest length, the same highest Pattern Strength, and have for the longest length, the same highest Pattern Strength, and have
the same list_id (i.e. are looking in the same buffer), then the the same list_id (i.e. are looking in the same buffer), then the
@ -52,63 +50,7 @@ Appendices
.. _fast-pattern-explained-appendix-a: .. _fast-pattern-explained-appendix-a:
Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4 Appendix A - Pattern Strength Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This should be pretty much the same for Suricata 1.1.x - 1.4.x.
======= ============================== ======================== ==================
list_id Content Modifier Keyword Buffer Name Registration Order
======= ============================== ======================== ==================
1 <none> (regular content match) DETECT_SM_LIST_PMATCH 1 (first)
2 http_uri DETECT_SM_LIST_UMATCH 2
6 http_client_body DETECT_SM_LIST_HCBDMATCH 3
7 http_server_body DETECT_SM_LIST_HSBDMATCH 4
8 http_header DETECT_SM_LIST_HHDMATCH 5
9 http_raw_header DETECT_SM_LIST_HRHDMATCH 6
10 http_method DETECT_SM_LIST_HMDMATCH 7
11 http_cookie DETECT_SM_LIST_HCDMATCH 8
12 http_raw_uri DETECT_SM_LIST_HRUDMATCH 9
13 http_stat_msg DETECT_SM_LIST_HSMDMATCH 10
14 http_stat_code DETECT_SM_LIST_HSCDMATCH 11
15 http_user_agent DETECT_SM_LIST_HUADMATCH 12 (last)
======= ============================== ======================== ==================
Note: registration order doesn't matter when it comes to determining the fast pattern match for Suricata 1.3.4 but list_id value does.
.. _fast-pattern-explained-appendix-b:
Appendix B - Buffers, list_id values, Priorities, and Registration Order for Suricata 2.0.7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This should be pretty much the same for Suricata 2.0.x.
========================================== ================== ============================== ============================= =======
Priority (lower number is higher priority) Registration Order Content Modifier Keyword Buffer Name list_id
========================================== ================== ============================== ============================= =======
3 11 <none> (regular content match) DETECT_SM_LIST_PMATCH 1
3 12 http_method DETECT_SM_LIST_HMDMATCH 12
3 13 http_stat_code DETECT_SM_LIST_HSCDMATCH 9
3 14 http_stat_msg DETECT_SM_LIST_HSMDMATCH 8
2 1 (first) http_client_body DETECT_SM_LIST_HCBDMATCH 4
2 2 http_server_body DETECT_SM_LIST_HSBDMATCH 5
2 3 http_header DETECT_SM_LIST_HHDMATCH 6
2 4 http_raw_header DETECT_SM_LIST_HRHDMATCH 7
2 5 http_uri DETECT_SM_LIST_UMATCH 2
2 6 http_raw_uri DETECT_SM_LIST_HRUDMATCH 3
2 7 http_host DETECT_SM_LIST_HHHDMATCH 10
2 8 http_raw_host DETECT_SM_LIST_HRHHDMATCH 11
2 9 http_cookie DETECT_SM_LIST_HCDMATCH 13
2 10 http_user_agent DETECT_SM_LIST_HUADMATCH 14
2 15 (last) dns_query DETECT_SM_LIST_DNSQUERY_MATCH 20
========================================== ================== ============================== ============================= =======
Note: list_id value doesn't matter when it comes to determining the
fast pattern match for Suricata 2.0.7 but registration order does.
.. _fast-pattern-explained-appendix-c:
Appendix C - Pattern Strength Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From detect-engine-mpm.c. Basically the Pattern Strength "score" From detect-engine-mpm.c. Basically the Pattern Strength "score"

Write Preview
Loading…
Cancel
Save