From f934247a64f5680b11f6a948c90a04e506492b64 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Tue, 25 Feb 2025 12:00:36 +0530 Subject: [PATCH] doc: explain priority port setting Ticket 7329 --- doc/userguide/configuration/suricata-yaml.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 24e782177c..37dff61acc 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -679,6 +679,9 @@ has values which can be managed by the user. inspection-recursion-limit: 3000 stream-tx-log-limit: 4 guess-applayer-tx: no + grouping: + tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + udp-priority-ports: 53, 135, 5060 At all of these options, you can add (or change) a value. Most signatures have the adjustment to focus on one direction, meaning @@ -724,6 +727,13 @@ app-layer keywords. If enabled, AND ONLY ONE LIVE TRANSACTION EXISTS, that transaction's data will be added to the alert metadata. Note that this may not be the expected data, from an analyst's perspective. +The ``grouping`` option allows user to define the most seen ports +on their network using ``tcp-priority-ports`` and ``udp-priority-ports`` +settings to benefit from the internal signature groups created by Suricata. +The engine shall then try to club the rules that use the ports defined +in groups of their own and put them on top of the list of rules to be matched +against traffic on "priority". + *Example 4 Detection-engine grouping tree* .. image:: suricata-yaml/grouping_tree.png
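Review bot: In the first hunk the new `grouping:` block is dropped into the sample config without saying whether `53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080` and `53, 135, 5060` are the values shipped in the default `suricata.yaml` or just illustrative; since the surrounding text says every option here "has values which can be managed by the user", a short clause such as "(the defaults shipped with Suricata)" or "(example values)" next to the snippet would tell readers whether they are looking at a baseline to tune or at a made-up example. It would also help to note the accepted syntax for the list (comma-separated port numbers, as shown) so users do not reach for the `$HTTP_PORTS`-style variables used elsewhere in the file.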
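Review bot: The explanatory paragraph in the second hunk reads awkwardly and leaves the key behaviour underspecified: "allows user to define the most seen ports" should be "allows the user to define the most commonly seen ports", "club the rules" should be "group the rules", and the final phrase "on the list of rules to be matched against traffic on \"priority\"" does not say what the priority actually buys. Suggest rewording along the lines of: "The ``grouping`` option lets the user list the ports most commonly seen on their network via ``tcp-priority-ports`` and ``udp-priority-ports``. Rules that use these ports are placed in dedicated signature groups, which are built and consulted first during matching." The paragraph should also state what happens to rules whose ports are not in the list and whether the ports are matched on the source side, the destination side, or both, since that is what a user tuning the setting needs to know.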