git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Thu, 27 Mar 2014 15:13:08 +0000 (16:13 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 17 Apr 2014 13:32:25 +0000 (15:32 +0200)
commit	eae5b1ba3513d25b5484f1be8a30dfc360fe92b6
tree	03401dab3aaef786f19178a1dfc7e010f98f0270	tree
parent	7b0f1e9512f638e5e78ce3267d75b726433e3397	commit \| diff

app-layer: proto detection update

Instead of the notion of toserver and toclient protocol detection, use
destination port and source port.

Independent of the data direction, the flow's port settings will be used
to find the correct probing parser, where we first try the dest port,
and if that fails the source port.

Update the configuration file format, where toserver is replaced by 'dp'
and toclient by 'sp'. Toserver is intrepreted as 'dp' and toclient as
'sp' for backwards compatibility.

Example for dns:

    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53

Like before, progress of protocol detection is tracked per flow direction.

Bug #1142.

src/app-layer-detect-proto.c		diff \| blob \| blame \| history
suricata.yaml.in		diff \| blob \| blame \| history