doc: explain priority port setting

Ticket 7329

diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index 24e782177cfc3427872fb2b859c536c569c5dc35..37dff61acc228d93f2bbd1f6c1a1df2a2dff2eca 100644 (file)
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -679,6 +679,9 @@ has values which can be managed by the user.
     inspection-recursion-limit: 3000
     stream-tx-log-limit: 4
     guess-applayer-tx: no
+    grouping:
+      tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+      udp-priority-ports: 53, 135, 5060
 
 At all of these options, you can add (or change) a value. Most
 signatures have the adjustment to focus on one direction, meaning
@@ -724,6 +727,13 @@ app-layer keywords. If enabled, AND ONLY ONE LIVE TRANSACTION EXISTS, that
 transaction's data will be added to the alert metadata. Note that this may not
 be the expected data, from an analyst's perspective.
 
+The ``grouping`` option allows user to define the most seen ports
+on their network using ``tcp-priority-ports`` and ``udp-priority-ports``
+settings to benefit from the internal signature groups created by Suricata.
+The engine shall then try to club the rules that use the ports defined
+in groups of their own and put them on top of the list of rules to be matched
+against traffic on "priority".
+
 *Example 4     Detection-engine grouping tree*
 
 .. image:: suricata-yaml/grouping_tree.png