Suricata XDP code has been tested with 4.13.10 but 4.15 or later is necessary to use all
features like the CPU redirect map.
-If you are using an Intel netword card, you will need to stay with in tree kernel NIC drivers.
+If you are using an Intel network card, you will need to stay with in tree kernel NIC drivers.
The out of tree drivers do not contain the XDP support.
Having a network card with support for RSS symmetric hashing is a good point or you will have to
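Review bot: while this line is being touched, the phrase "stay with in tree kernel NIC drivers" reads ambiguously; hyphenating it as "in-tree kernel NIC drivers" (and "out-of-tree drivers" on the following line) makes it clear that "in-tree" is the adjective, not "within".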
When applied to a specific signature, thresholds and event_filters
(threshold from now on) will override the signature setting. This can
be useful for when the default in a signature doesn't suit your
-evironment.
+environment.
::
Basic steps::
- tar xzvf suricata-4.1.0.tar.gz
+ tar xzvf suricata-4.1.2.tar.gz
cd suricata-4.1.0
./configure
make
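Review bot: the version bump is incomplete. The tarball line now says `suricata-4.1.2.tar.gz`, but the next step still reads `cd suricata-4.1.0`, so the directory the reader is told to enter is not the one the archive extracts to. Update it to `cd suricata-4.1.2` in the same change so the steps stay consistent.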
Match on packets that have been reassembled by the stream engine.
no_stream
Match on packets that have not been reassembled by the stream
- engine. Will not match packets that have been reeassembled.
+ engine. Will not match packets that have been reassembled.
only_frag
Match packets that have been reassembled from fragments.
no_frag
----------
Inspect the start of a HTTP request or response. This will contain the
-request/reponse line plus the request/response headers. Use flow:to_server
+request/response line plus the request/response headers. Use flow:to_server
or flow:to_client to force inspection of request or response.
Example::
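Review bot: minor style point in the same paragraph: "Inspect the start of a HTTP request or response" should be "an HTTP request or response".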
changing it has no technical implications. You can only notice it in
the alert.
-Example of gid in an alert of fast.log. In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev).
+Example of gid in an alert of fast.log. In the part [1:2008124:2], 1 is the gid (2008124 is the sid and 2 the rev).
.. container:: example-rule
metadata
--------
-The meatadata keyword allows additional, non-functional information to
+The metadata keyword allows additional, non-functional information to
be added to the signature. While the format is free-form, it is
recommended to stick to key, value pairs as Suricata can include these
in eve alerts. The format is::
distance:-10; sid:9000000; rev:1;)
You see ``content:!”Firefox/3.6.13”;``. This means an alert will be
-generated if the the used version of Firefox is not 3.6.13.
+generated if the used version of Firefox is not 3.6.13.
.. note:: The following characters must be escaped inside the content:
``;`` ``\`` ``"``
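Review bot: the quotation marks in ``content:!”Firefox/3.6.13”;`` are typographic quotes (”) rather than the ASCII double quote Suricata expects, so a reader who copies this keyword into a rule gets a parse error; replace them with plain `"` while fixing this line. This matters all the more because the note right below lists `"` among the characters that need escaping inside content.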
tls.subject:"CN=*.googleusercontent.com"
-Case sensitve, can't use 'nocase'.
+Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_subject`` is the replacement.
tls.issuerdn:!"CN=Google-Internet-Authority"
-Case sensitve, can't use 'nocase'.
+Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_issuer`` is the replacement.