From: Shivani Bhardwaj Date: Tue, 25 Feb 2025 06:30:36 +0000 (+0530) Subject: doc: explain priority port setting X-Git-Tag: suricata-8.0.0-beta1~258 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be372ce39ddca13dc62224b52e2a48bd9b45c74d;p=thirdparty%2Fsuricata.git doc: explain priority port setting Ticket 7329 --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 24e782177c..37dff61acc 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -679,6 +679,9 @@ has values which can be managed by the user. inspection-recursion-limit: 3000 stream-tx-log-limit: 4 guess-applayer-tx: no + grouping: + tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + udp-priority-ports: 53, 135, 5060 At all of these options, you can add (or change) a value. Most signatures have the adjustment to focus on one direction, meaning @@ -724,6 +727,13 @@ app-layer keywords. If enabled, AND ONLY ONE LIVE TRANSACTION EXISTS, that transaction's data will be added to the alert metadata. Note that this may not be the expected data, from an analyst's perspective. +The ``grouping`` option allows user to define the most seen ports +on their network using ``tcp-priority-ports`` and ``udp-priority-ports`` +settings to benefit from the internal signature groups created by Suricata. +The engine shall then try to club the rules that use the ports defined +in groups of their own and put them on top of the list of rules to be matched +against traffic on "priority". + *Example 4 Detection-engine grouping tree* .. image:: suricata-yaml/grouping_tree.png