From be372ce39ddca13dc62224b52e2a48bd9b45c74d Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Tue, 25 Feb 2025 12:00:36 +0530 Subject: [PATCH] doc: explain priority port setting Ticket 7329 --- doc/userguide/configuration/suricata-yaml.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 24e782177c..37dff61acc 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -679,6 +679,9 @@ has values which can be managed by the user. inspection-recursion-limit: 3000 stream-tx-log-limit: 4 guess-applayer-tx: no + grouping: + tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + udp-priority-ports: 53, 135, 5060 At all of these options, you can add (or change) a value. Most signatures have the adjustment to focus on one direction, meaning @@ -724,6 +727,13 @@ app-layer keywords. If enabled, AND ONLY ONE LIVE TRANSACTION EXISTS, that transaction's data will be added to the alert metadata. Note that this may not be the expected data, from an analyst's perspective. +The ``grouping`` option allows user to define the most seen ports +on their network using ``tcp-priority-ports`` and ``udp-priority-ports`` +settings to benefit from the internal signature groups created by Suricata. +The engine shall then try to club the rules that use the ports defined +in groups of their own and put them on top of the list of rules to be matched +against traffic on "priority". + *Example 4 Detection-engine grouping tree* .. image:: suricata-yaml/grouping_tree.png -- 2.47.2
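Review bot: the `grouping:` block added to the `detect` excerpt (hunk at `@@ -679`) shows the shipped default port lists but nothing in the hunk says they are defaults; the very next context line, "At all of these options, you can add (or change) a value.", makes them read like arbitrary examples. Add a short note that `53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080` and `53, 135, 5060` are the defaults, and state which forms a list entry may take (the excerpt only shows single ports, so a reader cannot tell whether ranges are accepted).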
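Review bot: the new paragraph (hunk at `@@ -724`) describes the mechanism loosely and has grammar problems: "allows user" should be "allows the user", "club the rules" is colloquial and should be "group the rules", and "put them on top of the list of rules to be matched against traffic on "priority"" suggests rules are re-ordered, which grouping does not do. Suggest: "The ``grouping`` option lets the user list the ports most commonly seen on their network in ``tcp-priority-ports`` and ``udp-priority-ports``. Rules that use one of these ports are kept in a signature group of their own instead of being merged with other port groups, so the engine spends its group budget on the traffic that matters most." It would also help to cross-reference the `custom-values` group limits in the same `detect` section, since they are what forces the merging in the first place.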
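To make the effect of `tcp-priority-ports` concrete, here is an added example (not part of the patch and not Suricata's own code) that parses the header of a few constructed rules, counts how many rules name each destination port, and then applies a deliberately simplified model of the grouping merge step: when there are more distinct port groups than a limit (standing in for `detect.custom-values.toserver-groups`), priority ports keep a dedicated group and every other port collapses into one shared group. The `PORT_VARS` table, the rules, and the `max_groups` value are all assumptions; the real engine's scoring is more involved, but the model shows why listing the ports your rules and traffic actually use matters, and `unlisted_busy_ports()` reports the rule-heavy ports you have not listed.

```python
"""Model of how detect.grouping priority ports shape Suricata port groups.

Added example, not Suricata source. The merge model below is a
simplification of the engine's grouping stage, kept only to illustrate
the point of the tcp-priority-ports setting.
"""
import re
from collections import Counter

# Constructed port variables, standing in for the vars: section of suricata.yaml.
PORT_VARS = {
    "$HTTP_PORTS": "[80,8080]",
    "$SSH_PORTS": "22",
    "$DNS_PORTS": "53",
}

# Same values as the documented tcp-priority-ports default.
TCP_PRIORITY_PORTS = {53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080}

# Constructed rules (not taken from any real ruleset).
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"http a"; sid:1;)
alert tcp any any -> any [80,443] (msg:"web b"; sid:2;)
alert tcp any any -> $HOME_NET 445 (msg:"smb c"; sid:3;)
alert tcp any any -> $HOME_NET 3389 (msg:"rdp d"; sid:4;)
alert tcp any any -> $HOME_NET 9000:9010 (msg:"custom range e"; sid:5;)
alert tcp any any -> $HOME_NET 9999 (msg:"custom f"; sid:6;)
alert tcp any any -> $HOME_NET any (msg:"any port g"; sid:7;)
alert udp any any -> $HOME_NET $DNS_PORTS (msg:"dns h"; sid:8;)
alert tcp any any -> $HOME_NET 9999 (msg:"custom i"; sid:9;)
"""

# action proto src sport dir dst dport ( ... )
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\(")


def expand_ports(spec):
    """Return the set of ports a port spec names, or None for 'any'.

    Handles $variables, [a,b] lists and low:high ranges. Negated specs
    are treated as 'any' here, which is a simplification of the real parser.
    """
    spec = spec.strip()
    if spec.startswith("$"):
        spec = PORT_VARS[spec]
    if spec == "any" or spec.startswith("!"):
        return None
    ports = set()
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            sub = expand_ports(item)
            if sub is None:
                return None
            ports |= sub
        elif item.startswith("!"):
            return None
        elif ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_rules(text):
    """Yield (proto, dst_ports) for each rule header; dst_ports is None for 'any'."""
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            yield m.group(2), expand_ports(m.group(7))


def rules_per_port(text, proto="tcp"):
    """Count rules per destination port for one protocol ('any' counted under None)."""
    counts = Counter()
    for p, ports in parse_rules(text):
        if p != proto:
            continue
        if ports is None:
            counts[None] += 1
        else:
            counts.update(ports)
    return counts


def plan_port_groups(counts, priority_ports, max_groups):
    """Simplified merge model: with more distinct ports than max_groups,
    priority ports (then the busiest others) keep dedicated groups and the
    rest share one group. Returns (dedicated_ports, merged_ports)."""
    ports = [p for p in counts if p is not None]
    if len(ports) <= max_groups:
        return sorted(ports), []
    ranked = sorted(ports, key=lambda p: (p in priority_ports, counts[p]), reverse=True)
    keep = max_groups - 1  # one slot reserved for the shared group
    return sorted(ranked[:keep]), sorted(ranked[keep:])


def unlisted_busy_ports(counts, priority_ports, top=3):
    """Rule-heavy ports missing from the priority list: candidates to add."""
    busy = [(p, n) for p, n in counts.items() if p is not None and p not in priority_ports]
    busy.sort(key=lambda x: (-x[1], x[0]))
    return busy[:top]


if __name__ == "__main__":
    counts = rules_per_port(RULES)
    # max_groups=6 stands in for a small detect.custom-values.toserver-groups.
    print("dedicated/merged:", plan_port_groups(counts, TCP_PRIORITY_PORTS, 6))
    print("busy but unlisted:", unlisted_busy_ports(counts, TCP_PRIORITY_PORTS))
```

With the constructed rules and a group limit of 6, the five priority ports in use (80, 443, 445, 3389, 8080) keep their own groups while the twelve custom ports share one, even though 9999 has more rules than most of them; raising the limit to 25 gives every port its own group and the priority list stops mattering, which is the trade-off the setting exists for.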