AppLayerYaml

The app-layer part of the YAML configuration, with the different possible layouts.

These currently live under:

app-layer:
  protocols:

Considerations:
  1. limit nesting levels. YAML is unforgiving with syntax errors.
  2. enable/disable each protocol and its protocol detection code
  3. KISS
  4. we could consider using 'include' for the app layer, although that really only moves the problem around

1. tree where the ipproto is the root

app-layer:
  tcp:
    tls:
      enabled: yes
      detection-ports:
        toserver: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        toserver: 139
    dns:
      enabled: yes
      detection-ports:
        toserver: 53
    http:
      enabled: yes
  udp:
    dns:
      enabled: yes
      detection-ports:
        toserver: 53

2. alproto is the root; for multi-ipproto cases we split out per ipproto under the alproto

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        toserver: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        toserver: 139
    dns:
      tcp:
        enabled: yes
        detection-ports:
          toserver: 53
      udp:
        enabled: yes
        detection-ports:
          toserver: 53
    http:
      enabled: yes

3. alproto is the root; for multi-ipproto cases we just split the alproto itself (dns-tcp, dns-udp)

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 139
    dns-tcp:
      enabled: yes
      detection-ports:
        tcp:
          toserver: 53
    dns-udp:
      enabled: yes
      detection-ports:
        udp:
          toserver: 53
    http:
      enabled: yes
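As an added example (not Suricata's code), the following flattens layout 2 into one record per (alproto, ipproto) pair and validates the values, which is the check a loader for that layout needs; the minimal parser, the accepted `enabled` set, and the assumption that a protocol without tcp/udp sub-keys is TCP-only are this example's own.

```python
# Constructed input: layout 2 from this page, trimmed to two protocols.
LAYOUT2 = """\
app-layer:
  protocols:
    tls:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          toserver: 53
      udp:
        enabled: detection-only
        detection-ports:
          toserver: 53
"""
IPPROTOS = ("tcp", "udp")
ENABLED_VALUES = ("yes", "no", "detection-only")  # this example's accepted set

def parse_mapping(text):
    """Parse the page's subset (nested mappings, scalar leaves) into dicts.
    Leaves stay strings, so 'yes' is not coerced to True as YAML 1.1 would."""
    root = {}
    stack = [(-1, root)]                        # (indent, mapping) frames
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:           # pop frames this line closes
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def normalise(config):
    """Flatten to (alproto, ipproto, enabled, toserver port) records; a protocol
    without tcp/udp sub-keys is taken as TCP-only (this example's assumption)."""
    records = []
    for alproto, body in config["app-layer"]["protocols"].items():
        split = {k: v for k, v in body.items() if k in IPPROTOS} or {"tcp": body}
        for ipproto, settings in split.items():
            enabled = settings.get("enabled", "no")
            port = settings.get("detection-ports", {}).get("toserver")
            if enabled not in ENABLED_VALUES or (port is not None and not port.isdigit()):
                raise ValueError(f"{alproto}/{ipproto}: enabled={enabled!r} port={port!r}")
            records.append((alproto, ipproto, enabled, int(port) if port else None))
    return records
```

A real loader would use PyYAML instead of `parse_mapping`, but note that a YAML 1.1 loader turns `enabled: yes` into a boolean, so the `enabled` check must accept `True` as well as `"detection-only"`.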