Adding new rule keywords to Suricata: Live coding session

  • Published: 5 Jul 2024
  • Suricata rule keywords add more power to our rule language, and make the rule writers' life easier, by offering more ways of matching on network traffic content.
    In Suricata's June 2023 webinar, we learn more about how to add new rule keywords to our detection engine, including:
    Overview of the whole contribution process, from creating a ticket and a new branch to making commits, etc.
    Adding a new Suricata-verify test, taking advantage of existing ones to kickstart the process, and making sure to add a descriptive README file to it
    Step by step on adding the new rule keyword to the Suricata engine, making use of 'git grep' and previous git commits to speed up the process
    Creating nice, informative Suricata-verify and Suricata pull requests to share your contribution with the team
    Keywords added during the webinar:
    flow.pkts_toclient
    flow.pkts_toserver
    Check the RedMine ticket: redmine.openinfosecfoundation...
    Audience: this content is great for those who have an interest in understanding how to add new rule keywords to Suricata; how to add suricata-verify tests for rule keywords; and, of course, how to properly keep all of that under version control while you are at it. Also great for Outreachy participants who would like to contribute to Suricata!
    If you are a rule writer or threat hunter, this can be interesting for you, as well ;)
    Get the presentation slides:
    drive.google.com/file/d/1v-h5...
    Speaker short bio:
    Philippe is a member of the Suricata dev team. He's also the CEO and founder of Catena cyber. He aims to improve the cyberdefense level by freely developing tools for cybersecurity experts. He got his experience in cybersecurity and software development in ANSSI, the French national agency for cybersecurity, and LORIA, a research lab tackling malware, but also abroad: at MIT about bioinformatics and at Infineon in Munich, Germany, debugging VoIP drivers on embedded systems. He graduated from both Ecole Polytechnique and Telecom Paristech.
  • Science

Comments • 2

  • @lertbert6110
    @lertbert6110 1 year ago +2

    Really cool! Thanks!

    • @julianafajardinitech
      @julianafajardinitech 1 year ago

      We're glad you liked it! If you have suggestions for other Suricata webinars, do let us know :)