These are used by rules. A rule may look something like alert http any any -> any $HTTP_PORTS ... This is the basic starting point of tuning the rules to your environment. If you run HTTP servers on other ports, you should add them, likewise for other services.
Hello,
Thank you so much for your reply.
1- I read it. If I like, I can enter the IP address of the operating system on which Suricata-IDS is installed in the appropriate place. For example, if Suricata-IDS is installed on a Linux host, then:
host-os-policy:
  linux: [My_Suricata-IDS_Host_IP]
Am I right?
2- Are things like HTTP_PORTS, SHELLCODE_PORTS, etc. the same as variables? I mean, can I rename HTTP_PORTS to APACHE_PORTS and then write the rule like this:
This is about hosts you are protecting. Not the host running Suricata. If you are monitoring Linux and Windows hosts, you could break them out here so different re-assembly policies are applied. AFAIK, most users do not change this from the defaults.
You could change them, but rules from rule providers are going to depend on some of these variables to be set. If you change their names, you’re likely to break rules.
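To illustrate both answers above, here is an added suricata.yaml fragment that is not part of this thread or of the Suricata project's own shipped configuration. It keeps the standard variable names (so rules from rule providers keep working) and widens HTTP_PORTS for a site that also serves HTTP on 8080 and 8443, and it sets host-os-policy for the monitored hosts rather than for the sensor itself. The 10.0.0.0/8 ranges and the two server addresses are constructed sample values.

```yaml
# Added example (not from the thread): tuning Suricata variables to the monitored environment.
vars:
  address-groups:
    # The networks Suricata is protecting (constructed sample ranges).
    HOME_NET: "[10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"

  port-groups:
    # Keep the provider-expected name HTTP_PORTS; extend it instead of renaming it.
    # A rule such as  alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (...)
    # will now also inspect traffic to 8080 and 8443.
    HTTP_PORTS: "[80,8080,8443]"
    # Any port that is not a known HTTP port; rule providers use this for shellcode rules.
    SHELLCODE_PORTS: "!$HTTP_PORTS"
    SSH_PORTS: 22

# Reassembly policy per monitored host OS (not the OS of the sensor running Suricata).
# Unlisted hosts fall back to the windows entry, which matches everything.
host-os-policy:
  windows: [0.0.0.0/0]
  # Constructed sample addresses of two Linux servers inside HOME_NET.
  linux: [10.0.1.20, 10.0.1.21]
  bsd: []
  bsd-right: []
  old-linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
```

After editing, run `suricata -T -c /etc/suricata/suricata.yaml` to validate the configuration and the rule set before restarting the sensor; a renamed variable such as APACHE_PORTS would show up there as rule load errors for every provider rule that still references $HTTP_PORTS.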