Decode, stream, app-layer event rules


I just downloaded the ET-open rules and to my surprise I do not see any decode-event, stream-event and app-layer-event rules which used to be available in earlier rulesets. Is there any recent changes and specific reason to remove those rules? Basically I want to check all protocol anomaly check/decoder events for my traffic so thought of using these rules. Any suggestions…


It seems these rules are shipped with source code itself and handled as different events. Am I correct?

There are some rules in the ET set that use those options but because configurations vary so widely, we don’t tend to use them.

I believe to look at protocol anomaly type traffic the SURICATA rules that are available would be good for that. (i.e. suricata/rules at master · OISF/suricata · GitHub). I am not sure offhand if they are enabled by default though.


The event rules are part of Suricata itself, yes. You can enable them solely or alongside with the ET set for example.

Thanks Andreas. That means any new such events will come with next suricata release and not as daily updates.

No, since they’re (mostly) not related to specific attacks but more targeted towards issues within the traffic itself.