Question about port-groups and vpn configuration


New suricata user here! Having a fun time configuring suricata on my workstation. Learning a whole bunch!

I am running a VPN and have a question about the configuration. Unfortunately I’m not to experienced in networking and am in need of some help.

What are the ports under port-groups? Are these the selected ports that are being included in monitoring?


The values in the port-groups section are “variables”. The variables are substituted as rules are parsed and loaded. If a rule doesn’t refer to them, then they’re not used.

Here’s an example rule snippet that refers to 3 DNP rule variables:

alert tcp $DNP3_SERVER $DNP3_PORTS -> $DNP3_CLIENT any ( .... ) 
1 Like