Annual Developer Training in Paris – September 2016

This year’s annual developer training event (September 12 – 16, 2016 in Paris, France) will teach you how to extend Suricata’s features and functionalities. You will also have direct access to the Suricata’s developers for questions and help.

Want know more?  Check out the agenda:

Each day each of the major topics below will be started with a lecture, then a walk through followed by an exercise. During the days there will be plenty of time for questions and discussion.

Day 1

  • Introduction into Suricata development… we will go into development tools and procedures. We will give a high-level overview of the Suricata architecture, of debugging techniques, QA, etc.
  • Building a packet decoder – packet decoders are low-level parsers for L2, L3 and L4 protocols. Think about ethernet, vlan, IP or TCP.

Day 2

  • Creating a simple detection module – simple low-level detection keywords that inspects properties of individual packets. Such keywords are used to inspect fields like TCP flags. As an extension of this, we’ll look into the Lua detection API.
  • App Layer – the app layer API is the primary way of dealing with L7 protocols such as HTTP, TLS, etc. These parsers run on top of TCP (with stream reassembly) and UDP. The API has many aspects so we’ll spend quite a bit of time on this.

Day 3

  • App Layer Decoder – implement a basic parser, hook it into the engine and take care of things like memory management, transaction handling, error handling, exception handling. Reporting on bad & non-compliant traffic.

Day 4

  • App Layer Logger – dive into the logging API, with hooking a logger for the new protocol parser into the EVE json output. Additionally, exposing the new protocol to the Lua output API.
  • App Layer Detection – when parsing a protocol often the goal is to expose parts of it to the detection engine. This is about hooking the detection logic into the engine. It will also address things like normalization of data.

Day 5

  • Detection keywords using string/array buffers can be hooked into the Multi Pattern Matcher (MPM) engine for optimal performance.
  • Awesome Q&A Session !


Who should come? Attendees are expected to have C coding experience and at least a basic understanding of what Suricata does and how to run it.

What should I bring? Bring a laptop which can be connected to wired and wifi networks, and that has VirtualBox installed. The trainers will provide a VirtualBox image for development and QA. Make sure you have sufficient permissions on the laptop for setting up a new virtual machine.

What if I already attended last year? The Copenhagen edition of the development training worked with the Suricata 3.0 development branch. The Paris edition will work with the 3.2 development branch.

Some of the key differences what will be addressed:

  • locking changes (simplification)
  • general API updates and changes
  • App layer API updates
  • MPM keywords API has been introduced
  • QA updates


Register before July 15th and receive a $500 discount – Early Bird Registration