
<div dir="ltr">that sounds incredibly useful.  To expand on this a bit... If I were to do the following:<div><br><div><span style="font-family:arial,sans-serif;font-size:13px">alert tcp any any -> any any (app-layer-protocol:!http; sid:1;)</span><br>

</div></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">What rules govern if it's actually http or not?  Is it full blown RFC compliance or just checking for some subset?</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Cheers,</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px">Dan</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">

On Thu, Aug 22, 2013 at 12:30 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class="im">On Wed, Aug 21, 2013 at 9:58 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>

> -----BEGIN PGP SIGNED MESSAGE-----<br>

> Hash: SHA1<br>

><br>

> See subject.  I know the TLS decoder can check for issues with certs and<br>

> the SSL handshake, but I just want to know if a flow is *not* ssl at all.<br>

><br>

<br>

</div>Suricata's protocol detection works regardless of the port the flow is on.<br>

<br>

Coming to detecting if a flow is not ssl, we will be introducing a<br>

keyword shortly(work done, needs to be pushed) that would allow you to<br>

write rules like<br>

<br>

alert tcp any any -> any any (app-layer-protocol:!tls; sid:1;)<br>

<br>

Which will match on flows as long as it is not tls.<br>

<br>

You can track it here - <a href="https://redmine.openinfosecfoundation.org/issues/727" target="_blank">https://redmine.openinfosecfoundation.org/issues/727</a><br>

<span class="HOEnZb"><font color="#888888"><br>

--<br>

-------------------------------<br>

Anoop Saldanha<br>

<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>

-------------------------------<br>

</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>

</div></div></blockquote></div><br></div>