<div dir="ltr">That sounds incredibly useful.  To expand on this a bit... If I were to do the following:<div><br><div><span style="font-family:arial,sans-serif;font-size:13px">alert tcp any any -> any any (app-layer-protocol:!http; sid:1;)</span><br>
</div></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">What rules govern if it's actually http or not?  Is it full blown RFC compliance or just checking for some subset?</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Cheers,</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">Dan</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Aug 22, 2013 at 12:30 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Wed, Aug 21, 2013 at 9:58 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> See subject.  I know the TLS decoder can check for issues with certs and<br>
> the SSL handshake, but I just want to know if a flow is *not* ssl at all.<br>
><br>
<br>
</div>Suricata's protocol detection works regardless of the port the flow is on.<br>
<br>
Coming to detecting if a flow is not ssl, we will be introducing a<br>
keyword shortly (work done, needs to be pushed) that would allow you to<br>
write rules like<br>
<br>
alert tcp any any -> any any (app-layer-protocol:!tls; sid:1;)<br>
<br>
Which will match on flows as long as they are not tls.<br>
<br>
You can track it here - <a href="https://redmine.openinfosecfoundation.org/issues/727" target="_blank">https://redmine.openinfosecfoundation.org/issues/727</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
-------------------------------<br>
Anoop Saldanha<br>
<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>
-------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>
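Added example (not code from the thread, from Suricata, or from either poster): a small Python illustration of the two points made above, that application-layer detection is based on what the first payload bytes look like rather than on the port, and that a negated app-layer-protocol:!tls style check matches every flow whose detected protocol is anything other than tls. The classification rules (TLS handshake record header for tls, a request line with a known method and "HTTP/1." for http) are deliberately simplified assumptions for illustration and do not describe Suricata's actual detector; the sample flows are constructed.

```python
"""Port-independent app-layer protocol detection and a negated
app-layer-protocol match, as an illustration of the idea discussed in
the thread. Added example; the rules below are simplified assumptions,
not Suricata's implementation."""

# Assumption: a request line beginning with one of these methods and
# carrying "HTTP/1." is treated as http.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def detect_app_layer(payload: bytes) -> str:
    """Classify the first bytes a client sends on a TCP flow.

    tls:  TLS record type 0x16 (handshake), major version 0x03, and a
          handshake type of 0x01 (ClientHello) at offset 5.
    http: request line starting with a known method and containing "HTTP/1.".
    Anything else is "unknown" (a real detector would keep probing).
    """
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        first_line = payload.split(b"\r\n", 1)[0]
        if b" HTTP/1." in first_line:
            return "http"
    return "unknown"


def app_layer_protocol_matches(detected: str, spec: str) -> bool:
    """Evaluate an app-layer-protocol:<spec> style condition.

    "tls" matches only flows detected as tls; "!tls" matches any flow whose
    detected protocol is not tls (including "unknown").
    """
    negate = spec.startswith("!")
    wanted = spec.lstrip("!")
    return (detected != wanted) if negate else (detected == wanted)


def find_matches(flows, dst_port, spec):
    """Return the ids of flows to dst_port whose detected protocol satisfies spec.

    The port is only used to select which flows a rule applies to; the
    protocol decision itself never looks at the port.
    """
    hits = []
    for flow in flows:
        if flow["dport"] != dst_port:
            continue
        if app_layer_protocol_matches(detect_app_layer(flow["payload"]), spec):
            hits.append(flow["id"])
    return hits


# Constructed sample flows (first client payload of each flow).
SAMPLE_FLOWS = [
    # TLS ClientHello record header on 443 (truncated, constructed bytes)
    {"id": "f1", "dport": 443, "payload": bytes.fromhex("160301004a01000046030300")},
    # Plaintext HTTP on 443: not tls, so app-layer-protocol:!tls fires
    {"id": "f2", "dport": 443, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    # TLS ClientHello on an unusual port: still detected as tls
    {"id": "f3", "dport": 8080, "payload": bytes.fromhex("160301004a01000046030300")},
    # Bytes matching neither protocol on 443: "unknown", so !tls fires too
    {"id": "f4", "dport": 443, "payload": b"\x00\x00\x00\x05hello"},
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["id"], flow["dport"], detect_app_layer(flow["payload"]))
    print("non-TLS flows to 443:", find_matches(SAMPLE_FLOWS, 443, "!tls"))
    print("TLS flows to 8080:", find_matches(SAMPLE_FLOWS, 8080, "tls"))
```

Running it shows f2 and f4 reported as non-TLS traffic to 443 while f3 is recognised as TLS on 8080, which is the behaviour the thread describes: detection follows the payload, and the negated keyword catches everything that is not the named protocol, including flows the detector cannot classify at all.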