<div dir="ltr">I'm still learning a bit about the Suricata engine, and it seems that protocol inspection is done without defining ports for each protocol (unlike snort and its individual preprocessors). I'm wondering if there's a way to leverage this fact to alert on protocol usage on 'non-standard' ports? Could you write a simple rule that said something like, alert when the HTTP uri buffer is set on !HTTP_PORTS? or something similar? I'm interested in tracking protocol anomalies to correlate with various other alerts from other systems.<div>
<br></div><div>./d</div></div>