<div dir="ltr">Hi, <div><br></div><div>Now with the "alert" action, it alerts for all traffic.</div><div>When I browse "<a href="https://www.google.com">https://www.google.com</a>", the rule alerts.</div><div><br></div><div>There is something wrong, but I cannot catch it.</div><div><br></div><div>Thank you</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 26, 2014 at 8:54 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Does it work when its just an "alert" rule?<br>
<br>
The code to do this is relatively new and it may not work when used<br>
inline or as a drop rule, as it's tagging a flow vs. a specific packet.<br>
<br>
-Coop<br>
<span class=""><br>
On 11/26/2014 10:35 AM, Özkan KIRIK wrote:<br>
> Hi,<br>
><br>
> I tried now. But it still matches both SSL and Non SSL traffic.<br>
> I am using Suricata 2.0 IPS mode on FreeBSD.<br>
><br>
> My exact rule is :<br>
> drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not<br>
> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)<br>
><br>
> When this rule is activated, browsers cannot receive https certificates.<br>
><br>
> Any ideas?<br>
> Thank you<br>
><br>
> On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <<a href="mailto:lysemose@gmail.com">lysemose@gmail.com</a><br>
</span><span class="">> <mailto:<a href="mailto:lysemose@gmail.com">lysemose@gmail.com</a>>> wrote:<br>
><br>
>     Hi<br>
><br>
>     This is from an earlier post on the list:<br>
><br>
>     alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";<br>
>     flow:to_server; app-layer-protocol:!tls; sid:991003;)<br>
><br>
>     Regards,<br>
>     Lysemose<br>
><br>
>     On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a><br>
</span><span class="">>     <mailto:<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>>> wrote:<br>
><br>
>         Hi,<br>
><br>
>         I need a rule that detects Non SSL traffic over TCP 443 Port.<br>
><br>
>         I tried this rule, but it matches both SSL and Non SSL traffic.<br>
>         alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";<br>
>         app-layer-protocol:!tls;)<br>
><br>
>         What is wrong with this rule?<br>
><br>
>         Best Regards,<br>
><br>
>         _______________________________________________<br>
>         Suricata IDS Users mailing list:<br>
>         <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
</span>>         <mailto:<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>><br>
<span class="">>         Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>         <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>         List:<br>
>         <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>         Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
><br>
><br>
><br>
><br>
><br>
<br>
<br>
</span>--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
</blockquote></div><br></div>
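A small triage script, added here as an example and not taken from the thread or from the Suricata project: it reads EVE JSON alerts for sid 991003 and sorts them by the application protocol Suricata eventually settled on for the flow, which separates the early-packet matches Cooper describes (the flow was TLS after all) from genuine non-TLS traffic on port 443. It assumes EVE JSON output with an `app_proto` field on alert and flow records, which the Suricata 2.0 sensor in this thread may not provide, and it runs over constructed sample records.

```python
import json
from collections import defaultdict

# Constructed EVE JSON records (not from a real sensor). Assumes the
# "app_proto" field found in newer Suricata EVE output; the 2.0 sensor in
# the thread may not emit it, so treat its presence as an assumption.
SAMPLE_EVE = r'''
{"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":991003,"signature":"SURICATA Port 443 but not SSL/TLS"},"app_proto":"tls"}
{"event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","alert":{"signature_id":991003,"signature":"SURICATA Port 443 but not SSL/TLS"},"app_proto":"http"}
{"event_type":"alert","src_ip":"10.0.0.6","src_port":51002,"dest_ip":"203.0.113.12","dest_port":443,"proto":"TCP","alert":{"signature_id":991003,"signature":"SURICATA Port 443 but not SSL/TLS"},"app_proto":"failed"}
{"event_type":"alert","src_ip":"10.0.0.7","src_port":51003,"dest_ip":"203.0.113.13","dest_port":443,"proto":"TCP","alert":{"signature_id":991003,"signature":"SURICATA Port 443 but not SSL/TLS"}}
{"event_type":"alert","src_ip":"10.0.0.7","src_port":51004,"dest_ip":"203.0.113.14","dest_port":443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"unrelated constructed rule"},"app_proto":"http"}
{"event_type":"flow","src_ip":"10.0.0.6","src_port":51002,"dest_ip":"203.0.113.12","dest_port":443,"proto":"TCP","app_proto":"tls"}
'''

UNDETERMINED = (None, "failed", "unknown")   # detection gave no usable verdict

def flow_key(rec):
    """5-tuple identifying the flow an alert or flow record belongs to."""
    return (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["proto"])

def triage_port443_alerts(eve_text, sid=991003):
    """Bucket alerts for `sid` by what protocol detection finally settled on.

    protocol_was_tls: the flow turned out to be TLS, so the rule fired on an
        early packet before detection completed (the noise the thread describes).
    non_tls: detection settled on another protocol, a genuine plaintext-on-443 hit.
    undetermined: detection failed or the field is absent; needs pcap review.
    """
    flow_proto, alerts = {}, []
    for line in eve_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_type") == "flow" and rec.get("app_proto"):
            flow_proto[flow_key(rec)] = rec["app_proto"]   # final verdict for the flow
        elif rec.get("event_type") == "alert" and rec["alert"]["signature_id"] == sid:
            alerts.append(rec)
    buckets = defaultdict(list)
    for rec in alerts:
        key = flow_key(rec)
        proto = rec.get("app_proto")
        if proto in UNDETERMINED:
            proto = flow_proto.get(key, proto)   # the flow record may know better
        if proto == "tls":
            buckets["protocol_was_tls"].append(key)
        elif proto in UNDETERMINED:
            buckets["undetermined"].append(key)
        else:
            buckets["non_tls"].append(key)
    return dict(buckets)
```

Point it at a real eve.json (one JSON object per line) and the `protocol_was_tls` bucket is the share of 991003 alerts that the thread's drop rule would have cut off mid-handshake.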