
<div dir="ltr">Hi, <div><br></div><div>Now with "alert" action, it alerts for all traffic.</div><div>When I browse "<a href="https://www.google.com">https://www.google.com</a>."  rule alerts.</div><div><br></div><div>There is something wrong but i cannot catch.</div><div><br></div><div>Thank you</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 26, 2014 at 8:54 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

Does it work when its just an "alert" rule?<br>

<br>

The code to do this is relatively new and it may not work when used<br>

inline or as a drop rule, as it's tagging a flow vs. a specific packet.<br>

<br>

- -Coop<br>

<span class=""><br>

On 11/26/2014 10:35 AM, Özkan KIRIK wrote:<br>

> Hi,<br>

><br>

> I tried now. But It still matches both SSL and Non SSL traffic.<br>

> I am using Suricata 2.0 IPS mode on FreeBSD.<br>

><br>

> My exact rule is :<br>

> drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not<br>

> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)<br>

><br>

> when this rule is actived, browsers cannot receive https certificates.<br>

><br>

> Any ideas ?<br>

> Thank you<br>

><br>

> On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <<a href="mailto:lysemose@gmail.com">lysemose@gmail.com</a><br>

</span><span class="">> <mailto:<a href="mailto:lysemose@gmail.com">lysemose@gmail.com</a>>> wrote:<br>

><br>

>     Hi<br>

><br>

>     This from a earlier post on the list<br>

><br>

>     alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";<br>

>     flow:to_server; app-layer-protocol:!tls; sid:991003;)<br>

><br>

>     Regards,<br>

>     Lysemose<br>

><br>

>     On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a><br>

</span><span class="">>     <mailto:<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>>> wrote:<br>

><br>

>         Hi,<br>

><br>

>         I need a rule that detects Non SSL traffic over TCP 443 Port.<br>

><br>

>         I tried this rule, but it matches both SSL and Non SSL traffic.<br>

>         alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";<br>

>         app-layer-protocol:!tls;)<br>

><br>

>         What is wrong with this rule?<br>

><br>

>         Best Regards,<br>

><br>

>         _______________________________________________<br>

>         Suricata IDS Users mailing list:<br>

>         <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

</span>>         <mailto:<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>><br>

<span class="">>         Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>

>         <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

>         List:<br>

>         <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

>         Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>

><br>

><br>

><br>

><br>

> _______________________________________________<br>

> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>

><br>

<br>

<br>

</span>- --<br>

Cooper Nelson<br>

Network Security Analyst<br>

UCSD ACT Security Team<br>

<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v2.0.17 (MingW32)<br>

<br>

iQEcBAEBAgAGBQJUdiH5AAoJEKIFRYQsa8FWvGMIAJCIs5rbYREsue8T4DCtJxx+<br>

0ipZmDapdkIMJfm27eGGg6dKU7D0D16NGrUKZCBb2sUHz7xSJpS/p0OqHrWOwlac<br>

HNM7X79QNgPAl8Z/s35qu5WVMmHNgvIIaVL9hSx6ofsQCusARPhmQl4qHCQ2X6Yj<br>

TSD1IrlF6mXcgH8K67RjcQ5/Q9EGmPw6uepKXBe7Rc7OVL0Shju3xbwH4bWnvxh1<br>

2iJv5ux9zBgXIIIhAP3IgxkhLANZQZacR/Sizwv8wN7FG9NLCLvo7dcbQaCAVA9H<br>

PPA/EFNEQS6t5W626pxcgS0eWlUI2c2qtuNw+sgEaGZUpZuE8tkYrO4kzLoDxMA=<br>

=gUQv<br>

-----END PGP SIGNATURE-----<br>

</blockquote></div><br></div>