<p dir="ltr">Hi</p>
<p dir="ltr">This from a earlier post on the list</p>
<p dir="ltr">alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";<br>
flow:to_server; app-layer-protocol:!tls; sid:991003;)</p>
<p dir="ltr">Regards, <br>
Lysemose </p>
<div class="gmail_quote">On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I need a rule that detects Non SSL traffic over TCP 443 Port.</div><div><br></div><div>I tried this rule, but it matches both SSL and Non SSL traffic.</div><div>alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic "; app-layer-protocol:!tls;)<br></div><div><br></div><div>What is wrong with this rule?</div><div><br></div><div>Best Regards,</div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br></blockquote></div>