<div dir="ltr">Thanks Michal, Cooper. This is exactly what I wanted. I did not know about app-layer filtering. Teach a man to fish and all that.<div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 27, 2017 at 11:53 AM, Michał Purzyński <span dir="ltr"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I second that<br><br><a href="https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d" target="_blank">https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d<br></a><div><div class="h5"><br><br><br>On Mon, Nov 27, 2017 at 5:42 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>> wrote:<br>><br>> I use these to good effect...<br>><br>> > alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443<br>> > outbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls;<br>> > prefilter; sid:8;)<br>> > alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL Port 443<br>> > inbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls;<br>> > prefilter; sid:9;)<br>><br>> On 11/27/2017 8:26 AM, erik clark wrote:<br>> > My question is, is there a fast way to say "This isn't tls on a tls<br>> > port" without mucking around with bytes at given offsets and<br>> > what have you? It is clearly not tls, so I would think suri has a way to<br>> > inspect for that?<br>><br>><br>> --<br>> Cooper Nelson<br>> Network Security Analyst<br>> UCSD ITS Security Team<br>> <a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>><br>><br>><br></div></div>> _______________________________________________<br>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>><br>> Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>> Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></div>
</blockquote></div><br></div>
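<p>The rules quoted in the thread lean on Suricata's <code>app-layer-protocol:!tls</code> keyword, which means the engine, not the rule author, decides whether the first client-to-server bytes are TLS. The script below is an added example (not code from the thread, the gist, or the Suricata project) showing the byte-level evidence that decision rests on, so an analyst can sanity-check what an alert from sid 8 or sid 9 is asserting against a captured payload. The function names and the sample payloads are constructed for this illustration; the record-layer and handshake-header layout follows the TLS RFCs.</p>

```python
"""
Added example: classify the first client->server bytes of a TCP/443 flow
as "tls" or "not-tls", mirroring the evidence behind Suricata's
app-layer-protocol:!tls match (flow:to_server in the quoted rules means
only the client's opening bytes are inspected).

Not part of the mailing-list thread or of Suricata; the payloads in
SAMPLE_FLOWS are constructed for illustration.
"""
import struct
from typing import Dict

TLS_RECORD_HANDSHAKE = 0x16     # record-layer content type for handshake
TLS_HS_CLIENT_HELLO = 0x01      # handshake message type for ClientHello
TLS_MAX_RECORD_LEN = 16384 + 2048  # plaintext max plus allowed expansion


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if `payload` starts with a plausible TLS ClientHello.

    Checks performed:
      * 5-byte record header: type 0x16, major version 3 (SSL 3.0 through
        TLS 1.3 all put 0x03 on the wire), minor version 0..4
      * record length within the protocol maximum and at least a
        4-byte handshake header
      * handshake type 0x01 (ClientHello)
    A ClientHello may legitimately span several records, so the handshake
    length is not required to fit inside the first record.
    """
    if len(payload) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_RECORD_HANDSHAKE:
        return False
    if major != 0x03 or minor > 0x04:
        return False
    if rec_len < 4 or rec_len > TLS_MAX_RECORD_LEN:
        return False
    return payload[5] == TLS_HS_CLIENT_HELLO


def classify_flows(flows: Dict[str, bytes]) -> Dict[str, str]:
    """Map each named payload to "tls" or "not-tls" (what the quoted rules
    would consider a hit)."""
    return {
        name: ("tls" if looks_like_tls_client_hello(p) else "not-tls")
        for name, p in flows.items()
    }


# Constructed sample payloads (first client->server bytes of a flow).
SAMPLE_FLOWS: Dict[str, bytes] = {
    # TLS 1.2 ClientHello prefix: record hdr (16 03 01 00 c1), handshake
    # hdr (01 00 00 bd), client_version (03 03), 32-byte random.
    "tls_client_hello": bytes.fromhex("1603010 0c1010000bd0303".replace(" ", ""))
    + b"\x00" * 32,
    # Plain HTTP sent to port 443: the case sid 8 / sid 9 are meant to catch.
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # SSH banner on port 443: also not TLS.
    "ssh_on_443": b"SSH-2.0-OpenSSH_7.4\r\n",
    # Too short to carry a record header plus handshake header.
    "truncated": b"\x16\x03",
}


if __name__ == "__main__":
    for name, verdict in classify_flows(SAMPLE_FLOWS).items():
        print(f"{name:18s} {verdict}")
```

<p>Running the script prints <code>tls</code> only for the constructed ClientHello and <code>not-tls</code> for the HTTP, SSH and truncated payloads. Two caveats worth keeping in mind when tuning the quoted rules: Suricata waits until it has seen enough of the stream to decide the protocol, so a flow that is cut off before that point will not alert, and a flow that is TLS but non-standard (for example, a record version the parser rejects) will show up as a hit.</p>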