<div dir="ltr">I second that<br><br><a href="https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d">https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d</a><br><br><br><br>On Mon, Nov 27, 2017 at 5:42 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>><br>> I use these to good effect...<br>><br>> > alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 outbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:8;)<br>> > alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL Port 443 inbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:9;)<br>><br>> On 11/27/2017 8:26 AM, erik clark wrote:<br>> > My question is, is there a fast way to say "This isn't tls on a tls<br>> > port" without mucking around with bytes at given offsets and<br>> > whathaveyou? It is clearly not tls, so I would think suri has a way to<br>> > inspect for that?<br>><br>><br>> --<br>> Cooper Nelson<br>> Network Security Analyst<br>> UCSD ITS Security Team<br>> <a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>><br>><br>><br>> _______________________________________________<br>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>> Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a><br>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>><br>> Conference: <a href="https://suricon.net">https://suricon.net</a><br>> Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></div>
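The decision that `app-layer-protocol:!tls` in the quoted rules relies on, as an added example that is not from the thread and not Suricata's own code: a byte-level probe in Python that classifies the first bytes a client sends to port 443 as a TLS ClientHello, as something else, or as undetermined when too little data has been seen. The sample payloads are constructed for illustration.

```python
"""Added example (not from the thread or Suricata): a TLS ClientHello probe
of the kind an IDS's app-layer detection performs before a rule such as
`app-layer-protocol:!tls` can fire. Sample payloads are constructed."""
import struct

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
# Record-layer versions seen on the wire: SSL 3.0 through TLS 1.2 (TLS 1.3 reuses 0x0303).
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the first bytes sent to the server parse as a TLS
    handshake record carrying a ClientHello. Needs the 5-byte record header
    plus the 4-byte handshake header (9 bytes)."""
    if len(payload) < 9:
        return False
    content_type, version, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    # Record length must be plausible: non-zero and within the 16 KiB limit.
    if rec_len == 0 or rec_len > 16384:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # Handshake message must be a ClientHello and must fit inside the record.
    return hs_type == TLS_CLIENT_HELLO and hs_len + 4 <= rec_len

def classify_port443_flow(to_server: bytes) -> str:
    """Mimic the decision behind `app-layer-protocol:!tls` on a port-443 flow:
    'tls' for a TLS ClientHello, 'not-tls' for anything else with enough
    bytes, and 'undetermined' when too little has been seen (an IDS likewise
    does not alert until protocol detection has concluded)."""
    if len(to_server) < 9:
        return "undetermined"
    return "tls" if looks_like_tls_client_hello(to_server) else "not-tls"

# Constructed samples: a minimal TLS 1.2 ClientHello header, plaintext HTTP,
# and an SSH banner, all as if sent to port 443.
SAMPLES = {
    "client_hello": bytes.fromhex("160301002a010000260303") + b"\x00" * 38,
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_7.4\r\n",
    "short": b"\x16\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} -> {classify_port443_flow(data)}")
```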