<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">Hello,<br>I’ve configured my firewall to mirror SSL-decrypted traffic to a server on which I’m running Suricata 5.0.</p>
<p style="margin:0px 0px 1.2em!important">I cannot trigger any alert on this type of traffic, even though, using Zeek or Wireshark, I can clearly see that the traffic is HTTP (but on port 443).</p>
<p style="margin:0px 0px 1.2em!important">In <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">suricata.yaml</code> I’ve added port 443 to the HTTP_PORTS variable:</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important">port-groups:
    HTTP_PORTS: "[80,81,311,383, 443, ...]"
</code></pre><p style="margin:0px 0px 1.2em!important">Is this setting enough?<br>Is it possible that this setting conflicts with this one in the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">app-layer</code> section?</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important">    tls:
      enabled: yes
      detection-ports:
        dp: 443
</code></pre></div><div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Federico Foschini.</div></div></div>
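The question above hinges on what Suricata's app-layer detection actually decided for the mirrored flows on port 443: the HTTP_PORTS variable only affects rule port matching, so if flows are still being classified as TLS, or as "failed", HTTP rules will never fire regardless of that variable. The following added example (not part of the original post, and not Suricata project code) reads EVE JSON "flow" records and tabulates the app_proto field per destination port, then gives a rough verdict on whether decrypted HTTP is being recognised. It assumes EVE flow logging is enabled; the log lines embedded below are constructed samples using the real EVE field names (event_type, proto, dest_port, app_proto), not records from the poster's sensor.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json "flow" records (not from the original post).
# Field names follow Suricata's EVE flow event format.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4}}',
    '{"timestamp":"2020-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.6","src_port":51001,"dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","app_proto":"failed","flow":{"pkts_toserver":3,"pkts_toclient":2}}',
    '{"timestamp":"2020-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","src_port":51002,"dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":8,"pkts_toclient":7}}',
    '{"timestamp":"2020-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","alert":{"signature":"constructed"}}',
    '{"timestamp":"2020-01-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.8","src_port":51003,"dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5}}',
    '{"timestamp":"2020-01-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.9","src_port":51004,"dest_ip":"10.0.0.80","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5}}',
    '{"timestamp":"2020-01-01T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.10","src_port":51005,"dest_ip":"10.0.0.80","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0}}',
]


def app_proto_by_port(lines, ports=(443,)):
    """Count the app_proto Suricata assigned to each TCP flow on the given dest ports.

    Flow records without an app_proto key are counted as 'unknown': Suricata did
    not reach a protocol decision (e.g. too few packets, or a one-sided flow).
    Returns {dest_port: {app_proto: count}}.
    """
    result = defaultdict(Counter)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines instead of aborting the run
        if ev.get("event_type") != "flow" or ev.get("proto") != "TCP":
            continue  # only flow records carry the final protocol decision
        port = ev.get("dest_port")
        if port not in ports:
            continue
        result[port][ev.get("app_proto", "unknown")] += 1
    return {p: dict(c) for p, c in result.items()}


def decryption_health(counts, port=443):
    """Summarise the protocol decisions for decrypted-TLS mirror traffic on `port`.

    On a mirror that carries decrypted traffic, nearly every flow on 443 should be
    'http'. A large share of 'tls' means the mirror still carries ciphertext;
    many 'failed'/'unknown' flows mean the parser never saw a clean session start
    (possible causes include midstream pickup or packets the sensor rejects).
    """
    c = counts.get(port, {})
    total = sum(c.values())
    if total == 0:
        return {"total": 0, "http_ratio": 0.0, "verdict": "no flows on port"}
    http_ratio = c.get("http", 0) / total
    if http_ratio >= 0.9:
        verdict = "decrypted HTTP recognised"
    elif c.get("tls", 0) / total >= 0.5:
        verdict = "mostly still TLS: mirror not decrypted"
    else:
        verdict = "protocol detection failing on many flows"
    return {"total": total, "http_ratio": round(http_ratio, 2), "verdict": verdict}


if __name__ == "__main__":
    # Real use: replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json")
    counts = app_proto_by_port(SAMPLE_EVE_LINES)
    print(counts)
    print(decryption_health(counts))
```

Run against a real eve.json, the per-port breakdown tells you which side of the problem you are on: if the 443 flows come back as "http", the app-layer detection is fine and the rule side (HTTP_PORTS, rule port lists) is where to look; if they come back as "tls", "failed" or without an app_proto, the parser never recognised the decrypted stream, and changing HTTP_PORTS alone will not produce alerts.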