[Oisf-users] Does suricata have a facility for detecting non-SSL traffic on port 443?

Anoop Saldanha anoopsaldanha at gmail.com
Thu Aug 22 04:30:57 UTC 2013

On Wed, Aug 21, 2013 at 9:58 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Hash: SHA1
> See subject.  I know the TLS decoder can check for issues with certs and
> the SSL handshake, but I just want to know if a flow is *not* ssl at all.

Suricata's protocol detection works regardless of the port the flow is on.

Coming to detecting if a flow is not ssl, we will be introducing a
keyword shortly(work done, needs to be pushed) that would allow you to
write rules like

alert tcp any any -> any any (app-layer-protocol:!tls; sid:1;)

Which will match on flows as long as it is not tls.

You can track it here - https://redmine.openinfosecfoundation.org/issues/727

Anoop Saldanha

More information about the Oisf-users mailing list