[Oisf-users] Does suricata have a facility for detecting non-SSL traffic on port 443?

Dan Murphy dmurphy at defense.net
Thu Aug 22 05:00:00 UTC 2013


That sounds incredibly useful.  To expand on this a bit... If I were to do
the following:

alert tcp any any -> any any (app-layer-protocol:!http; sid:1;)

What rules govern if it's actually http or not?  Is it full blown RFC
compliance or just checking for some subset?


Cheers,
Dan



On Thu, Aug 22, 2013 at 12:30 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> On Wed, Aug 21, 2013 at 9:58 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > See subject.  I know the TLS decoder can check for issues with certs and
> > the SSL handshake, but I just want to know if a flow is *not* ssl at all.
> >
>
> Suricata's protocol detection works regardless of the port the flow is on.
>
> Coming to detecting if a flow is not ssl, we will be introducing a
> keyword shortly (work done, needs to be pushed) that would allow you to
> write rules like
>
> alert tcp any any -> any any (app-layer-protocol:!tls; sid:1;)
>
> which will match on flows as long as they are not tls.
>
> You can track it here -
> https://redmine.openinfosecfoundation.org/issues/727
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
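As an added illustration (not Suricata's code, and not part of the original thread), the following Python models the idea behind the reply above: the application-layer protocol of a flow is decided from its first client bytes, independently of the port, and a rule such as `app-layer-protocol:!tls` then matches whenever the decided protocol is not TLS. As I understand it, Suricata's real detection combines pattern matching on the first bytes with probing parsers and is far more thorough than this; the byte checks, the `matches_rule` helper and the sample flows here are my own constructed simplifications.

```python
# Added illustration, not Suricata's code: a minimal model of port-independent
# application-layer protocol detection, followed by the kind of check that
#   alert tcp any any -> any 443 (app-layer-protocol:!tls; sid:1;)
# expresses. Real Suricata detection (pattern matching plus probing parsers)
# is more thorough; the byte tests below are a deliberate simplification.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def detect_protocol(payload: bytes) -> str:
    """Classify a flow from its first client-to-server bytes.

    The destination port is deliberately not an input: the point of the
    keyword is that detection works regardless of port.
    Returns "tls", "http", "ssh" or "unknown".
    """
    # TLS: record type 0x16 (handshake), record version major byte 0x03,
    # and a ClientHello (handshake type 0x01) as the first message.
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    # HTTP: a request line that starts with a method token and carries an
    # HTTP/1.x version before the first CRLF.
    request_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    # SSH identification string (RFC 4253).
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def matches_rule(dst_port: int, payload: bytes, port: int, negated_proto: str) -> bool:
    """Model of: alert tcp any any -> any <port> (app-layer-protocol:!<negated_proto>;)

    Matches when the flow goes to <port> and its detected protocol is
    anything other than <negated_proto> (including "unknown").
    """
    return dst_port == port and detect_protocol(payload) != negated_proto


# Constructed sample flows: (destination port, first client bytes).
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301005a010000560303") + b"\x00" * 8),  # TLS ClientHello on 443
    (443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),        # plaintext HTTP on 443
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                             # SSH tunnelled over 443
    (8443, bytes.fromhex("1603010200010001fc0303") + b"\x00" * 8), # TLS on a non-standard port
    (80, b"POST /api HTTP/1.1\r\nHost: x\r\n\r\n"),                # ordinary HTTP on 80
]


def non_tls_on_443(flows):
    """Flows that the modelled 'port 443 but not tls' rule would alert on."""
    return [(port, detect_protocol(p)) for port, p in flows
            if matches_rule(port, p, 443, "tls")]


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(f"port {port:>5}: {detect_protocol(payload)}")
    print("alerts:", non_tls_on_443(SAMPLE_FLOWS))
```

Two things the sample flows make visible: the TLS ClientHello on 8443 is still classified as TLS even though nothing about the port suggests it, and the negated match fires on "unknown" just as it does on HTTP or SSH, so a rule written as `app-layer-protocol:!tls` on port 443 will also alert on flows whose protocol could not be decided at all.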