[Oisf-users] Does suricata have a facility for detecting non-SSL traffic on port 443?

Anoop Saldanha anoopsaldanha at gmail.com
Thu Aug 22 05:10:34 UTC 2013


Dan,

It would check/match against the protocol obtained from the Suricata
protocol detection phase.  So the more robust the protocol detection,
the greater the validity of the scheme.

On Thu, Aug 22, 2013 at 10:30 AM, Dan Murphy <dmurphy at defense.net> wrote:
> That sounds incredibly useful.  To expand on this a bit... If I were to do
> the following:
>
> alert tcp any any -> any any (app-layer-protocol:!http; sid:1;)
>
> What rules govern if it's actually http or not?  Is it full blown RFC
> compliance or just checking for some subset?
>
>
> Cheers,
> Dan
>
>
>
> On Thu, Aug 22, 2013 at 12:30 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> On Wed, Aug 21, 2013 at 9:58 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>> wrote:
>> >
>> > See subject.  I know the TLS decoder can check for issues with certs and
>> > the SSL handshake, but I just want to know if a flow is *not* ssl at
>> > all.
>> >
>>
>> Suricata's protocol detection works regardless of the port the flow is on.
>>
>> Coming to detecting if a flow is not ssl, we will be introducing a
>> keyword shortly (work done, needs to be pushed) that would allow you to
>> write rules like
>>
>> alert tcp any any -> any any (app-layer-protocol:!tls; sid:1;)
>>
>> Which will match on flows as long as they are not tls.
>>
>> You can track it here -
>> https://redmine.openinfosecfoundation.org/issues/727
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>
>



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
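A small rule file, added here as an example and not taken from the thread, that applies the keyword discussed above to the original question (non-SSL/TLS traffic on port 443). It assumes a Suricata build that ships the `app-layer-protocol` keyword (2.0 and later); the sids and msg strings are placeholders.

```suricata
# Constructed example rules (not from the thread). Requires the
# app-layer-protocol keyword, available in Suricata 2.0 and later.
# The keyword matches against the result of Suricata's own protocol
# detection, which runs on the first payload bytes of a flow regardless
# of port, so the rules are limited to established flows carrying data.

# The original question: a flow on 443 that is not TLS at all.
alert tcp any any -> any 443 (msg:"Non-TLS traffic on port 443"; \
    flow:established,to_server; app-layer-protocol:!tls; \
    classtype:protocol-command-decode; sid:9000001; rev:1;)

# Narrower variant: detection positively identified plaintext HTTP on 443.
alert tcp any any -> any 443 (msg:"Plaintext HTTP on port 443"; \
    flow:established,to_server; app-layer-protocol:http; \
    classtype:protocol-command-decode; sid:9000002; rev:1;)

# Flows where detection finished without recognising any protocol;
# useful to separate "unknown" from "known protocol other than TLS".
alert tcp any any -> any 443 (msg:"Unrecognised protocol on port 443"; \
    flow:established,to_server; app-layer-protocol:failed; \
    classtype:protocol-command-decode; sid:9000003; rev:1;)
```

Because the match depends entirely on protocol detection, a flow that is TLS but starts with bytes the detector does not recognise will still fire the first rule, so treat hits as candidates for review rather than confirmed non-TLS traffic.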


