[Oisf-users] Can Suri detect protocols on non-standard ports?

Duane Howard duane.security at gmail.com
Tue Aug 19 15:04:02 UTC 2014


I'm still learning a bit about the Suricata engine, and it seems that
protocol inspection is done without defining ports for each protocol
(unlike Snort and its individual preprocessors). I'm wondering if there's a
way to leverage this fact to alert on protocol usage on 'non-standard'
ports. Could you write a simple rule that said something like, alert when
the HTTP uri buffer is set on !HTTP_PORTS? Or something similar? I'm
interested in tracking protocol anomalies to correlate with various other
alerts from other systems.

./d
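As an added illustration of the question above (not part of the original post or of the Suricata project): Suricata's app-layer detection works independently of the port, so the mismatch the poster describes can be surfaced either in a rule (for example `alert http any any -> any !$HTTP_PORTS (...)`, or a protocol-agnostic `alert tcp` rule using the `app-layer-protocol:http;` keyword) or after the fact from the EVE JSON log, where every `flow` and `alert` record carries `app_proto` and `dest_port`. The script below takes the second route: it reads constructed eve.json lines and flags flows whose detected application protocol appears on a port where it is not expected. The `EXPECTED_PORTS` table is an assumption standing in for the port variables one would set in suricata.yaml; the sample log lines are constructed for the example.

```python
import json

# Assumed mapping of app-layer protocol -> ports where that protocol is
# "expected" (hypothetical; mirrors HTTP_PORTS-style variables in suricata.yaml).
EXPECTED_PORTS = {
    "http": {80, 8080},
    "tls": {443},
    "ssh": {22},
    "dns": {53},
    "smtp": {25, 587},
}


def is_nonstandard(event):
    """True if the event's detected app-layer protocol sits on an unexpected port.

    Events with no app_proto, or where detection failed, are not flagged;
    protocols with no entry in EXPECTED_PORTS are not flagged either.
    """
    proto = event.get("app_proto")
    if not proto or proto == "failed":
        return False
    expected = EXPECTED_PORTS.get(proto)
    if expected is None:
        return False
    return event.get("dest_port") not in expected


def find_anomalies(lines):
    """Scan eve.json lines; return (src_ip, dest_ip, dest_port, app_proto)
    for every flow/alert record whose protocol is on a non-standard port."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated/garbled log lines rather than abort
        if ev.get("event_type") not in ("flow", "alert"):
            continue
        if is_nonstandard(ev):
            results.append((ev["src_ip"], ev["dest_ip"], ev["dest_port"], ev["app_proto"]))
    return results


# Constructed sample eve.json records (one JSON object per line, as Suricata writes them).
SAMPLE_EVE = """
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http"}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":4444,"proto":"TCP","app_proto":"http"}
{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","app_proto":"tls"}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":2222,"proto":"TCP","app_proto":"ssh"}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":53,"proto":"UDP","app_proto":"dns"}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":9999,"proto":"TCP","app_proto":"failed"}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":31337,"proto":"TCP"}
{"event_type":"stats","uptime":120}
{"event_type":"flow","src_ip":"10.0.0.1","dest_ip":"203.0.113.2","dest_port":
"""


if __name__ == "__main__":
    for src, dst, port, proto in find_anomalies(SAMPLE_EVE.splitlines()):
        print(f"{proto} seen on non-standard port {port}: {src} -> {dst}")
```

Feeding the real eve.json to `find_anomalies` (for example with `open("/var/log/suricata/eve.json")`) gives the same protocol-on-unexpected-port events that a port-negated rule would raise inline, which is convenient for correlating with other systems' alerts as the poster intends.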