[Oisf-users] Can Suri detect protocols on non-standard ports?

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 19 17:03:05 UTC 2014



Yes! But I'm not positive of the syntax; I believe it's something like
this:

alert tcp any any -> any !$HTTP_PORTS (msg:"HTTP on non-standard port"; app-layer-protocol:http; sid:1; rev:1;)

Make sure you update the HTTP_PORTS variable in your suricata.yaml if
needed.

-Coop

On 8/19/2014 8:04 AM, Duane Howard wrote:
> I'm still learning a bit about the Suricata engine, and it seems that
> protocol inspection is done without defining ports for each protocol
> (unlike snort and its individual preprocessors). I'm wondering if
> there's a way to leverage this fact to alert on protocol usage on
> 'non-standard' ports? Could you write a simple rule that said something
> like, alert when the HTTP uri buffer is set on !HTTP_PORTS? or something
> similar? I'm interested in tracking protocol anomalies to correlate with
> various other alerts from other systems.
> 
> ./d
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
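A small rule set working out the idea from the reply above, added here as an example and not taken from the thread or from the Suricata project's own rule files. It uses the `app-layer-protocol` keyword, which matches on the protocol Suricata's parsers identified for the flow regardless of port, and alerts once per flow via a flowbit so a long connection does not produce one alert per packet. The `$HTTP_PORTS` variable is assumed to be defined under `vars: port-groups:` in suricata.yaml; the ports 22 and 443 are written literally because the default yaml has no variable for them; the sid range 9000001-9000004 and the `LOCAL PROTO` message prefix are hypothetical local conventions.

```suricata
# Added example rules (not from the original post): flag application-layer
# protocols that Suricata detects on ports where you do not expect them.
# Assumptions: $HTTP_PORTS is defined in suricata.yaml; sids 9000001-9000004
# are a local range chosen for this example.

# HTTP on a port outside $HTTP_PORTS. flowbits:isnotset + flowbits:set
# makes the rule fire once per flow instead of once per matching packet.
alert tcp any any -> any !$HTTP_PORTS (msg:"LOCAL PROTO HTTP on non-standard port"; flow:to_server,established; app-layer-protocol:http; flowbits:isnotset,local.http_nonstd; flowbits:set,local.http_nonstd; classtype:protocol-command-decode; sid:9000001; rev:1;)

# The inverse check: traffic on an HTTP port that the parser says is NOT HTTP
# (e.g. a tunnel or a raw TCP backdoor hiding on 80).
alert tcp any any -> any $HTTP_PORTS (msg:"LOCAL PROTO non-HTTP traffic on HTTP port"; flow:to_server,established; app-layer-protocol:!http; flowbits:isnotset,local.nonhttp_on_http; flowbits:set,local.nonhttp_on_http; classtype:protocol-command-decode; sid:9000002; rev:1;)

# SSH anywhere except 22, a common sign of an SSH tunnel or reverse shell.
alert tcp any any -> any !22 (msg:"LOCAL PROTO SSH on non-standard port"; flow:to_server,established; app-layer-protocol:ssh; flowbits:isnotset,local.ssh_nonstd; flowbits:set,local.ssh_nonstd; classtype:protocol-command-decode; sid:9000003; rev:1;)

# TLS outside 443.
alert tcp any any -> any !443 (msg:"LOCAL PROTO TLS on non-standard port"; flow:to_server,established; app-layer-protocol:tls; flowbits:isnotset,local.tls_nonstd; flowbits:set,local.tls_nonstd; classtype:protocol-command-decode; sid:9000004; rev:1;)
```

Save the rules as a local file and check that they parse before deploying, e.g. `suricata -T -c /etc/suricata/suricata.yaml -S local.rules`. Two caveats when correlating these alerts with other systems: the alert can only fire once Suricata has seen enough payload to identify the protocol, so it arrives a few packets into the flow rather than on the SYN, and the `app_proto` field in the EVE alert record tells you what the parser actually decided, which is worth logging alongside the rule's `msg`. Also check the protocol's own section under `app-layer: protocols:` in suricata.yaml, since a restrictive `detection-ports` setting there can keep a parser from ever being tried on the non-standard port you are hunting for.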
