[Oisf-users] Can Suri detect protocols on non-standard ports?

Victor Julien lists at inliniac.net
Tue Aug 19 17:21:13 UTC 2014


On 08/19/2014 07:03 PM, Cooper F. Nelson wrote:
> Yes!  But I'm not positive of the syntax, I believe it's something like
> this:
> 
> alert tcp any any -> any !HTTP_PORTS (app-layer-protocol:http; sid:1;)
> 
> Make sure you update the HTTP_PORTS variable in your suricata.yaml if
> needed.

I've been having good results with this set:

# tcp
alert tcp any any -> any any (msg:"SURICATA PROTO DETECT mismatch"; app-layer-event: applayer_mismatch_protocol_both_directions; sid:990001;)
alert tcp any any -> any any (msg:"SURICATA PROTO DETECT only one direction detected"; app-layer-event: applayer_detect_protocol_only_one_direction; sid:990002;)
alert tcp any any -> any any (msg:"SURICATA PROTO DETECT first data in wrong direction"; app-layer-event: applayer_wrong_direction_first_data; sid:990003;)
alert tcp any any -> any any (msg:"SURICATA PROTO DETECT proto detect skipped"; app-layer-event: applayer_proto_detection_skipped; sid:990004;)

# udp
alert udp any any -> any any (msg:"SURICATA PROTO DETECT mismatch"; app-layer-event: applayer_mismatch_protocol_both_directions; sid:990005;)
alert udp any any -> any any (msg:"SURICATA PROTO DETECT only one direction detected"; app-layer-event: applayer_detect_protocol_only_one_direction; sid:990006;)
alert udp any any -> any any (msg:"SURICATA PROTO DETECT first data in wrong direction"; app-layer-event: applayer_wrong_direction_first_data; sid:990007;)
alert udp any any -> any any (msg:"SURICATA PROTO DETECT proto detect skipped"; app-layer-event: applayer_proto_detection_skipped; sid:990008;)

# traffic on std protocol ports not recognized
alert tcp any any -> any 80 (msg:"SURICATA Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:991001;)
alert tcp any any -> any 25 (msg:"SURICATA Port 25 but not SMTP"; flow:to_server; app-layer-protocol:!smtp; sid:991002;)
alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)
alert tcp any any -> any 993 (msg:"SURICATA Port 993 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991007;)
alert tcp any any -> any 53 (msg:"SURICATA Port tcp/53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:991004;)
alert udp any any -> any 53 (msg:"SURICATA Port udp/53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:991005;)
alert tcp any any -> any 22 (msg:"SURICATA Port 22 but not SSH"; flow:to_server; app-layer-protocol:!ssh; sid:991006;)

# protocols on non-std ports
alert tcp any any -> any !80 (msg:"SURICATA HTTP not port 80"; flow:to_server; app-layer-protocol:http; sid:992001;)
alert tcp any any -> any ![25,587] (msg:"SURICATA SMTP not port 25"; flow:to_server; app-layer-protocol:smtp; sid:992002;)
alert tcp any any -> any ![443,465,993,995,5223,5228,6697] (msg:"SURICATA SSL/TLS on unexpected port"; flow:to_server; app-layer-protocol:tls; sid:992003;)
alert tcp any any -> any !53 (msg:"SURICATA DNS not tcp/53"; flow:to_server; app-layer-protocol:dns; sid:992004;)
alert udp any any -> any !53 (msg:"SURICATA DNS not udp/53"; flow:to_server; app-layer-protocol:dns; sid:992005;)
alert tcp any any -> any !22 (msg:"SURICATA SSH not on port 22"; flow:to_server; app-layer-protocol:ssh; sid:992006;)

# IPS, enforce
drop tcp any any -> any 80 (msg:"SURICATA DROP Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:993001;)
drop tcp any any -> any 443 (msg:"SURICATA DROP Port 443 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993002;)
drop tcp any any -> any 993 (msg:"SURICATA DROP Port 993 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993003;)


> -Coop
> 
> On 8/19/2014 8:04 AM, Duane Howard wrote:
>> I'm still learning a bit about the Suricata engine, and it seems that
>> protocol inspection is done without defining ports for each protocol
>> (unlike snort and its individual preprocessors). I'm wondering if
>> there's a way to leverage this fact to alert on protocol usage on
>> 'non-standard' ports? Could you write a simple rule that said something
>> like, alert when the HTTP uri buffer is set on !HTTP_PORTS? or something
>> similar? I'm interested in tracking protocol anomalies to correlate with
>> various other alerts from other systems.


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
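The rule set above groups its SIDs by purpose (990xxx protocol-detection events, 991xxx standard port but unexpected protocol, 992xxx known protocol on a non-standard port, 993xxx IPS drops). Here is an added example, not part of the thread, that triages Suricata eve.json alert lines produced by those rules: it classifies each alert by the SID range the rules use and counts which (app_proto, proto, dest_port) combinations fired in each category, which is the correlation Duane asked about. The eve.json lines are constructed samples that follow the layout of Suricata's "alert" event type; the category names and the SID-range mapping are this example's own assumptions, derived from the numbering in the posted rules.

```python
"""Triage eve.json alerts from a protocol/port anomaly rule set (added example)."""
import json
from collections import Counter, defaultdict

# Assumption: category per thousand-block of SID, taken from the numbering
# scheme used in the posted rules (990001.., 991001.., 992001.., 993001..).
SID_CATEGORIES = {
    990: "proto-detect event",
    991: "standard port, unexpected protocol",
    992: "protocol on non-standard port",
    993: "IPS drop",
}

# Constructed sample eve.json lines (no real traffic); fields mirror the
# Suricata eve "alert" event type. One non-alert event and one malformed
# line are included to show that both are skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-08-19T17:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,'
    '"dest_ip":"10.0.0.9","dest_port":8080,"proto":"TCP","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":992001,"signature":"SURICATA HTTP not port 80"}}',
    '{"timestamp":"2014-08-19T17:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51001,'
    '"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","app_proto":"failed",'
    '"alert":{"action":"allowed","signature_id":991003,"signature":"SURICATA Port 443 but not SSL/TLS"}}',
    '{"timestamp":"2014-08-19T17:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2014-08-19T17:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.6","src_port":51002,'
    '"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":990002,"signature":"SURICATA PROTO DETECT only one direction detected"}}',
    'this line is not JSON',
    '{"timestamp":"2014-08-19T17:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51003,'
    '"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","app_proto":"failed",'
    '"alert":{"action":"blocked","signature_id":993002,"signature":"SURICATA DROP Port 443 but not SSL/TLS"}}',
    '{"timestamp":"2014-08-19T17:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51004,'
    '"dest_ip":"10.0.0.9","dest_port":8000,"proto":"TCP","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":992001,"signature":"SURICATA HTTP not port 80"}}',
]


def category_for_sid(sid):
    """Map a signature id to the rule-set category by its thousand-block."""
    return SID_CATEGORIES.get(sid // 1000, "other")


def parse_eve_alerts(lines):
    """Return a list of normalised alert records; skip non-alert and malformed lines."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line; eve.json is append-only, so this happens
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        sid = int(alert.get("signature_id", 0))
        alerts.append({
            "sid": sid,
            "category": category_for_sid(sid),
            "signature": alert.get("signature", ""),
            "action": alert.get("action", ""),
            "app_proto": event.get("app_proto", "unknown"),
            "proto": event.get("proto", ""),
            "dest_port": event.get("dest_port"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
        })
    return alerts


def summarize(alerts):
    """Count (app_proto, proto, dest_port) tuples per rule category."""
    summary = defaultdict(Counter)
    for a in alerts:
        summary[a["category"]][(a["app_proto"], a["proto"], a["dest_port"])] += 1
    return summary


def report(summary):
    """Render the summary as text, one line per (category, tuple)."""
    rows = []
    for category in sorted(summary):
        for (app_proto, proto, port), n in summary[category].most_common():
            rows.append(f"{category:36s} {app_proto:8s} {proto}/{port}  x{n}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(summarize(parse_eve_alerts(SAMPLE_EVE_LINES))))
```

To run it against a live sensor, replace SAMPLE_EVE_LINES with the lines of eve.json; the 992xxx rows tell you which protocols are showing up on ports you did not expect, and the 991xxx rows show ports where the expected protocol was not recognised (app_proto "failed" means protocol detection gave up on the flow).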