[Oisf-users] Detecting Non SSL traffic over TCP 443

Özkan KIRIK ozkan.kirik at gmail.com
Wed Nov 26 18:35:40 UTC 2014


Hi,

I tried it now, but it still matches both SSL and non-SSL traffic.
I am using Suricata 2.0 IPS mode on FreeBSD.

My exact rule is:
drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";
flow:to_server;
app-layer-protocol:!tls; sid:991003;)

When this rule is activated, browsers cannot receive HTTPS certificates.

Any ideas?
Thank you

On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <lysemose at gmail.com> wrote:

> Hi
>
> This is from an earlier post on the list
>
> alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";
> flow:to_server; app-layer-protocol:!tls; sid:991003;)
>
> Regards,
> Lysemose
> On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
>
>> Hi,
>>
>> I need a rule that detects non-SSL traffic over TCP port 443.
>>
>> I tried this rule, but it matches both SSL and non-SSL traffic.
>> alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";
>> app-layer-protocol:!tls;)
>>
>> What is wrong with this rule?
>>
>> Best Regards,
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>>
>
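The check the thread is trying to express, written out as an added example (not code from Suricata or from anyone on the list): classify the first client-to-server payload of a TCP/443 flow as a TLS ClientHello, as something else, or as undetermined. The third verdict matters because the SYN and bare ACKs that open a flow carry no application data at all, so a rule that treats "not yet seen to be TLS" as "not TLS" fires on every connection before the handshake has even started. All payloads below are constructed byte strings standing in for captured segments.

```python
"""Classify the first client payload on TCP/443 as TLS, not TLS, or undetermined."""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_RECORD = 16384 + 2048  # TLSPlaintext length bound plus TLSCiphertext slack


def classify_first_payload(payload: bytes) -> str:
    """Return 'tls', 'not_tls' or 'undetermined' for the first client bytes."""
    if len(payload) < 6:
        # No payload (SYN/ACK) or not enough for a record header + handshake
        # type: nothing can be decided yet, so do NOT report 'not_tls'.
        return "undetermined"
    content_type, major, minor = payload[0], payload[1], payload[2]
    (record_len,) = struct.unpack("!H", payload[3:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return "not_tls"          # SSLv3/TLS record layer uses version 3.x
    if payload[5] != CLIENT_HELLO or not 0 < record_len <= MAX_RECORD:
        return "not_tls"
    return "tls"


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, no session id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00")         # one suite, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample first payloads, keyed by what they stand for.
SAMPLES = {
    "tcp_syn_no_payload": b"",
    "tls_client_hello": build_client_hello(),
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh_on_443": b"SSH-2.0-OpenSSH_6.6\r\n",
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_first_payload(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} -> {verdict}")
```

Only the plaintext-on-443 samples come back as not_tls; the empty first segment stays undetermined, which is the case a drop rule has to leave alone.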

