[Oisf-users] Detecting Non SSL traffic over TCP 443

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 26 18:54:49 UTC 2014



Does it work when it's just an "alert" rule?

The code to do this is relatively new and it may not work when used
inline or as a drop rule, as it's tagging a flow vs. a specific packet.

-Coop

On 11/26/2014 10:35 AM, Özkan KIRIK wrote:
> Hi,
> 
> I tried it now, but it still matches both SSL and non-SSL traffic.
> I am using Suricata 2.0 in IPS mode on FreeBSD.
> 
> My exact rule is:
> drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not
> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)
> 
> When this rule is active, browsers cannot receive HTTPS certificates.
> 
> Any ideas?
> Thank you
> 
> On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <lysemose at gmail.com
> <mailto:lysemose at gmail.com>> wrote:
> 
>     Hi
> 
>     This is from an earlier post on the list:
> 
>     alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";
>     flow:to_server; app-layer-protocol:!tls; sid:991003;)
> 
>     Regards,
>     Lysemose
> 
>     On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com
>     <mailto:ozkan.kirik at gmail.com>> wrote:
> 
>         Hi,
> 
>         I need a rule that detects non-SSL traffic over TCP port 443.
> 
>         I tried this rule, but it matches both SSL and non-SSL traffic.
>         alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";
>         app-layer-protocol:!tls;)
> 
>         What is wrong with this rule?
> 
>         Best Regards,
> 
>         _______________________________________________
>         Suricata IDS Users mailing list:
>         oisf-users at openinfosecfoundation.org
>         <mailto:oisf-users at openinfosecfoundation.org>
>         Site: http://suricata-ids.org | Support:
>         http://suricata-ids.org/support/
>         List:
>         https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>         Training now available: http://suricata-ids.org/training/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
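To make Coop's point concrete (the protocol is decided per flow once the first client data bytes have been seen, so a per-packet decision taken on a bare SYN or a too-short segment cannot yet say "not TLS"), here is an added Python sketch that is not Suricata's code and is not how Suricata is implemented: it mimics the idea behind `app-layer-protocol:!tls` by inspecting the first client bytes of a port-443 flow for a TLS ClientHello record header. The flows are constructed samples, not captured traffic; the function names are hypothetical.

```python
"""
Illustrative flow-level TLS detection for TCP/443 (constructed example).
Three verdicts are possible: 'tls', 'not_tls', or 'undetermined' when the
flow has not yet carried enough client data to decide. A drop rule that
acted on 'undetermined' as if it were 'not_tls' would break real HTTPS.
"""

TLS_CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def classify_client_bytes(payload: bytes) -> str:
    """Classify the accumulated client-to-server bytes of one flow."""
    if len(payload) < 6:
        # Nothing (SYN/ACK only) or too little data: protocol not yet knowable.
        return "undetermined"
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    # Record header 0x16 0x03 0x0{0..3}, non-empty record, first message ClientHello.
    if (content_type == TLS_CONTENT_TYPE_HANDSHAKE and major == 3 and minor <= 3
            and record_len > 0 and handshake_type == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls"
    return "not_tls"


def flow_verdicts(segments):
    """Return the verdict after each client segment; the flow is tagged once and
    the tag then applies to all later packets of that flow, as in flow tagging."""
    verdicts, buf, state = [], b"", "undetermined"
    for seg in segments:
        if state == "undetermined":
            buf += seg                      # keep buffering until decidable
            state = classify_client_bytes(buf)
        verdicts.append(state)
    return verdicts


# Constructed sample flows: first element is the empty SYN "payload".
TLS_FLOW = [b"", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32]
HTTP_FLOW = [b"", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]

if __name__ == "__main__":
    print(flow_verdicts(TLS_FLOW))   # ['undetermined', 'tls']
    print(flow_verdicts(HTTP_FLOW))  # ['undetermined', 'not_tls']
```

The first verdict of each flow is "undetermined", which is exactly the packet a drop rule must not treat as a match.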
