[Oisf-users] Detecting Non SSL traffic over TCP 443

Özkan KIRIK ozkan.kirik at gmail.com
Wed Nov 26 19:01:33 UTC 2014


Hi,

Now with "alert" action, it alerts for all traffic.
When I browse "https://www.google.com", the rule alerts.

There is something wrong, but I cannot catch it.

Thank you

On Wed, Nov 26, 2014 at 8:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Does it work when it's just an "alert" rule?
>
> The code to do this is relatively new and it may not work when used
> inline or as a drop rule, as it's tagging a flow vs. a specific packet.
>
> - -Coop
>
> On 11/26/2014 10:35 AM, Özkan KIRIK wrote:
> > Hi,
> >
> > I tried now. But it still matches both SSL and Non SSL traffic.
> > I am using Suricata 2.0 IPS mode on FreeBSD.
> >
> > My exact rule is :
> > drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not
> > SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)
> >
> > When this rule is activated, browsers cannot receive https certificates.
> >
> > Any ideas?
> > Thank you
> >
> > On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <lysemose at gmail.com
> > <mailto:lysemose at gmail.com>> wrote:
> >
> >     Hi
> >
> >     This is from an earlier post on the list:
> >
> >     alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";
> >     flow:to_server; app-layer-protocol:!tls; sid:991003;)
> >
> >     Regards,
> >     Lysemose
> >
> >     On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com
> >     <mailto:ozkan.kirik at gmail.com>> wrote:
> >
> >         Hi,
> >
> >         I need a rule that detects Non SSL traffic over TCP 443 Port.
> >
> >         I tried this rule, but it matches both SSL and Non SSL traffic.
> >         alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";
> >         app-layer-protocol:!tls;)
> >
> >         What is wrong with this rule?
> >
> >         Best Regards,
> >
> >         _______________________________________________
> >         Suricata IDS Users mailing list:
> >         oisf-users at openinfosecfoundation.org
> >         <mailto:oisf-users at openinfosecfoundation.org>
> >         Site: http://suricata-ids.org | Support:
> >         http://suricata-ids.org/support/
> >         List:
> >
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >         Training now available: http://suricata-ids.org/training/
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042