[Oisf-users] Detecting Non SSL traffic over TCP 443

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 26 23:15:51 UTC 2014



That works for others when run in IDS mode, so you may have found a
bug/feature.  Maybe you could try running in IDS mode only as a sanity
check?

Like I said, the negation flag for the app-layer-protocol directive is a
new feature and it's possible it wasn't tested fully in inline IPS mode.

As an aside, I personally would use a NGN firewall product like a Palo
Alto to enforce protocol controls like this.

-Coop

On 11/26/2014 11:01 AM, Özkan KIRIK wrote:
> Hi, 
> 
> Now with "alert" action, it alerts for all traffic.
> When I browse "https://www.google.com."  rule alerts.
> 
> There is something wrong but I cannot catch it.
> 
> Thank you
> 
> On Wed, Nov 26, 2014 at 8:54 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> Does it work when it's just an "alert" rule?
> 
> The code to do this is relatively new and it may not work when used
> inline or as a drop rule, as it's tagging a flow vs. a specific packet.
> 
> -Coop
> 
> On 11/26/2014 10:35 AM, Özkan KIRIK wrote:
>> Hi,
> 
>> I tried now. But It still matches both SSL and Non SSL traffic.
>> I am using Suricata 2.0 IPS mode on FreeBSD.
> 
>> My exact rule is :
>> drop tcp any any -> any 443 (msg:"SURICATA Port 443 but not
>> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:991003;)
> 
>> When this rule is activated, browsers cannot receive https certificates.
> 
>> Any ideas ?
>> Thank you
> 
>> On Wed, Nov 26, 2014 at 8:30 PM, Heine Lysemose <lysemose at gmail.com> wrote:
> 
>>     Hi
> 
>>     This is from an earlier post on the list:
> 
>>     alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not SSL/TLS";
>>     flow:to_server; app-layer-protocol:!tls; sid:991003;)
> 
>>     Regards,
>>     Lysemose
> 
>>     On Nov 26, 2014 7:27 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
> 
>>         Hi,
> 
>>         I need a rule that detects Non SSL traffic over TCP 443 Port.
> 
>>         I tried this rule, but it matches both SSL and Non SSL traffic.
>>         alert tcp any any -> any 443 (msg: "Non TLS / SSL traffic ";
>>         app-layer-protocol:!tls;)
> 
>>         What is wrong with this rule?
> 
>>         Best Regards,
> 
>>         _______________________________________________
>>         Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>         Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>         List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>         Training now available: http://suricata-ids.org/training/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
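The rule under discussion hinges on what `app-layer-protocol:!tls` decides about the first client payload of a port-443 flow, which is why the `flow:to_server` direction matters. As an added illustration (not code from the thread, from Suricata, or from any of the posters), the script below approximates that decision outside Suricata: it picks the first client-to-server payload of a flow and checks whether it starts with a well-formed TLS ClientHello record. The sample payloads are constructed, the TLS check is a deliberately simple header sanity check rather than Suricata's own protocol detector, and the `(direction, payload)` tuple layout is an assumption made for the example.

```python
import struct

# TLS constants (RFC 5246): record content type 22 = handshake,
# handshake message type 1 = ClientHello.
TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload begins with a plausible TLS ClientHello.

    This is a header sanity check only (assumption: good enough to separate
    TLS from cleartext protocols on 443); it does not parse the full hello.
    """
    if len(payload) < 9:  # 5-byte record header + 4-byte handshake header
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_RECORD_HANDSHAKE:
        return False
    if major != 3 or minor > 4:  # record versions SSL 3.0 .. TLS 1.3
        return False
    if rec_len == 0 or rec_len > 2**14 + 256:  # not a sane record length
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != TLS_HANDSHAKE_CLIENT_HELLO:
        return False
    # The handshake message (4-byte header + body) must fit in the record.
    return hs_len + 4 <= rec_len


def first_payload_to_server(packets) -> bytes:
    """packets: iterable of (direction, payload) with direction either
    'to_server' or 'to_client' (constructed layout for this example).
    Only client->server data is considered, mirroring flow:to_server."""
    for direction, payload in packets:
        if direction == "to_server" and payload:
            return payload
    return b""


def classify_port_443_flow(packets) -> str:
    """Label a flow the way the thread's rule intends: 'tls' or 'not-tls'."""
    return "tls" if looks_like_tls_client_hello(first_payload_to_server(packets)) else "not-tls"


def build_client_hello() -> bytes:
    """Construct a minimal but structurally valid TLS 1.2 ClientHello."""
    body = (
        b"\x03\x03"          # client_version TLS 1.2
        + bytes(32)          # random (zeros, constructed sample)
        + b"\x00"            # session_id length 0
        + b"\x00\x02\x00\x2f"  # cipher_suites: one suite (TLS_RSA_WITH_AES_128_CBC_SHA)
        + b"\x01\x00"        # compression_methods: null
        + b"\x00\x00"        # extensions length 0
    )
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows: (direction, payload) tuples.
FLOW_TLS = [("to_server", b""), ("to_server", build_client_hello()), ("to_client", b"\x16\x03\x03")]
FLOW_HTTP = [("to_server", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
FLOW_SSH = [("to_server", b"SSH-2.0-OpenSSH_6.6\r\n")]
# Server speaks first and the client never sends: nothing to_server, so not TLS.
FLOW_SERVER_ONLY = [("to_client", build_client_hello())]

if __name__ == "__main__":
    for name, flow in [("tls", FLOW_TLS), ("http", FLOW_HTTP), ("ssh", FLOW_SSH), ("server-only", FLOW_SERVER_ONLY)]:
        print(f"{name:12s} -> {classify_port_443_flow(flow)}")
```

The last sample shows the direction caveat: a hello seen only in the server-to-client direction is ignored, which is the same reason the rule carries `flow:to_server`. Running this over the first payload of each 443 flow from a capture gives an independent way to check whether the traffic a rule is firing on is really non-TLS before deciding the `!tls` negation is misbehaving in IPS mode.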
