[Oisf-users] app-layer detection-port question
Victor Julien
lists at inliniac.net
Wed Feb 10 19:50:00 UTC 2016
On 10-02-16 18:05, Jason Holmes wrote:
> Hi,
>
> I want to make sure I understand the effect of the 'detection-port'
> option in the app-layer config to rule matching. If I have the
> following app-layer config:
>
> app-layer:
>   protocols:
>     tls:
>       enabled: yes
>       detection-ports:
>         dp: 443
>
> and I have a rule that starts with "alert tls":
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any
>
> does the rule only match on 443 because of the "dp: 443" option in the
> app-layer setting?
>
> If the tls config above omitted the detection-ports section, would the
> detection ports be all ports?
Protocol detection has 2 distinct steps.
1. a pattern based recognition. E.g. if a stream starts with GET|20|
it's very likely HTTP. If the server response then starts with HTTP/ we
can be sure about it.
This runs on all ports.
2. a 'probing parser': this is a simplified parser that tries to
validate the protocol.
This only runs on the port as configured in 'detection-ports'. This is
because it's expensive to run this logic.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
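A small model of the two-step detection Victor describes, added here as an illustration and not taken from Suricata's source: step 1 (pattern match) runs on every port, step 2 (the probing parser) only on the configured detection-ports. The pattern, the parser's check and the `APP_LAYER` config are constructed to mirror the question's snippet; real Suricata patterns and parsers differ.

```python
from typing import Optional

# Constructed config mirroring the question's app-layer snippet (dp: 443).
APP_LAYER = {
    "tls": {"enabled": True, "detection_ports": {443}},
}

# Step 1: cheap pattern-based recognition, run on ALL ports.
# Constructed pattern: a TLS record header 0x16 (handshake) 0x03 0x01.
def pattern_match(payload: bytes) -> Optional[str]:
    if payload[:3] == b"\x16\x03\x01":
        return "tls"
    return None

# Step 2: the more expensive probing parser, run ONLY on detection-ports.
# Constructed check: any TLS 1.x handshake record whose length field is
# consistent with the bytes actually present.
def probing_parser(payload: bytes) -> Optional[str]:
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    rec_len = int.from_bytes(payload[3:5], "big")
    if rec_len >= 4 and len(payload) >= 5 + rec_len:
        return "tls"
    return None

def detect(dst_port: int, payload: bytes) -> Optional[str]:
    """Return the detected app-layer protocol name, or None."""
    proto = pattern_match(payload)          # step 1: every port
    if proto:
        return proto
    for name, cfg in APP_LAYER.items():     # step 2: detection-ports only
        if cfg["enabled"] and dst_port in cfg["detection_ports"]:
            if probing_parser(payload) == name:
                return name
    return None

# Constructed sample records: TLS 1.0 and TLS 1.2 record headers, each
# followed by a 5-byte body so the length field (0x0005) is consistent.
HELLO_TLS10 = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"
HELLO_TLS12 = b"\x16\x03\x03\x00\x05" + b"\x01\x00\x00\x01\x03"

if __name__ == "__main__":
    print(detect(8443, HELLO_TLS10))   # tls  (pattern hit, any port)
    print(detect(443, HELLO_TLS12))    # tls  (probing parser on dp: 443)
    print(detect(8443, HELLO_TLS12))   # None (no pattern, port not probed)
```

The third case is the one the reply warns about: a flow the pattern step misses is only rescued by the probing parser on a port listed under detection-ports, so an "alert tls" rule would never see it on 8443 with this config.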