[Oisf-users] app-layer detection-port question

Victor Julien lists at inliniac.net
Wed Feb 10 19:50:00 UTC 2016

On 10-02-16 18:05, Jason Holmes wrote:
> Hi,
> I want to make sure I understand the effect of the 'detection-port'
> option in the app-layer config to rule matching.  If I have the
> following app-layer config:
> app-layer:
>   protocols:
>     tls:
>       enabled: yes
>       detection-ports:
>         dp: 443
> and I have a rule that starts with "alert tls":
>   alert tls $EXTERNAL_NET any -> $HOME_NET any
> does the rule only match on 443 because of the "dp: 443" option in the
> app-layer setting?
> If the tls config above omitted the detection-ports section, would the
> detection ports be all ports?

Protocol detection has 2 distinct steps.

1. a pattern based recognition. E.g. if a stream starts with GET|20|
it's very likely HTTP. If the server response then starts with HTTP/ we
can be sure about it.

This runs on all ports.

2. a 'probing parser': this is a simplified parser that tries to
validate the protocol.

This only runs on the port as configured in 'detection-ports'. This is
because it's expensive to run this logic.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list