[Oisf-users] app-layer detection-port question

Michał Purzyński michalpurzynski1 at gmail.com
Wed Feb 10 22:28:54 UTC 2016


Does that mean Suricata will first decide "hmmm... smells like HTTP" and then try to confirm the guess with a probing parser?

Will the rule using the word http be allowed to match after the final protocol confirmation?

I'd like to understand how the whole logic works. Pointers to code welcome.

> On 10 Feb 2016, at 20:50, Victor Julien <lists at inliniac.net> wrote:
> 
>> On 10-02-16 18:05, Jason Holmes wrote:
>> Hi,
>> 
>> I want to make sure I understand the effect of the 'detection-port'
>> option in the app-layer config to rule matching.  If I have the
>> following app-layer config:
>> 
>> app-layer:
>>  protocols:
>>    tls:
>>      enabled: yes
>>      detection-ports:
>>        dp: 443
>> 
>> and I have a rule that starts with "alert tls":
>> 
>>  alert tls $EXTERNAL_NET any -> $HOME_NET any
>> 
>> does the rule only match on 443 because of the "dp: 443" option in the
>> app-layer setting?
>> 
>> If the tls config above omitted the detection-ports section, would the
>> detection ports be all ports?
> 
> Protocol detection has 2 distinct steps.
> 
> 1. a pattern based recognition. E.g. if a stream starts with GET|20|
> it's very likely HTTP. If the server response then starts with HTTP/ we
> can be sure about it.
> 
> This runs on all ports.
> 
> 2. a 'probing parser': this is a simplified parser that tries to
> validate the protocol.
> 
> This only runs on the port as configured in 'detection-ports'. This is
> because it's expensive to run this logic.
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
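The two-step logic Victor describes, modelled in Python as an added illustration (this is not Suricata's code; the pattern table, the probing parsers and the CONFIG dict are constructed for the example). It shows a pattern hit being found on any port, while a request that misses the pattern table is only picked up by the probing parser on a port listed under detection-ports:

```python
import re

# Step 1: cheap byte-pattern table, run on every port. This table is a
# constructed toy; Suricata's real pattern set is far larger.
PATTERNS = [
    ("http", "toserver", b"GET "),
    ("http", "toclient", b"HTTP/"),
    ("tls", "toserver", b"\x16\x03"),   # TLS handshake record, version 3.x
]

# Step 2: simplified "probing parsers", run only on configured detection-ports.
HTTP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")

def probe_http(data: bytes) -> bool:
    return HTTP_REQ.match(data) is not None

def probe_tls(data: bytes) -> bool:
    # handshake record (0x16), major version 3, sane length, ClientHello (0x01)
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 3
            and int.from_bytes(data[3:5], "big") <= 16384 and data[5] == 1)

PROBES = {"http": probe_http, "tls": probe_tls}

def parse_detection_ports(config: dict) -> dict:
    """Map each enabled protocol to its 'dp' port set; a protocol without a
    detection-ports section gets an empty set, so its probe never runs."""
    out = {}
    for proto, opts in config["app-layer"]["protocols"].items():
        if opts.get("enabled"):
            dp = opts.get("detection-ports", {}).get("dp", "")
            out[proto] = {int(p) for p in str(dp).split(",") if p}
    return out

def detect(dport: int, direction: str, payload: bytes, detection_ports: dict):
    """Return (protocol, how-it-was-found) following the two steps."""
    for proto, pdir, prefix in PATTERNS:                # step 1: all ports
        if direction == pdir and payload.startswith(prefix):
            return proto, "pattern"
    for proto, ports in detection_ports.items():        # step 2: dp only
        if dport in ports and PROBES[proto](payload):
            return proto, "probing"
    return None, "unknown"

# Constructed config mirroring the thread's snippet, plus http on 80/8080.
CONFIG = {"app-layer": {"protocols": {
    "tls": {"enabled": True, "detection-ports": {"dp": 443}},
    "http": {"enabled": True, "detection-ports": {"dp": "80,8080"}},
}}}
```

Dropping the detection-ports section for a protocol leaves its port set empty, so only step 1 can ever identify it.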
