[Oisf-users] app-layer detection-port question
Michał Purzyński
michalpurzynski1 at gmail.com
Wed Feb 10 22:28:54 UTC 2016
Does that mean Suricata will first decide "hmmm... smells like HTTP" and then try to confirm the guess with a probing parser?
Will the rule using the word http be allowed to match after the final protocol confirmation?
I'd like to understand how the whole logic works. Pointers to code welcome.
> On 10 Feb 2016, at 20:50, Victor Julien <lists at inliniac.net> wrote:
>
>> On 10-02-16 18:05, Jason Holmes wrote:
>> Hi,
>>
>> I want to make sure I understand the effect of the 'detection-port'
>> option in the app-layer config to rule matching. If I have the
>> following app-layer config:
>>
>> app-layer:
>>   protocols:
>>     tls:
>>       enabled: yes
>>       detection-ports:
>>         dp: 443
>>
>> and I have a rule that starts with "alert tls":
>>
>> alert tls $EXTERNAL_NET any -> $HOME_NET any
>>
>> does the rule only match on 443 because of the "dp: 443" option in the
>> app-layer setting?
>>
>> If the tls config above omitted the detection-ports section, would the
>> detection ports be all ports?
>
> Protocol detection has 2 distinct steps.
>
> 1. a pattern based recognition. E.g. if a stream starts with GET|20|
> it's very likely HTTP. If the server response then starts with HTTP/ we
> can be sure about it.
>
> This runs on all ports.
>
> 2. a 'probing parser': this is a simplified parser that tries to
> validate the protocol.
>
> This only runs on the port as configured in 'detection-ports'. This is
> because it's expensive to run this logic.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
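The two-step detection Victor describes, as an added Python model (example code for this page, not Suricata's own detection code). It takes only the structure from the thread: pattern recognition on every port, probing parsers only on the ports listed under `detection-ports`. The byte patterns, the toy DNS probing parser, the port sets and the sample flows are all assumptions and constructed inputs; the `rule_matches` helper goes one step beyond the thread by showing that the port restriction of an `alert tls` rule comes from the rule header, not from `detection-ports`.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Flow:
    """First bytes seen in each direction of one flow (constructed input)."""
    dport: int
    to_server: bytes
    to_client: bytes


# Step 1: pattern-based recognition. Runs on every port.
# Patterns are assumed for illustration; they are not Suricata's own tables.
PATTERNS: Dict[str, Tuple[bytes, bytes]] = {
    "http": (b"GET ", b"HTTP/"),
    "tls": (b"\x16\x03", b"\x16\x03"),  # TLS record: handshake type, version 3.x
}


def pattern_detect(flow: Flow) -> Optional[str]:
    """Return the protocol whose client and server patterns both match, else None."""
    for proto, (client_pat, server_pat) in PATTERNS.items():
        if flow.to_server.startswith(client_pat) and flow.to_client.startswith(server_pat):
            return proto
    return None


# Step 2: probing parsers. Costlier, so only run on configured detection ports.
def probe_dns(payload: bytes) -> bool:
    """Toy probing parser (assumed): accept a 12-byte DNS header that carries a
    standard query (opcode 0) with exactly one question."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (flags >> 11) & 0xF == 0 and qdcount == 1


PROBING_PARSERS: Dict[str, Callable[[bytes], bool]] = {"dns": probe_dns}

# Stand-in for app-layer.protocols.<proto>.detection-ports.dp (assumed values).
DETECTION_PORTS: Dict[str, Set[int]] = {"tls": {443}, "dns": {53}}


def detect(flow: Flow, detection_ports: Dict[str, Set[int]] = DETECTION_PORTS) -> Optional[str]:
    """Two-step detection: patterns on any port, probing parsers on detection ports only."""
    proto = pattern_detect(flow)
    if proto is not None:
        return proto
    for proto, probe in PROBING_PARSERS.items():
        if flow.dport in detection_ports.get(proto, set()) and probe(flow.to_server):
            return proto
    return None


def rule_matches(rule_proto: str, rule_dport: str, flow: Flow) -> bool:
    """Model of 'alert <proto> $EXTERNAL_NET any -> $HOME_NET <dport>': the app-layer
    keyword needs the detected protocol; the port constraint comes from the header only."""
    if detect(flow) != rule_proto:
        return False
    return rule_dport == "any" or int(rule_dport) == flow.dport


# Constructed sample flows (the TLS records are truncated fakes, enough for the pattern).
TLS_ON_8443 = Flow(8443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",
                   b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x03")
HTTP_ON_8080 = Flow(8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
                    b"HTTP/1.1 200 OK\r\n\r\n")
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, flags, counts
             b"\x07example\x03com\x00\x00\x01\x00\x01")           # example.com A IN
DNS_ON_53 = Flow(53, DNS_QUERY, b"")
DNS_ON_5353 = Flow(5353, DNS_QUERY, b"")

if __name__ == "__main__":
    for name, flow in [("tls/8443", TLS_ON_8443), ("http/8080", HTTP_ON_8080),
                       ("dns/53", DNS_ON_53), ("dns/5353", DNS_ON_5353)]:
        print(f"{name}: detected as {detect(flow)}")
    print("alert tls ... -> any  on tls/8443:", rule_matches("tls", "any", TLS_ON_8443))
    print("alert tls ... -> 443  on tls/8443:", rule_matches("tls", "443", TLS_ON_8443))
```

In this model the TLS flow on 8443 is still classified as TLS because step 1 runs on all ports, so a rule with `-> $HOME_NET any` matches it; the DNS query on 5353 stays unclassified until 5353 is added to the assumed `detection_ports` for dns, because that protocol is only recognised by the probing parser. Treat the model as a reading aid for the thread, not as a statement of what a given Suricata release does on the wire.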