[Oisf-users] app-layer detection-port question

Victor Julien lists at inliniac.net
Thu Feb 11 14:34:15 UTC 2016


On 10-02-16 23:28, Michał Purzyński wrote:
> Does that mean Suricata will first decide "hmmm... smells like HTTP" and then try to confirm the guess with a probing parser?

If the pattern based detection succeeds, the probing parser is not
called. In some cases (like DNS) we have only a probing parser.

> Will the rule using the word http be allowed to match after the final protocol confirmation?

Yes.

> I'd like to understand how the whole logic works. Pointers to code welcome.

https://github.com/inliniac/suricata/blob/master/src/app-layer-detect-proto.c

Cheers,
Victor

>> On 10 Feb 2016, at 20:50, Victor Julien <lists at inliniac.net> wrote:
>>
>>> On 10-02-16 18:05, Jason Holmes wrote:
>>> Hi,
>>>
>>> I want to make sure I understand the effect of the 'detection-port'
>>> option in the app-layer config to rule matching.  If I have the
>>> following app-layer config:
>>>
>>> app-layer:
>>>  protocols:
>>>    tls:
>>>      enabled: yes
>>>      detection-ports:
>>>        dp: 443
>>>
>>> and I have a rule that starts with "alert tls":
>>>
>>>  alert tls $EXTERNAL_NET any -> $HOME_NET any
>>>
>>> does the rule only match on 443 because of the "dp: 443" option in the
>>> app-layer setting?
>>>
>>> If the tls config above omitted the detection-ports section, would the
>>> detection ports be all ports?
>>
>> Protocol detection has 2 distinct steps.
>>
>> 1. a pattern based recognition. E.g. if a stream starts with GET|20|
>> it's very likely HTTP. If the server response then starts with HTTP/ we
>> can be sure about it.
>>
>> This runs on all ports.
>>
>> 2. a 'probing parser': this is a simplified parser that tries to
>> validate the protocol.
>>
>> This only runs on the port as configured in 'detection-ports'. This is
>> because it's expensive to run this logic.
>>
>> -- 
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
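Added illustration of the two-stage logic described in this thread (this is constructed example code, not code from the thread, from Suricata, or from app-layer-detect-proto.c). Stage 1 matches byte patterns on every port; stage 2 runs a cheap "probing parser" only on ports listed under detection-ports; a rule carrying an app-layer protocol keyword only matches once detection has settled on that protocol. The pattern table, the toy DNS prober, the port table and the sample bytes are all assumptions made for the example.

```python
import struct
from typing import Callable, Dict, Optional, Tuple

# Stage 1: pattern based recognition, consulted on ALL ports.
# Constructed table, modelled on the GET|20| / HTTP/ example in the thread.
PATTERNS: Dict[str, Dict[str, list]] = {
    "http": {"toserver": [b"GET ", b"POST "], "toclient": [b"HTTP/"]},
}


def probe_dns_tcp(data: bytes) -> bool:
    """Toy probing parser for DNS over TCP (assumption, not Suricata's):
    2-byte length prefix, then a 12-byte header with opcode 0 and QDCOUNT 1."""
    if len(data) < 14:
        return False
    (length,) = struct.unpack("!H", data[:2])
    if length != len(data) - 2:
        return False
    flags, qdcount = struct.unpack("!HH", data[4:8])
    return (flags >> 11) & 0xF == 0 and qdcount == 1


# Stage 2: probing parsers. DNS is the thread's example of a protocol that
# has only a probing parser and no stage-1 pattern.
PROBERS: Dict[str, Callable[[bytes], bool]] = {"dns": probe_dns_tcp}

# Mirrors 'app-layer: protocols: <proto>: detection-ports: dp:' in suricata.yaml
# (constructed values).
DETECTION_PORTS: Dict[str, set] = {"dns": {53}}


def pattern_match(toserver: bytes, toclient: bytes) -> Optional[str]:
    """Stage 1: first protocol whose pattern matches either direction."""
    for proto, sides in PATTERNS.items():
        if any(toserver.startswith(p) for p in sides["toserver"]):
            return proto
        if any(toclient.startswith(p) for p in sides["toclient"]):
            return proto
    return None


def detect_protocol(dst_port: int, toserver: bytes,
                    toclient: bytes = b"") -> Tuple[Optional[str], str]:
    """Return (protocol, stage) where stage records which step decided."""
    proto = pattern_match(toserver, toclient)
    if proto is not None:
        return proto, "pattern"        # probing parser is never called
    # Stage 2 is expensive, so it only runs on the configured detection ports.
    for proto, ports in DETECTION_PORTS.items():
        if dst_port in ports and proto in PROBERS and PROBERS[proto](toserver):
            return proto, "probe"
    return None, "unknown"


def rule_applies(rule_proto: str, detected: Optional[str]) -> bool:
    """'alert http ...' style rules only match once detection confirmed
    that protocol; an unknown stream never satisfies them."""
    return detected == rule_proto


# Constructed sample traffic: a DNS/TCP query for example.com (29 payload
# bytes behind the length prefix) and a plain HTTP request line.
DNS_QUERY = (b"\x00\x1d"
             + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00\x00\x01\x00\x01")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(detect_protocol(8080, HTTP_REQUEST))   # pattern hit, any port
    print(detect_protocol(53, DNS_QUERY))        # probe hit on detection port
    print(detect_protocol(5353, DNS_QUERY))      # no probe off detection port
    print(rule_applies("http", detect_protocol(8080, HTTP_REQUEST)[0]))
```

Running it shows the consequence Victor spells out: the HTTP request is recognised on port 8080 by the pattern alone, the DNS query is only recognised on port 53 because that is the one port where the prober runs, and the same DNS bytes on 5353 stay unknown, so an "alert dns" rule would never see them.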



