[Oisf-users] Detecting HTTP clear text on port 443

Collyer, Jeffrey W. (jwc3f) jwc3f at virginia.edu
Wed Feb 22 19:39:21 UTC 2017


I believe this rule was running under 3.2.0 but after upgrading to 3.2.1, suricata is throwing errors on startup. Not sure if the upgrade is just coincidence or not.

The rule is from the web page - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection

alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)

and the errors are
21/2/2017 -- 10:33:11 - <Info> - Running suricata under test mode
21/2/2017 -- 10:33:11 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 10:33:11 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - Either we already have the rule match on an app layer protocol set through other keywords that match on this protocol, or have already seen a non-negated app-layer-protocol.
21/2/2017 -- 10:33:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)" from file /etc/suricata/rules/dpd.rules at line 5
21/2/2017 -- 10:33:18 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

I’ve grepped through my rules files to try to find anything else with

app-layer-protocol:http

but I’ve come up with no matching rules.

For the time being I’ve just commented the rule out, but I’d like to get it working again if possible. Does anyone have any ideas, or is anyone using a similar rule without problems?

Jeffrey Collyer
Information Security Engineer
University of Virginia
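The error quoted above names two conditions under which Suricata rejects a rule: the app-layer protocol is already fixed by another part of the rule, or a second non-negated app-layer-protocol keyword appears. The following script is an added example, not part of the original post or of Suricata itself, that scans rule lines for exactly those two conditions before you run suricata -T. It assumes that a header protocol outside a small transport-level set (tcp, udp, ip, ...) counts as "setting the app-layer protocol through other keywords"; the sample rules other than the first are constructed for the demonstration.

```python
import re

# Assumption: these header protocol names do not fix an app-layer protocol.
# Anything else in the protocol field (http, tls, dns, ...) is treated as doing so.
TRANSPORT_PROTOS = {"ip", "ip4", "ip6", "tcp", "udp", "icmp", "icmpv4", "icmpv6", "sctp"}

HEADER_RE = re.compile(
    r"^\s*(?:alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
ALP_RE = re.compile(r"app-layer-protocol\s*:\s*(?P<neg>!?)\s*(?P<proto>[A-Za-z0-9_-]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

# Constructed sample rule set: the first line is the rule from the post, the rest are
# made up to exercise the clean case and the duplicate-keyword case.
SAMPLE_RULES = [
    'alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)',
    'alert tcp any any -> any 443 (msg:"HTTP on 443, tcp header"; flow:to_server; app-layer-protocol:http; sid:1000001; rev:1;)',
    'alert tcp any any -> any 443 (msg:"negated plus positive"; flow:to_server; app-layer-protocol:!tls; app-layer-protocol:http; sid:1000002; rev:1;)',
    'alert tcp any any -> any 443 (msg:"two positives"; flow:to_server; app-layer-protocol:tls; app-layer-protocol:http; sid:1000003; rev:1;)',
]


def lint_rule(rule):
    """Return the list of conflict reasons for one rule line (empty if none found)."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return []  # comments and blank lines never conflict
    m = HEADER_RE.match(rule)
    if not m:
        return ["UNPARSEABLE_HEADER"]
    header_proto = m.group("proto").lower()
    keywords = [(k.group("neg") == "!", k.group("proto").lower())
                for k in ALP_RE.finditer(m.group("opts"))]
    positives = [proto for negated, proto in keywords if not negated]
    reasons = []
    # Condition 1 from the error text: the header already fixes an app-layer
    # protocol and a non-negated app-layer-protocol keyword is also present.
    if header_proto not in TRANSPORT_PROTOS and positives:
        reasons.append("HEADER_ALPROTO_CONFLICT")
    # Condition 2: more than one non-negated app-layer-protocol keyword.
    if len(positives) > 1:
        reasons.append("DUPLICATE_APP_LAYER_PROTOCOL")
    return reasons


def lint_rules(lines):
    """Map sid (or 'lineN' when no sid is present) to its conflict reasons, flagged rules only."""
    findings = {}
    for n, line in enumerate(lines, 1):
        reasons = lint_rule(line)
        if reasons:
            sid_m = SID_RE.search(line)
            findings[sid_m.group("sid") if sid_m else f"line{n}"] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in lint_rules(SAMPLE_RULES).items():
        print(f"sid {sid}: {', '.join(reasons)}")
```

Run against a real file with lint_rules(open("/etc/suricata/rules/dpd.rules")). On the sample set it flags sid 2271019 (header protocol http plus app-layer-protocol:http) and the constructed sid 1000003 (two positive keywords), and leaves the tcp-header variants alone. It is a pre-check only; Suricata's own parser remains the authority on what loads.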


