[Oisf-users] Detecting HTTP clear text on port 443

Eric Leblond eric at regit.org
Wed Feb 22 19:46:14 UTC 2017


Hi,

On Wed, 2017-02-22 at 19:39 +0000, Collyer, Jeffrey W. (jwc3f) wrote:
> I believe this rule was running under 3.2.0 but after upgrading to
> 3.2.1, suricata is throwing errors on startup. Not sure if the
> upgrade is just coincidence or not.
> 
> The rule is from the web page - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection
> 
> alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)

This does not look correct.

> and the errors are
> 21/2/2017 -- 10:33:11 - <Info> - Running suricata under test mode
> 21/2/2017 -- 10:33:11 - <Notice> - This is Suricata version 3.2.1 RELEASE
> 21/2/2017 -- 10:33:11 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - Either we already have the rule match on an app layer protocol set through other keywords that match on this protocol, or have already seen a non-negated app-layer-protocol.

The error makes sense, as the rule asks twice for http. Use instead:

alert tcp any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)

++
-- 
Eric Leblond <eric at regit.org>
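The conflict Eric points out can be caught before `suricata -T` is ever run. The following pre-deployment check is an added example written for this page, not code from the thread, Suricata, or the OISF wiki. It parses a single-line rule, looks at the header protocol and every `app-layer-protocol` option, and flags the two situations the error text names: a header protocol that is itself an app-layer protocol combined with a non-negated `app-layer-protocol` keyword, and more than one non-negated `app-layer-protocol` keyword. The set `APP_LAYER_PROTOS` is an illustrative subset assumed here, not Suricata's full protocol table, and the option splitter is a simple heuristic (it respects double quotes so a `;` inside `msg:"..."` does not break an option, and nothing more). `suggest_fix` applies the rewrite from the reply: swap the header protocol for `tcp` and keep the keyword.

```python
import re

# Header protocols that Suricata treats as application-layer protocols.
# Illustrative subset assumed for this example, not Suricata's full list.
APP_LAYER_PROTOS = {"http", "tls", "ssh", "smb", "dns", "ftp", "smtp", "dcerpc"}

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# One option: a run of non-';' characters where double-quoted strings are
# consumed whole, so a ';' inside msg:"..." does not split the option.
OPTION_RE = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')


def parse_rule(rule):
    """Return (header dict, [(keyword, value_or_None), ...]) for one rule line."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule: %r" % rule)
    options = []
    for raw in OPTION_RE.findall(m.group("opts")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition(":")
        options.append((key.strip().lower(), value.strip() if sep else None))
    return m.groupdict(), options


def check_app_layer_conflict(rule):
    """List the problems that would trigger SC_ERR_CONFLICTING_RULE_KEYWORDS."""
    header, options = parse_rule(rule)
    proto = header["proto"].lower()
    # Only non-negated app-layer-protocol keywords count as a protocol match.
    positive = [v for k, v in options
                if k == "app-layer-protocol" and v and not v.startswith("!")]
    problems = []
    if proto in APP_LAYER_PROTOS and positive:
        problems.append(
            "header protocol %r already selects an app-layer protocol; "
            "app-layer-protocol:%s is a conflicting second match"
            % (proto, positive[0]))
    if len(positive) > 1:
        problems.append("more than one non-negated app-layer-protocol keyword")
    return problems


def suggest_fix(rule):
    """Apply the rewrite from the reply: keep the keyword, make the header tcp."""
    header, options = parse_rule(rule)
    proto = header["proto"].lower()
    has_positive = any(k == "app-layer-protocol" and v and not v.startswith("!")
                       for k, v in options)
    if proto in APP_LAYER_PROTOS and has_positive:
        return re.sub(r"^(\s*(?:alert|drop|pass|reject)\s+)\S+",
                      r"\g<1>tcp", rule, count=1)
    return rule


# The two rules from the thread: the one that fails to load and the fixed one.
BROKEN_RULE = ('alert http any any -> any 443 (msg:"SURICATA HTTP clear text on '
               'port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)')
FIXED_RULE = ('alert tcp any any -> any 443 (msg:"SURICATA HTTP clear text on '
              'port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)')

if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        problems = check_app_layer_conflict(rule)
        print(rule)
        print("  ->", problems or "ok")
        if problems:
            print("  suggested:", suggest_fix(rule))
```

Run it over a rules file one line at a time (multi-line rules would need joining first) and treat any non-empty result as a load failure waiting to happen; the check costs nothing compared to a reload that aborts on the engine.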
