[Oisf-users] Detecting HTTP clear text on port 443
Collyer, Jeffrey W. (jwc3f)
jwc3f at virginia.edu
Wed Feb 22 20:47:27 UTC 2017
Eric,
Good catch. That solved my issue.
Any idea how I let someone know to update the wiki?
Thanks
Jeff
> On Feb 22, 2017, at 2:46 PM, Eric Leblond <eric at regit.org> wrote:
>
> Hi,
>
> On Wed, 2017-02-22 at 19:39 +0000, Collyer, Jeffrey W. (jwc3f) wrote:
>> I believe this rule was running under 3.2.0 but after upgrading to
>> 3.2.1, suricata is throwing errors on startup. Not sure if the
>> upgrade is just coincidence or not.
>>
>> The rule is from the web page - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection
>>
>> alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)
>
> This does not look correct.
>
>> and the errors are
>> 21/2/2017 -- 10:33:11 - <Info> - Running suricata under test mode
>> 21/2/2017 -- 10:33:11 - <Notice> - This is Suricata version 3.2.1 RELEASE
>> 21/2/2017 -- 10:33:11 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - Either we already have the rule match on an app layer protocol set through other keywords that match on this protocol, or have already seen a non-negated app-layer-protocol.
>
> The error makes sense, as the rule asks twice for http. Use instead:
>
> alert tcp any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)
>
> ++
> --
> Eric Leblond <eric at regit.org>
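As an added example (not part of the thread and not Suricata's own code): a small Python lint that flags the conflict Eric describes before a ruleset is handed to Suricata. It models the two conditions the error text names, a header protocol (alert http) that already pins an app-layer protocol, and a non-negated app-layer-protocol keyword that has already been seen; the set of header protocols treated as app-layer protocols and the assumption that a non-negated keyword pins the rule are taken from the error message, not from Suricata's source, so mirror your build's supported protocols in practice. The sample rules are the thread's broken and corrected rule plus two constructed ones.

```python
"""Lint Suricata rules for the SC_ERR_CONFLICTING_RULE_KEYWORDS case from the thread.

Added example, not Suricata code. The conflict conditions are modeled from the
error text, not from Suricata's parser.
"""
import re

# Assumed: header protocols that Suricata treats as app-layer protocols.
# Mirror your build's `suricata --list-app-layer-protos` for real use.
APP_LAYER_PROTOS = {"http", "tls", "dns", "ssh", "smtp", "ftp", "smb",
                    "dcerpc", "modbus", "dnp3", "enip", "ntp"}

# Header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' while honouring double quotes and backslash escapes.

    Returns a list of (keyword, value) tuples; value is '' for bare keywords such as nocase.
    """
    items, cur, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    result = []
    for item in items:
        if not item:
            continue
        key, _, val = item.partition(":")
        result.append((key.strip().lower(), val.strip()))
    return result


def parse_rule(rule):
    """Parse one rule into its header protocol and option list."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    return {"action": m.group("action").lower(),
            "proto": m.group("proto").lower(),
            "options": split_options(m.group("opts"))}


def lint_rule(rule):
    """Return conflict messages for the rule; an empty list means this check passes."""
    parsed = parse_rule(rule)
    issues = []
    header_alproto = parsed["proto"] if parsed["proto"] in APP_LAYER_PROTOS else None
    pinned_by_keyword = None  # assumed: a non-negated keyword pins the rule's alproto
    for key, val in parsed["options"]:
        if key != "app-layer-protocol":
            continue
        negated = val.startswith("!")
        proto = val.lstrip("!").strip().lower()
        if header_alproto is not None:
            issues.append("app-layer-protocol:%s conflicts with header protocol '%s'; "
                          "use 'alert tcp' and keep the keyword" % (val, header_alproto))
        elif pinned_by_keyword is not None:
            issues.append("app-layer-protocol:%s follows non-negated app-layer-protocol:%s"
                          % (val, pinned_by_keyword))
        if not negated and pinned_by_keyword is None:
            pinned_by_keyword = proto
    return issues


# Constructed samples: the thread's broken rule, Eric's corrected rule, and two extra cases.
BROKEN_RULE = ('alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; '
               'flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)')
FIXED_RULE = ('alert tcp any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; '
              'flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)')
DOUBLE_RULE = ('alert tcp any any -> any 443 (msg:"two keywords; one pins"; '
               'app-layer-protocol:http; app-layer-protocol:!tls; sid:1; rev:1;)')
NEGATED_RULE = ('alert tcp any any -> any 443 (msg:"only negations"; '
                'app-layer-protocol:!tls; app-layer-protocol:!http; sid:2; rev:1;)')

if __name__ == "__main__":
    for name, rule in [("broken", BROKEN_RULE), ("fixed", FIXED_RULE),
                       ("double", DOUBLE_RULE), ("negated", NEGATED_RULE)]:
        print(name, lint_rule(rule) or "ok")
```

Run it over a rules file one line at a time (skipping comments and blank lines) to find this conflict before restarting the sensor; `suricata -T -S rules.file` remains the authoritative check, since this lint only models the conditions the error text names.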