[Oisf-users] Recently started getting Applayer protocol alerts

Orion Poplawski orion at nwra.com
Fri Jan 25 18:44:45 UTC 2019

On 1/25/19 2:39 AM, Peter Manev wrote:
> On Tue, Jan 22, 2019 at 9:50 PM Orion Poplawski <orion at nwra.com> wrote:
>> We're running suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes.  Recently
>> (about the 12th or 13th it seems) we've started getting lots of "SURICATA
>> Applayer Mismatch protocol both directions" and "SURICATA Applayer Detect
>> protocol only one direction" alerts.
>> Most of the "one direction" alerts seem to be for SMTP traffic - which
>> according to https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
>> expected.  Any reason not to exclude ports 25, 465, 587 from these rules?
> you can try excluding it and see/feedback how it goes?

Okay, I'm trying with the following custom rule instead:

alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect protocol
only one direction (non-SMTP)"; flow:established;
flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode;
sid:324000010; rev:1;)

it does look like it immediately dropped the detections.  I'll let it run for
a while.

>> Most of the "both directions" messages seem to be for SMB port 445 traffic.
>> Did something change recently for this kind of traffic?

After looking at things a bit closer, it seems like these alerts are only
coming from the suricata 4.0.13 machines - so perhaps there was an issue that
was fixed later, or that this rule is not appropriate for that version of

Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

More information about the Oisf-users mailing list