Bug #4921
opendetect/app-layer-protocol: unexpected results when one direction state "failed"
Description
When flow has alproto: http, but alproto_ts: failed, app-layer-protocol:http; or app-layer-protocol:!http; does not consider the "final" protocol, but instead only the alproto_ts.
This behavior isn't necessarily wrong, but there also needs to be a way to only consider the final protocol in this matching. Otherwise there is no reliable way to do something like
alert tcp any any -> any 80 (msg:"non-HTTP traffic over HTTP standard port"; flow:to_server; app-layer-protocol:!http; sid:1;)
Test case in https://github.com/OISF/suricata-verify/pull/615
I'm not entirely sure how to address this. Maybe we need to allow for an addition keyword parameter, e.g. something like:
app-layer-protocol:http,toserver; -> check alproto_tsapp-layer-protocol:http,final; -> check alprotoapp-layer-protocol:http,both; -> check alproto_ts and alproto_tc
Updated by Philippe Antoine about 1 year ago
Updated by Philippe Antoine 10 months ago
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
Updated by Philippe Antoine 3 months ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine 3 months ago
- Status changed from New to In Review