Bug #4921: detect/app-layer-protocol: unexpected results when one direction state "failed" - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4921

closed

detect/app-layer-protocol: unexpected results when one direction state "failed"

Added by Victor Julien almost 4 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

When flow has alproto: http, but alproto_ts: failed, app-layer-protocol:http; or app-layer-protocol:!http; does not consider the "final" protocol, but instead only the alproto_ts.

This behavior isn't necessarily wrong, but there also needs to be a way to only consider the final protocol in this matching. Otherwise there is no reliable way to do something like

alert tcp any any -> any 80 (msg:"non-HTTP traffic over HTTP standard port"; flow:to_server; app-layer-protocol:!http; sid:1;)

Test case in https://github.com/OISF/suricata-verify/pull/615

I'm not entirely sure how to address this. Maybe we need to allow for an addition keyword parameter, e.g. something like:

app-layer-protocol:http,toserver; -> check alproto_ts
app-layer-protocol:http,final; -> check alproto
app-layer-protocol:http,both; -> check alproto_ts and alproto_tc

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4921

detect/app-layer-protocol: unexpected results when one direction state "failed"

Updated by Philippe Antoine over 2 years ago

Updated by Philippe Antoine over 2 years ago

Updated by Philippe Antoine over 1 year ago

Updated by Philippe Antoine over 1 year ago

Updated by Philippe Antoine over 1 year ago