Bug #591
Closed
Rule protocol 'ssl' unrecognized
Description
From: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
"Protocol: This keyword in a signature tells Suricata which protocol it concerns. You can choose between four settings. tcp (for tcp-traffic), udp, icmp and ip. ip stands for 'all' or 'any'. Suricata adds a few protocols: http, ftp, ssl and tls (so-called application layer protocols or layer 7 protocols)."
Create signature:
alert ssl any any -> any any (msg:"SSL proto test"; flow:established; sid:23456;)
Test:
$ sudo suricata -T -l /tmp -S test.rules -c /etc/suricata/suricata.yaml -r https.cap
5/10/2012 -- 10:11:04 - <Info> - This is Suricata version 1.3.2 RELEASE
...
5/10/2012 -- 10:11:04 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(123)] - protocol "ssl" cannot be used in a signature
Updated by Victor Julien about 12 years ago
- Target version changed from 1.3.2 to 1.4
"ssl" doesn't work indeed, "tls" does work. It includes ssl2 and ssl3 as well.
Maybe we can just create an alias "ssl" or "ssl/tls" or something.
Updated by Anoop Saldanha about 12 years ago
Creating an alias for ssl should work fine.
Probably need to separate, with tls not matching on sslv2 and v23 and ssl matching against all, if it's used.
Updated by Victor Julien about 12 years ago
That would make sense indeed, although changing behaviour like that may break existing setups. So not sure I would want to go there.
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4 to TBD
I updated the doc to list tls only, and note that it includes ssl detection.
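A pre-load check for the problem reported in this ticket, added here as an example that is not part of the original thread or of Suricata's code: it flags rule headers whose protocol is outside the set this page names as working and rewrites `ssl` to `tls` in the header only. The accepted-protocol set, the helper names and the sample rules other than sid 23456 are assumptions for illustration.

```python
import re

# Assumption: accepted set taken from this page (the wiki list minus "ssl",
# which Suricata 1.3.2 rejects). Other Suricata versions may differ.
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "ftp", "tls"}
# Per the thread, "tls" also covers ssl2 and ssl3.
SUGGESTED = {"ssl": "tls"}
ACTIONS = {"alert", "drop", "pass", "reject"}

# action, protocol, then the rest of the header and the (options) block.
HEADER = re.compile(
    r"^(?P<head>\s*(?P<action>\S+)\s+)(?P<proto>\S+)(?P<rest>\s.*\(.*\)\s*)$"
)

def parse_rule(line):
    """Return a regex match for an active rule line, or None."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None  # blank line, comment, or disabled rule
    match = HEADER.match(line)
    if match and match.group("action").lower() in ACTIONS:
        return match
    return None

def check_rules(text):
    """Return (line_number, protocol, suggestion_or_None) per bad header."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = parse_rule(line)
        if match and match.group("proto").lower() not in KNOWN_PROTOCOLS:
            proto = match.group("proto").lower()
            findings.append((number, proto, SUGGESTED.get(proto)))
    return findings

def fix_rule(line):
    """Replace a rejected protocol in the header; options stay untouched."""
    match = parse_rule(line)
    if match and match.group("proto").lower() in SUGGESTED:
        new_proto = SUGGESTED[match.group("proto").lower()]
        return match.group("head") + new_proto + match.group("rest")
    return line

# Constructed sample file: line 2 is the rule from this ticket.
SAMPLE_RULES = """\
# constructed sample rule file
alert ssl any any -> any any (msg:"SSL proto test"; flow:established; sid:23456;)
alert tls any any -> any any (msg:"TLS proto test"; flow:established; sid:23457;)
alert tcp any any -> any 443 (msg:"ssl in msg only"; sid:23458;)
"""

if __name__ == "__main__":
    for number, proto, hint in check_rules(SAMPLE_RULES):
        print(f"line {number}: protocol {proto!r} not accepted; use {hint!r}")
```

Running the rewritten file through `suricata -T`, as in the report above, remains the authoritative check.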