Project

General

Profile

Actions

Bug #591

closed

Rule protocol 'ssl' unrecognized

Added by Digital Ninja about 12 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

From: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
"Protocol This keyword in a signature tells Suricata which protocol it concerns. You can choose between four settings. tcp (for tcp-traffic), udp, icm and ip. ip stands for 'all' or 'any'. Suricata adds a few protocols : http, ftp, ssl and tls (so-called application layer protocols or layer 7 protocols)."

Create signature:
alert ssl any any -> any any (msg:"SSL proto test"; flow:established; sid:23456;)

Test:
$ sudo suricata -T -l /tmp -S test.rules -c /etc/suricata/suricata.yaml -r https.cap

5/10/2012 -- 10:11:04 - <Info> - This is Suricata version 1.3.2 RELEASE
...
5/10/2012 -- 10:11:04 - <Error> - [ERRCODE:
SC_ERR_UNKNOWN_PROTOCOL(123)] - protocol "ssl" cannot be used in a signature

Actions #1

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.3.2 to 1.4

"ssl" doesn't work indeed, "tls" does work. It includes ssl2 and ssl3 as well.

Maybe we can just create an alias "ssl" or "ssl/tls" or something.

Actions #2

Updated by Anoop Saldanha about 12 years ago

creating an alias for ssl should work fine.

probably need to separate, with tls not matching on sslv2 and v23 and ssl matching against all, if it's used.

Actions #3

Updated by Victor Julien about 12 years ago

That would make sense indeed, although changing behaviour like that may break existing setups. So not sure I would want to go there.

Actions #4

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4 to TBD

I updated the doc to list tls only, and note that it includes ssl detection.

Actions #5

Updated by Andreas Herz almost 9 years ago

  • Status changed from New to Closed
Actions #6

Updated by Victor Julien about 7 years ago

  • Target version deleted (TBD)
Actions

Also available in: Atom PDF