Project

General

Profile

Actions

Documentation #6022

open

devguide: explain how the engine identifies applayer protocols

Added by Juliana Fajardini Reichow over 1 year ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Important/interesting questions to answer:
- How Suricata determines application layer protocols (e.g. HTTP, HTTPS, TLS, etc.)?
- Does every Suricata-supported protocol try to parse the packet? And if so, what happens when 2 protocols are parsed successfully?

Initial explanation:

There are 3 levels of detection
1) PM (pattern matching)
2) PP (probing parser)
3) PE (expectation based)

Explanation:

1 is preferred, it is a clear pattern in an expected place, e.g. "GET|20|" as the first 4 bytes mean HTTP
2 is running a dedicated parser on traffic to see what it thinks. Does this look like DNS? If so we consider it DNS. We lock these to ports by default.
3 expectations are set up by other parsers. We use this for ftp-data, as the control channel "knows" the flow that will contain the ftp data channel

Actions

Also available in: Atom PDF