Documentation #6022
opendevguide: explain how the engine identifies applayer protocols
Description
Important/interesting questions to answer:
- How does Suricata determine application layer protocols (e.g. HTTP, HTTPS, TLS, etc.)?
- Does every Suricata-supported protocol try to parse the packet? And if so, what happens when 2 protocols are parsed successfully?
Initial explanation:
There are 3 levels of detection:
1) PM (pattern matching)
2) PP (probing parser)
3) PE (expectation based)
Explanation:
1 is preferred: it is a clear pattern in an expected place, e.g. "GET|20|" as the first 4 bytes means HTTP.
2 is running a dedicated parser on traffic to see what it thinks. Does this look like DNS? If so, we consider it DNS. We lock these to ports by default.
3: expectations are set up by other parsers. We use this for ftp-data, as the control channel "knows" the flow that will contain the ftp data channel.
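As an added illustration (not Suricata's code, and a deliberate simplification), a toy model of the three levels above: the pattern table, the DNS header check and the strict PM-then-PP-then-PE ordering are assumptions, and the sample payloads are constructed inline.

```python
"""Toy model of the three app-layer detection levels (PM, PP, PE).
Added illustration, NOT Suricata's code: the patterns, the DNS sanity
check and the "first level that matches wins" order are assumptions."""

# Level 1, PM: a fixed byte pattern at a fixed offset. "GET|20|" in Suricata
# rule notation is "GET" followed by hex 0x20 (a space), i.e. b"GET ".
PM_PATTERNS = [
    ("http", 0, b"GET "),
    ("http", 0, b"POST "),
    ("tls", 0, b"\x16\x03"),  # TLS handshake record start (model assumption)
]

# Level 2, PP: a probing parser inspects the payload; locked to a port.
def probe_dns(payload: bytes) -> bool:
    """Minimal DNS header sanity check (constructed heuristic, not Suricata's)."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    opcode = (flags >> 11) & 0xF
    return opcode == 0 and qdcount >= 1

PP_PROBERS = {53: ("dns", probe_dns)}  # port lock: only probe DNS on port 53

# Level 3, PE: expectations another parser registered, keyed on the expected
# data channel's destination (the FTP control parser announcing ftp-data).
expectations = {}

def expect(proto: str, dst_ip: str, dst_port: int) -> None:
    expectations[(dst_ip, dst_port)] = proto

def detect(dst_ip: str, dst_port: int, payload: bytes):
    """Return (protocol, level) for a flow's first payload: PM, then PP, then PE."""
    for proto, offset, pattern in PM_PATTERNS:
        if payload[offset:offset + len(pattern)] == pattern:
            return proto, "PM"
    prober = PP_PROBERS.get(dst_port)
    if prober is not None and prober[1](payload):
        return prober[0], "PP"
    expected = expectations.pop((dst_ip, dst_port), None)  # one-shot expectation
    if expected is not None:
        return expected, "PE"
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample payloads.
    dns_query = bytes.fromhex("123401000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    print(detect("10.0.0.1", 80, b"GET / HTTP/1.1\r\n"))  # ('http', 'PM')
    print(detect("10.0.0.1", 53, dns_query))              # ('dns', 'PP')
    expect("ftp-data", "10.0.0.5", 20345)                  # registered by the control parser
    print(detect("10.0.0.5", 20345, b"\x89PNG"))           # ('ftp-data', 'PE')
```

Because PM runs first, a payload starting with "GET " on port 53 is still classified as HTTP in this model, which is the sense in which level 1 "is preferred".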