Hi all, I hope this is simple but I couldn’t find a really exhaustive answer in the documentation. I’m using
app-layer-protocol:!tls;
to look for non-encrypted traffic on ports. I don’t seem to get any alerting if I use something like a lower-grade SSL version, for example SSLv3. So, is my assumption correct that the app-layer-protocol definition of “tls” is any encrypted traffic? Or is it specifically looking for TLS, so that something like SSLv3 should generate an alert? In which case I guess I have something else wrong.
For reference this is the complete rule I am testing:
```
alert tcp any any <> any 443 (msg:"TCP port 443 but not TLS"; flow:to_server,established; app-layer-protocol:!tls; sid:100; rev:1;)
```
Thanks for the response. I want to detect anything traversing the port that is not encrypted; I want to be OK with any level of encryption (that conversation is for another time). So I just want to understand what the “!tls” qualifies. It’s a little vague in the documentation, and it seems from our testing that the rule as written matches all forms of TLS and SSL. I want to make sure I understand that this is correct, or whether I have some error somewhere else.
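To make the distinction in the thread concrete, here is an added example (not code from the original posts and not Suricata's own parser) of what an app-layer protocol detector has to look at to label a flow as "tls" or "not tls" from its first client bytes. The record-layer header is shared by SSLv3 and every TLS version (content type 0x16, major version 3), and an SSLv2-format client hello has its own two-byte length header, so a detector that recognises that family classifies SSLv3 as the same protocol as TLS 1.2. The `classify_first_bytes` and `rule_fires` functions and all sample payloads are constructed for illustration; `rule_fires` assumes the rule only matches once enough bytes have been seen to decide the flow is not SSL/TLS.

```python
# Simplified app-layer protocol detection for SSL/TLS (illustrative, not Suricata's code).
# It shows why an "app-layer-protocol:!tls" style rule stays quiet on SSLv3: the
# SSLv3 record header is the same shape as the TLS one, only the minor version differs.

# Record-layer version -> human label. TLS 1.3 also advertises 0x0303 on the record layer.
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE_CONTENT_TYPE = 0x16      # record content type for handshake messages
SSLV2_CLIENT_HELLO = 0x01          # SSLv2 message type for CLIENT-HELLO
# Versions an SSLv2-format client hello may carry (SSLv2 itself, or v3/TLS in v2 framing).
SSLV2_HELLO_VERSIONS = {b"\x00\x02", b"\x03\x00", b"\x03\x01"}


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sends: 'tls:<version>', 'tls:SSLv2', 'not-tls' or 'unknown'."""
    if len(data) < 5:
        return "unknown"  # not enough data to decide either way

    # SSLv3/TLS record header: type(1) major(1) minor(1) length(2)
    if data[0] == HANDSHAKE_CONTENT_TYPE and data[1] == 3 and (3, data[2]) in RECORD_VERSIONS:
        return "tls:" + RECORD_VERSIONS[(3, data[2])]

    # SSLv2 client hello: 2-byte header with the high bit set, then message type and version
    if data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO and data[3:5] in SSLV2_HELLO_VERSIONS:
        return "tls:SSLv2"

    return "not-tls"


def rule_fires(data: bytes) -> bool:
    """Assumed semantics of a 'not tls' rule: fire only once the flow is positively not SSL/TLS."""
    return classify_first_bytes(data) == "not-tls"


# --- constructed sample payloads (first client bytes of a connection) ---
# SSLv3 ClientHello: record version 0x0300, handshake type 0x01, 32 zero bytes as "random".
SSLV3_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2D, 0x03, 0x00]) + bytes(32)
# TLS 1.2 ClientHello: same shape, record version 0x0303.
TLS12_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2D, 0x03, 0x03]) + bytes(32)
# SSLv2-format CLIENT-HELLO: length header 0x802E, type 0x01, version 0x0002.
SSLV2_HELLO = bytes([0x80, 0x2E, 0x01, 0x00, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10]) + bytes(35)
# Plaintext protocols that happen to be sent to port 443.
HTTP_PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"


def summarize() -> dict:
    """Return the classification and rule outcome for every sample, for inspection."""
    samples = {
        "sslv3": SSLV3_HELLO,
        "tls12": TLS12_HELLO,
        "sslv2": SSLV2_HELLO,
        "http": HTTP_PLAIN,
        "ssh": SSH_BANNER,
    }
    return {name: (classify_first_bytes(p), rule_fires(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (label, fired) in summarize().items():
        print(f"{name:6s} -> {label:12s} rule fires: {fired}")
```

Running it shows SSLv3, TLS 1.2 and SSLv2 all landing in the "tls" family, while the HTTP request and SSH banner are the only inputs the "not tls" rule would fire on. That matches what the posts observed: the negated `tls` match distinguishes SSL/TLS from plaintext, not weak SSL/TLS versions from strong ones, so policing protocol versions needs a separate check on the negotiated version rather than this rule.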