Hi all, I hope this is simple but I couldn’t find a really exhaustive answer in the documentation. I’m using
to look for non-encrypted traffic on ports. I don’t seem to get any alerting if I use something like a lower-grade SSL version, for example SSLv3. So, is my assumption correct that the app-layer-protocol definition of “tls” is any encrypted traffic? Or is it specifically looking for TLS, so something like SSLv3 should generate an alert? In which case I guess I have something else wrong.
For reference, this is the complete rule I am testing:

```
alert tcp any any <> any 443 (msg:"TCP port 443 but not TLS"; flow:to_server,established; app-layer-protocol:!tls; sid:100; rev:1;)
```
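As an added illustration (not part of the original post and not Suricata's own code): a small Python classifier of the first client bytes on a connection, showing why SSLv3 and TLS 1.x look like the same protocol at the record layer, and why a negated "not tls" rule cannot by itself flag a legacy version. The function names and sample records are constructed for this example.

```python
import struct

# Record-layer version field -> human name. SSLv3 and every TLS version share
# the same 5-byte record header (type, major, minor, length), so a detector
# keyed on that header sees them as one protocol family.
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message type inside an SSLv2-style header

def classify_stream(data: bytes) -> dict:
    """Classify the first bytes a server receives on a connection.
    The ClientHello record version is a floor the client offers, not the
    negotiated version; the ServerHello decides that, so treat it as a hint."""
    if len(data) < 5:
        return {"protocol": "unknown", "version": None, "legacy": False}
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == HANDSHAKE and (major, minor) in RECORD_VERSIONS:
        # SSLv3 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated
        return {"protocol": "tls", "version": RECORD_VERSIONS[(major, minor)],
                "legacy": (major, minor) <= (3, 2)}
    # SSLv2-compatible ClientHello: 2-byte header with the high bit set,
    # followed by message type 1 (still a TLS-family handshake start)
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return {"protocol": "tls", "version": "SSLv2 ClientHello", "legacy": True}
    return {"protocol": "not-tls", "version": None, "legacy": False}

def should_alert_not_tls(data: bytes) -> bool:
    """Mirror an app-layer-protocol:!tls style condition: alert only once the
    bytes are positively classified as something other than TLS/SSL."""
    return classify_stream(data)["protocol"] == "not-tls"

# Constructed sample records (headers only; bodies are filler)
SAMPLE_SSLV3 = b"\x16\x03\x00\x00\x31" + b"\x01" + b"\x00" * 48   # SSLv3 ClientHello
SAMPLE_TLS12 = b"\x16\x03\x03\x00\x31" + b"\x01" + b"\x00" * 48   # TLS 1.2 ClientHello
SAMPLE_SSLV2 = b"\x80\x2e\x01\x03\x00" + b"\x00" * 44             # SSLv2-style hello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"     # plaintext on 443

if __name__ == "__main__":
    for name, sample in [("sslv3", SAMPLE_SSLV3), ("tls12", SAMPLE_TLS12),
                         ("sslv2", SAMPLE_SSLV2), ("http", SAMPLE_HTTP)]:
        print(name, classify_stream(sample), "alert_not_tls=", should_alert_not_tls(sample))
```

Both the SSLv3 and the TLS 1.2 samples classify as "tls", so a rule that only negates the protocol stays silent for SSLv3; flagging the legacy version needs a separate check on the version field.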