Hello,
I’m fairly new to Suricata and I’m trying to run some basic tests.
I currently have several TCP/UDP rules that work as expected. However, when I use an application-layer protocol in a rule, it never fires.
For example, this rule works correctly:
alert tcp any any -> any 22 (msg:"This is a tcp test";sid:1001002;rev:1;)
But this one does not:
alert ssh any any -> any 22 (msg:"This is an ssh test";sid:1001003;rev:1;)
Does anyone have an idea what might be causing this? Let me know if you need additional information.
FYI:
- Suricata version: 8.0.2
- Installed via package manager
- OS: Debian 13
Also, when I do: suricata --dump-config | grep ssh
I get:
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
Not sure if this helps, but it may be relevant.
Also, these rules never trigger in IDS mode but do trigger when used manually on a pcap:
suricata -r pcap_output.pcap (pcap of an SSH connection) will trigger the rule
Also, the traffic arriving at the Suricata server was mirrored via a network TAP before reaching the server.
Do you see SSH events in your logs?
alert tcp any any -> any 22 (msg:"This is a tcp test";sid:1001002;rev:1;)
This will trigger for a SYN packet.
alert ssh any any -> any 22 (msg:"This is an ssh test";sid:1001003;rev:1;)
This will trigger only after the 3-way handshake, if we have the SSH banner.
Hello everyone,
I’ve made some progress and partially solved the issue! It came down to two main things:
- Hardware: One of the cables from my TAP was accidentally plugged into a TX port on the Suricata server instead of an RX port.
- Configuration: The livedev option was set to use-for-tracking: true. Since I'm monitoring multiple devices, I disabled it.
Current status: I’m still seeing an issue where application layer alerts (FTP, SSH, etc.) only trigger sometimes.
After checking my stats.log, I noticed a high count of tcp.pkt_on_wrong_thread.
Do you have an idea of what the root cause could be?
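As an added example (not part of this thread), a small Python script that parses a stats.log block and flags the two counters that matter for the symptom described above: the share of packets landing on the wrong thread, and whether any SSH flows were recognised at all. The stats.log excerpt is constructed; the counter names are Suricata's, the 1% threshold is an assumption.

```python
"""Parse a Suricata stats.log block and explain why app-layer rules may fire only sometimes.

Added example for this thread. The excerpt below is constructed; the counter
names (decoder.pkts, tcp.pkt_on_wrong_thread, app_layer.flow.ssh) are real
Suricata counters, the threshold is an assumed value.
"""
import re

# Constructed stats.log excerpt in Suricata's "Counter | TM Name | Value" layout.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 120000
decoder.pkts                               | Total                     | 120000
tcp.syn                                    | Total                     | 900
tcp.sessions                               | Total                     | 850
tcp.pkt_on_wrong_thread                    | Total                     | 41000
app_layer.flow.ssh                         | Total                     | 12
"""

# One counter row: name, thread-module name, integer value. Header and rule lines do not match.
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter_name: value} for the 'Total' rows of a stats.log block."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def wrong_thread_ratio(counters):
    """Fraction of decoded packets that reached a thread other than their flow's owner."""
    total = counters.get("decoder.pkts", 0)
    return counters.get("tcp.pkt_on_wrong_thread", 0) / total if total else 0.0


def diagnose(counters, threshold=0.01):
    """Return human-readable findings; an empty list means nothing suspicious (assumed threshold)."""
    findings = []
    ratio = wrong_thread_ratio(counters)
    if ratio > threshold:
        findings.append(f"{ratio:.1%} of packets on wrong thread: flows are split across workers, "
                        "so stream reassembly and app-layer parsing can miss the SSH banner")
    if counters.get("app_layer.flow.ssh", 0) == 0:
        findings.append("no SSH flows recognised: 'alert ssh' rules cannot match without the banner")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_stats(SAMPLE_STATS_LOG)):
        print(finding)
```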