Hello Suricata community,
I am trying to write a rule that detects SSH traffic that is tunneled in HTTPS traffic with the program stunnel. I've found out that the data length that is sent from the SSH client to the SSH server is always the same in every transmitted HTTPS packet, so I will count the occurrences of HTTPS packets within a certain time window having that data length using the dsize attribute.
My problem is that Suricata does not recognize this TLS traffic at all. For testing purposes I've written the generic rule:
alert tls any any -> any any (msg:"tls traffic detected"; sid:10000011;)
Connections to public HTTPS-capable websites are being detected, but the tunneled SSH traffic is not recognized. I've checked the Wireshark output of the SSH server and the SSH communication is indeed tunneled in HTTPS packets, but no alerts are raised. Does anybody know why this rule fails in my situation? I use Suricata in pfSense.
Thank you!
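The counting approach described in the post, written out as a Suricata rule. This is an added example, not a rule from the original post or from the Suricata project: the dsize value of 64, the stunnel port 443, the thresholds and the sid are placeholders and must be replaced with the values measured in Wireshark and chosen for the deployment.

```suricata
# Added example (not from the original post). PLACEHOLDERS: dsize 64 is the
# constant TCP payload length observed per tunneled SSH packet (measure it in
# Wireshark; it is the TLS record size on the wire, not the SSH payload size),
# 443 is the stunnel listening port, count/seconds set how many identical-size
# packets from one client within the window trigger a single alert.
alert tcp any any -> any 443 (msg:"Possible SSH tunneled over TLS - repeated fixed-size client records"; flow:established,to_server; dsize:64; threshold:type threshold, track by_src, count 20, seconds 10; classtype:policy-violation; sid:10000012; rev:1;)
```

The rule uses the `tcp` protocol keyword rather than `tls`, so the match does not depend on Suricata's application-layer protocol detection having classified the flow as TLS; `flow:established,to_server` restricts it to client-to-server packets of an established session, which is the direction whose payload length the post found to be constant. `dsize` is evaluated per packet against the TCP payload length, so the threshold counts packets of exactly that size from one source address and fires once per `count` matches inside the `seconds` window; `detection_filter` can be used instead if an alert on every match beyond the count is wanted.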