Detecting https-tunneled ssh traffic

Hello Suricata community,

I am trying to write a rule that detects ssh traffic that is tunneled in https traffic with the program stunnel. I’ve found out that the datalength that is sent from the ssh-client to the ssh-server is always the same in every transmitted https-packet, so I will count the occurrences of https packets within a certain time-window having that certain datalength using the dsize attribute.

My problem is that Suricata does not recognize this tls traffic at all. For testing purposes I’ve written the generic rule:

alert tls any any -> any any (msg:"tls traffic detected"; sid:10000011;)

Connections to public https-capable websites are being detected. But the tunneled ssh traffic is not recognized. I’ve checked the Wireshark output of the ssh-server and the ssh communication is indeed tunneled in https-packets, but no alerts are raised. Does anybody know why this rule fails in my situation? I use Suricata in pfSense.

Thank you!

Now it works. I don’t know what the issue was. But now I have the problem that the dsize attribute does not match the packets. I tried to use the length value that Wireshark shows me.
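The counting approach described in the first post, written out as a Suricata rule. This is an added example, not a rule from the thread or from the Suricata project: the payload size (dsize:96), the count/seconds values and the sid are constructed placeholders, and the home/external network variables are assumed to be defined in suricata.yaml. Note that dsize matches the TCP payload length of a single packet (the tcp.len field in Wireshark), not the frame "Length" column, which includes the Ethernet, IP and TCP headers; and because dsize is a packet-level keyword it does not match on stream-reassembled data.

```suricata
# Added example rule (not from the thread): flag a client that sends many
# same-sized TLS records to port 443 in a short window, which is the
# pattern described for an SSH session wrapped by stunnel.
#
# dsize:96 is a CONSTRUCTED placeholder. Replace it with the observed
# TCP payload length (Wireshark: tcp.len), NOT the frame "Length" column.
# Example for a 1514-byte Ethernet frame with 20-byte IP and 32-byte TCP
# (options) headers: 1514 - 14 - 20 - 32 = 1448 bytes of payload.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"POLICY Possible SSH tunneled over TLS (stunnel) - repeated fixed-size TLS records"; \
    flow:established,to_server; \
    dsize:96; \
    threshold:type threshold, track by_src, count 20, seconds 60; \
    classtype:policy-violation; \
    sid:10000012; rev:1; )
```

The threshold keyword raises one alert per 20 matching packets from the same source within 60 seconds, so a single fixed-size record from an ordinary HTTPS session does not fire; tune count and seconds against a baseline capture, and test the rule offline against a pcap with suricata -r before deploying it in pfSense.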

Do you have a pcap for that?
You could try to run it on a dedicated system with -r to exclude any issue with the pfsense configuration.

I have the same issue of ‘dsize’.

from suricata guide,