Ssh and http protocol rule not work

Please include the following information with your help request:

  • Suricata version Suricata version 7.0.4 RELEASE
  • Operating system and/or Linux distribution Ubuntu20.04(Linux devbox 5.15.0-101-generic #111~20.04.1-Ubuntu SMP Mon Mar 11 15:44:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
  • How you installed Suricata (from source, packages, something else) install with apt

Hi, I deploy suricata on my multi NIC machine: enp1s0 for control, enp2s0 and enp4s0 is ips interface.

I found that app-layer.protocol rule not work such as http and ssh.

When I configure rule like this, I can not get alert in fast.log

alert http any any → any any (msg: “http >>>”; sid:1000002;)
alert ssh any any → any any (msg: “SSH Login SSH”; sid:1000003;)

If I configure rule like this, I can get alert in fast.log
alert tcp any any → any 22 (msg: “SSH Login TCP”; sid:1000005;)

My suricata.yaml is

I found this topic, but it not work for me:

Any ideas for this issue? thanks :cold_sweat:

I have a question that suricata running as IPS at Layer 2, can it app-layer analysis?

Can you provide a pcap? In general it should work, so must be something specific to your network traffic.

log.pcap.1714201599.pcap (128.7 KB)

Sure Herz, Here is My pcap file, thank you. I paste my config file here also.

suricata.yaml (77.7 KB)