SSH and HTTP protocol rules not working

Please include the following information with your help request:

  • Suricata version: 7.0.4 RELEASE
  • Operating system and/or Linux distribution: Ubuntu 20.04 (Linux devbox 5.15.0-101-generic #111~20.04.1-Ubuntu SMP Mon Mar 11 15:44:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
  • How you installed Suricata (from source, packages, something else): installed with apt

Hi, I deploy Suricata on my multi-NIC machine: enp1s0 is for control, enp2s0 and enp4s0 are the IPS interfaces.

I found that app-layer protocol rules such as http and ssh do not work.

When I configure rules like this, I cannot get an alert in fast.log:

alert http any any -> any any (msg:"http >>>"; sid:1000002;)
alert ssh any any -> any any (msg:"SSH Login SSH"; sid:1000003;)

If I configure a rule like this, I can get an alert in fast.log:
alert tcp any any -> any 22 (msg:"SSH Login TCP"; sid:1000005;)

My suricata.yaml is at https://paste.ubuntu.com/p/PXKf8t5DK2/

I found this topic, but it does not work for me: https://forum.suricata.io/t/ssh-rule-not-working/3293/14

Any ideas for this issue? Thanks :cold_sweat:

I also have a question: when Suricata runs as an IPS at Layer 2, can it do app-layer analysis?

Can you provide a pcap? In general it should work, so it must be something specific to your network traffic.

log.pcap.1714201599.pcap (128.7 KB)

Sure Herz, here is my pcap file, thank you. I have pasted my config file here as well.

suricata.yaml (77.7 KB)

I ran your pcap against Suricata 7.0.6 with basic settings and both SSH signatures match; the HTTP one doesn't match since there is no HTTP traffic inside (AFAIK).

Could you do a test run with the pcap using the -r option and check if you see alerts?

How do you run Suricata? Please post the run command and also the suricata.log.
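The offline test run asked for above, written out as an added example (this is not the poster's or the Suricata project's code). It loads only the three rules from the thread with -S, replays the pcap with -r, and then checks two things separately: whether each sid alerted in fast.log, and whether the app-layer parsers actually ran, which shows up as "ssh"/"http" records in eve.json. That separation matters for this thread: a tcp port rule matches on individual packets, while http/ssh rules need the stream engine to hand reassembled data to the app-layer parser. If the tcp rule alerts but both the ssh rule and the ssh events are absent, the traffic never reached the parser (for example because packets with bad checksums from an offloading NIC were discarded before reassembly, which is why -k none is passed here), and that is a different problem from a wrong rule. Assumptions: Suricata 7.x is on PATH with its default suricata.yaml, the pcap path is given as the first argument, and the rules file and log directory are created in a temporary directory.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Suricata.
# Assumes: suricata 7.x on PATH using its default config; $1 is the pcap to replay.
set -e

# Write the three rules from the thread to the file named in $1.
write_rules() {
  cat > "$1" <<'EOF'
alert http any any -> any any (msg:"http >>>"; sid:1000002; rev:1;)
alert ssh any any -> any any (msg:"SSH Login SSH"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"SSH Login TCP"; sid:1000005; rev:1;)
EOF
}

# Count alerts for one sid in a fast.log file ($1 = file, $2 = sid).
# fast.log lines carry the rule id as "[gid:sid:rev]", e.g. "[1:1000003:1]".
# grep -c exits 1 when the count is 0, so the "|| true" keeps set -e quiet.
count_sid() {
  grep -c "\[1:$2:" "$1" || true
}

# Count eve.json records of one event_type ($1 = file, $2 = type, e.g. ssh).
# An "ssh" or "http" record proves the app-layer parser saw the flow, even if
# no rule alerted on it.
count_events() {
  grep -c "\"event_type\":\"$2\"" "$1" || true
}

# Replay the pcap offline with only the test rules loaded.
#   -r  read from pcap instead of a live interface
#   -S  load exclusively this rules file (ignores rule-files in suricata.yaml)
#   -l  log directory for fast.log / eve.json
#   -k none  disable checksum validation so packets from a NIC with checksum
#            offload are not dropped before stream reassembly
run_offline() {
  pcap="$1"
  dir="$(mktemp -d)"
  write_rules "$dir/test.rules"
  suricata -r "$pcap" -S "$dir/test.rules" -l "$dir" -k none >/dev/null
  for sid in 1000002 1000003 1000005; do
    echo "sid $sid alerts: $(count_sid "$dir/fast.log" "$sid")"
  done
  for ev in ssh http; do
    echo "app-layer $ev events: $(count_events "$dir/eve.json" "$ev")"
  done
  echo "logs in $dir (see suricata.log there for parser/stream warnings)"
}

# Usage: sh check_rules.sh log.pcap.1714201599.pcap
if [ -n "${1:-}" ]; then
  run_offline "$1"
fi
```

If the ssh rule stays silent in the offline run as well, compare stats.log for the run (the app_layer and tcp stream counters) with the live run; if it alerts offline but not on the live IPS path, the difference is in the capture path rather than the rule, and the live suricata.log requested above is the place to look.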