SSH and HTTP protocol rules not working

Please include the following information with your help request:

  • Suricata version: 7.0.4 RELEASE
  • Operating system and/or Linux distribution: Ubuntu 20.04 (Linux devbox 5.15.0-101-generic #111~20.04.1-Ubuntu SMP Mon Mar 11 15:44:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
  • How you installed Suricata (from source, packages, something else): installed with apt

Hi, I deployed Suricata on my multi-NIC machine: enp1s0 is the control interface, enp2s0 and enp4s0 are the IPS interfaces.

I found that app-layer protocol rules such as http and ssh do not work.

When I configure rules like this, I do not get any alert in fast.log:

alert http any any -> any any (msg:"http >>>"; sid:1000002;)
alert ssh any any -> any any (msg:"SSH Login SSH"; sid:1000003;)

If I configure a rule like this, I do get an alert in fast.log:
alert tcp any any -> any 22 (msg:"SSH Login TCP"; sid:1000005;)

My suricata.yaml is https://paste.ubuntu.com/p/PXKf8t5DK2/

I found this topic, but it does not work for me: https://forum.suricata.io/t/ssh-rule-not-working/3293/14

Any ideas on this issue? Thanks :cold_sweat:

I also have a question: when Suricata runs as an IPS at Layer 2, can it do app-layer analysis?
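An added triage example for the symptom described in this post (a port-based tcp rule fires but the ssh/http rule on the same traffic does not); it is not part of the original thread and not Suricata's own code. It reads Suricata's eve.json, which is assumed to have the default "flow" and "alert" event types enabled, and reports per flow which app_proto Suricata assigned and which sids fired. The eve lines below are constructed to mirror the symptom: on flow 1001 the port-22 rule (sid 1000005) fires but app_proto is "failed" and no client-bound packets were seen, so the ssh rule (sid 1000003) can never match; on flow 1002 both directions are present, app_proto is "ssh", and both rules fire. If the real eve.json shows the first pattern, the problem is in the traffic path (Suricata is not seeing a full, two-directional flow), not in the rule syntax.

```python
"""Summarise Suricata app-layer protocol detection per flow from eve.json.

Added example, not code from the thread or from Suricata. Assumes eve.json
logging with the default "flow" and "alert" event types. Field names used
(flow_id, event_type, app_proto, alert.signature_id, flow.pkts_toserver,
flow.pkts_toclient) are standard eve fields; the sample lines are constructed.
"""
import json
import sys
from collections import defaultdict

# Constructed sample eve.json lines (not real captured output).
SAMPLE_EVE = """\
{"timestamp":"2024-04-27T07:06:39.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"signature_id":1000005,"signature":"SSH Login TCP"}}
{"timestamp":"2024-04-27T07:06:45.000000+0000","flow_id":1001,"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","app_proto":"failed","flow":{"pkts_toserver":6,"pkts_toclient":0}}
{"timestamp":"2024-04-27T07:07:01.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","app_proto":"ssh","alert":{"signature_id":1000003,"signature":"SSH Login SSH"}}
{"timestamp":"2024-04-27T07:07:01.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","app_proto":"ssh","alert":{"signature_id":1000005,"signature":"SSH Login TCP"}}
{"timestamp":"2024-04-27T07:07:20.000000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","app_proto":"ssh","flow":{"pkts_toserver":20,"pkts_toclient":18}}
"""


def summarise_flows(eve_lines):
    """Return {flow_id: {app_proto, sids, pkts_toserver, pkts_toclient, dest_port}}."""
    flows = defaultdict(lambda: {"app_proto": None, "sids": set(),
                                 "pkts_toserver": 0, "pkts_toclient": 0,
                                 "dest_port": None})
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        f = flows[ev["flow_id"]]
        f["dest_port"] = ev.get("dest_port")
        # app_proto appears on alert and flow events once detection has run;
        # "failed" means Suricata gave up trying to classify the flow.
        if ev.get("app_proto"):
            f["app_proto"] = ev["app_proto"]
        if ev["event_type"] == "alert":
            f["sids"].add(ev["alert"]["signature_id"])
        elif ev["event_type"] == "flow":
            f["pkts_toserver"] = ev["flow"].get("pkts_toserver", 0)
            f["pkts_toclient"] = ev["flow"].get("pkts_toclient", 0)
    return dict(flows)


def diagnose(flows):
    """Map flow_id -> why an app-layer keyword rule could or could not fire."""
    out = {}
    for fid, f in flows.items():
        if f["app_proto"] not in (None, "failed", "unknown"):
            out[fid] = "app_layer_ok"   # protocol recognised; http/ssh rules can match
        elif f["pkts_toserver"] == 0 or f["pkts_toclient"] == 0:
            out[fid] = "one_sided"      # Suricata saw only one direction of the flow
        else:
            out[fid] = "no_app_proto"   # both directions seen, protocol still not recognised
    return out


def report(eve_lines):
    """Print one line per flow; returns the diagnosis dict for reuse."""
    flows = summarise_flows(eve_lines)
    verdict = diagnose(flows)
    for fid, f in sorted(flows.items()):
        print(f"flow {fid} dport={f['dest_port']} app_proto={f['app_proto']} "
              f"to_srv={f['pkts_toserver']} to_cli={f['pkts_toclient']} "
              f"sids={sorted(f['sids'])} -> {verdict[fid]}")
    return verdict


if __name__ == "__main__":
    # Usage: python3 eve_app_proto.py /var/log/suricata/eve.json (path is an example)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh)
    else:
        report(SAMPLE_EVE.splitlines())
```

The same script works on the output of an offline run such as `suricata -r log.pcap -l /tmp/out`, which is a quick way to separate "the rule is wrong" from "the IPS interfaces are not delivering both directions of the flow to Suricata": if the offline run against the pcap classifies the flow as ssh and the ssh rule fires, the rule is fine and the live capture path is what to look at.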

Can you provide a pcap? In general it should work, so it must be something specific to your network traffic.

log.pcap.1714201599.pcap (128.7 KB)

Sure Herz, here is my pcap file, thank you. I am pasting my config file here as well.

suricata.yaml (77.7 KB)