Hello,
I am using suricata version 7.0.3.
I am working on testing two simple rules from Protocol Anomalies Detection - Suricata - Open Information Security Foundation, namely:

```
alert tcp any any -> any !22 (msg:"SURICATA SSH but not tcp port 22"; flow:to_server; app-layer-protocol:ssh; sid:2271008; rev:1;)
alert tcp any any -> any 22 (msg:"SURICATA TCP port 22 but not SSH"; flow:to_server; app-layer-protocol:!ssh; sid:2271009; rev:1;)
```
HOME_NET for the Suricata installation is a single VM. So in order to test the first rule, I open PuTTY, change the port from 22 to 2222 and try to connect. I never get an alert.
If I use tcpdump with the command `tcpdump -i eth0 port 2222`, I see the following and nothing else:

```
01:24:57.798135 IP <my_machine_ip>.63809 > <Suricata_vm_ip>/IP-1: Flags [S], seq 768345230, win 65520, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
01:24:58.809548 IP <my_machine_ip>.63809 > <Suricata_vm_ip>/IP-1: Flags [S], seq 768345230, win 65520, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
01:25:00.811412 IP <my_machine_ip>.63809 > <Suricata_vm_ip>/IP-1: Flags [S], seq 768345230, win 65520, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
01:25:04.813173 IP <my_machine_ip>.63809 > <Suricata_vm_ip>/IP-1: Flags [S], seq 768345230, win 65520, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
01:25:12.825234 IP <my_machine_ip>.63809 > <Suricata_vm_ip>/IP-1: Flags [S], seq 768345230, win 65520, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
```
In this particular scenario, if communication does not proceed beyond SYN packet, how do I test the first rule?
Thanks in advance,
-Neel.
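An added example, not part of this thread: `app-layer-protocol` only matches once Suricata's protocol detection has seen payload on an established flow, so a flow that never gets past SYN cannot fire sid 2271008. The script below builds a pcap containing a complete TCP handshake followed by an SSH version banner in each direction on port 2222, which can be replayed with `suricata -r` to exercise the rule offline; the IP addresses, MACs, ports, sequence numbers and banner text are all constructed sample values.

```python
import socket
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08

def csum(data: bytes) -> int:  # RFC 1071 ones'-complement sum, odd length zero-padded
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_hdr(src: str, dst: str, seg_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):  # Ethernet/IPv4/TCP frame
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo_hdr(src, dst, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]  # valid checksums: Suricata validates them
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # constructed MACs
    return eth + ip + tcp

def checksums_ok(pkt: bytes) -> bool:  # a correct header checksums to zero
    ip, tcp = pkt[14:34], pkt[34:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return csum(ip) == 0 and csum(pseudo_hdr(src, dst, len(tcp)) + tcp) == 0

def ssh_session(client: str, server: str, port: int) -> list:  # handshake, then a banner each way
    cseq, sseq, cport = 1000, 2000, 40000
    cb = sb = b"SSH-2.0-OpenSSH_9.6\r\n"  # sample banner, not captured traffic
    return [
        tcp_packet(client, server, cport, port, cseq, 0, SYN),
        tcp_packet(server, client, port, cport, sseq, cseq + 1, SYN | ACK),
        tcp_packet(client, server, cport, port, cseq + 1, sseq + 1, ACK),
        tcp_packet(client, server, cport, port, cseq + 1, sseq + 1, PSH | ACK, cb),
        tcp_packet(server, client, port, cport, sseq + 1, cseq + 1 + len(cb), PSH | ACK, sb),
        tcp_packet(client, server, cport, port, cseq + 1 + len(cb), sseq + 1 + len(sb), ACK),
    ]

def write_pcap(path: str, pkts: list) -> int:
    with open(path, "wb") as f:  # classic pcap header: magic, v2.4, tz 0, snaplen, linktype 1 (Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, p in enumerate(pkts):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p)
    return len(pkts)

if __name__ == "__main__":
    write_pcap("ssh-2222.pcap", ssh_session("192.0.2.10", "192.0.2.20", 2222))
```

With the two rules saved in a file, `suricata -r ssh-2222.pcap -S rules.txt -l out/` should produce a sid 2271008 alert in out/fast.log; a pcap holding only the SYNs from the capture above will not.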