Bug #4921 (closed)
detect/app-layer-protocol: unexpected results when one direction state "failed"
Description
When a flow has alproto: http, but alproto_ts: failed, then app-layer-protocol:http; or app-layer-protocol:!http; does not consider the "final" protocol, but instead only alproto_ts.
This behavior isn't necessarily wrong, but there also needs to be a way to only consider the final protocol in this matching. Otherwise there is no reliable way to do something like:
alert tcp any any -> any 80 (msg:"non-HTTP traffic over HTTP standard port"; flow:to_server; app-layer-protocol:!http; sid:1;)
Test case in https://github.com/OISF/suricata-verify/pull/615
I'm not entirely sure how to address this. Maybe we need to allow for an additional keyword parameter, e.g. something like:
app-layer-protocol:http,toserver; -> check alproto_ts
app-layer-protocol:http,final; -> check alproto
app-layer-protocol:http,both; -> check alproto_ts and alproto_tc
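To make the mismatch concrete, here is a small Python model (added here; not Suricata's code) of the keyword semantics this report describes: without a mode the keyword checks the protocol of the packet's direction, while the proposed toserver/final/both modes are the hypothetical extension sketched above. The negation semantics for "both" and the Flow/parse_option/keyword_matches names are assumptions of this model.

```python
# Constructed model of the app-layer-protocol keyword semantics discussed
# in this bug (not Suricata's code). The mode after the protocol is the
# hypothetical extension proposed in the report.
from dataclasses import dataclass

FAILED = "failed"  # a direction whose protocol detection gave up


@dataclass(frozen=True)
class Flow:
    alproto: str     # the flow's "final" protocol
    alproto_ts: str  # protocol detected on the to-server side
    alproto_tc: str  # protocol detected on the to-client side


def parse_option(option: str):
    """Parse 'app-layer-protocol:[!]proto[,mode];' into (proto, negated, mode).

    mode is None (today's behaviour: use the packet's direction) or one of
    the proposed 'toserver', 'toclient', 'final', 'both'."""
    key, _, value = option.strip().rstrip(";").partition(":")
    if key.strip() != "app-layer-protocol":
        raise ValueError(f"not an app-layer-protocol option: {option!r}")
    value = value.strip()
    negated = value.startswith("!")
    proto, _, mode = value.lstrip("!").partition(",")
    mode = mode.strip() or None
    if mode not in (None, "toserver", "toclient", "final", "both"):
        raise ValueError(f"unknown mode: {mode!r}")
    return proto.strip(), negated, mode


def keyword_matches(option: str, flow: Flow, pkt_dir: str) -> bool:
    """Evaluate the keyword for a packet going pkt_dir ('toserver' or
    'toclient'). A positive match means the checked protocol(s) equal proto;
    '!' inverts that result (assumed semantics for 'both')."""
    proto, negated, mode = parse_option(option)
    mode = mode or pkt_dir  # current behaviour: the packet's own direction
    if mode == "toserver":
        hit = flow.alproto_ts == proto
    elif mode == "toclient":
        hit = flow.alproto_tc == proto
    elif mode == "final":
        hit = flow.alproto == proto
    else:  # both
        hit = flow.alproto_ts == proto and flow.alproto_tc == proto
    return hit != negated


# The flow from the report: final protocol http, to-server detection failed.
BUG_FLOW = Flow(alproto="http", alproto_ts=FAILED, alproto_tc="http")
```

With BUG_FLOW and a to-server packet, `app-layer-protocol:!http;` matches today (the false "non-HTTP" alert from the rule above), while `app-layer-protocol:!http,final;` does not.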