6.29. Generic App Layer Keywords¶
Match on the detected app-layer protocol.
app-layer-protocol:ssh; app-layer-protocol:!tls; app-layer-protocol:failed;
A special value ‘failed’ can be used for matching on flows in which protocol detection failed. This can happen if Suricata doesn’t know the protocol or when certain ‘bail out’ conditions happen.
184.108.40.206. Bail out conditions¶
Protocol detection gives up in several cases:
- both sides are inspected and no match was found
- side A detection failed, side B has no traffic at all (e.g. FTP data channel)
- side A detection failed, side B has so little data detection is inconclusive
In these last 2 cases the
Match on events generated by the App Layer Parsers and the protocol detection engine.
220.127.116.11. Protocol Detection¶
The toserver and toclient directions have different protocols. For example a client talking HTTP to a SSH server.
Some protocol implementations in Suricata have a requirement with regards to the first data direction. The HTTP parser is an example of this.
Protocol detection only succeeded in one direction. For FTP and SMTP this is expected.