18. Protocols
18.1. App-Layer
18.1.1. HTTP
The HTTP protocol parser supports HTTP 0.9, 1.0 and 1.1.
18.1.1.1. Rule Keywords
HTTP rule keywords are documented in the rule guide HTTP Keywords.
In addition to these specific keywords, file transactions can be inspected with the File Keywords.
18.1.1.2. Transactions
Transactions in the HTTP implementation are bidirectional. A request and its response together form the transaction.
18.1.2. HTTP/2
HTTP/2 is generally encrypted on the wire, although it can be unencrypted, so this traffic will most likely only be seen after some form of TLS decryption.
18.1.2.1. Rule Keywords
HTTP rule keywords apply to HTTP/2 as well and are documented in the rule guide HTTP Keywords. HTTP/2 specific rule keywords are documented in the rule guide HTTP2 Keywords.
In addition to these specific keywords, file transactions can be inspected with the File Keywords.
18.1.3. TLS
TLS support includes SSLv2 and SSLv3.
18.1.3.1. Rule Keywords
TLS rule keywords are documented in the rule guide SSL/TLS Keywords.
In addition to these specific keywords, the traffic can be inspected with the JA3/JA4 Keywords.
18.1.3.2. Transactions
The TLS implementation uses a single bidirectional transaction for the entire TLS flow. It includes the TLS handshake and the handling of the encrypted portion of the traffic.
18.1.4. DNS
18.1.4.1. Rule Keywords
DNS rule keywords are documented in the rule guide DNS Keywords.
18.1.4.2. Transactions
Transactions in the DNS implementation are unidirectional. A DNS request will form a transaction, and a response will form its own transaction.
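The practical effect of the transaction model described for HTTP (bidirectional) and DNS (unidirectional), as an added example that is not part of the original documentation; the sids and the rule contents are placeholders, and it assumes current Suricata rule syntax:

```suricata
# Added example, not from the Suricata documentation. sids are placeholders.

# HTTP transactions are bidirectional: a request and its response form one
# transaction, so a single rule can combine a request-side sticky buffer
# (http.method) with a response-side one (http.stat_code).
alert http any any -> any any (msg:"EXAMPLE HTTP POST answered with status 500"; http.method; content:"POST"; http.stat_code; content:"500"; sid:9000001; rev:1;)

# DNS transactions are unidirectional: the query is one transaction and the
# response is a separate one. A DNS rule therefore inspects a single
# direction; this rule only ever sees the query transaction, and nothing from
# the answer is available to it.
alert dns any any -> any any (msg:"EXAMPLE DNS query for example.com"; dns.query; content:"example.com"; nocase; sid:9000002; rev:1;)
```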
18.1.5. SMB
SMB is a complex protocol with many dialects and capabilities. The parser supports SMBv1, SMBv2 and SMBv3.
18.1.5.1. Rule Keywords
SMB rule keywords are documented in the rule guide SMB Keywords.
In addition to these specific keywords, file transactions can be inspected with the File Keywords.
DCERPC over SMB traffic can be inspected using DCERPC Keywords.
18.1.5.2. Transactions
Transactions in the SMB implementation are bidirectional. There are different types:
generic request/response pairs
file transfer: this may include many write/read commands and their responses, including close commands
session setup, including several related commands and their responses
DCERPC over SMB: this may include several read/write commands that together form a DCERPC transaction with a single DCERPC request and its matching response
18.2. Further Reading
Description of transactional rules: Transactional rules.
More implementation details can be found in the App-Layer developer guide section.