Alarm for HTTPS Protocol Mismatch

This rule returns true and alarms if an application other than HTTPS is detected on port 443.

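--- Alarm when the application seen on destination port 443 is not HTTPS.
--
-- Only flows for which IsFinalShortFlow() is truthy are evaluated; anything
-- else returns false immediately. Port 443 is commonly allowed outbound, so a
-- different protocol carried over it can slip past port-based filtering,
-- which is why the mismatch is surfaced as an alarm.
--
-- @param dpiMsg     flow message handed in by the rule engine
-- @param ruleEngine rule engine handle, forwarded to TriggerUserAlarm
-- @return true when a 'medium' user alarm was triggered, false otherwise
function Flow_AlarmForHTTPSProtocolMismatch(dpiMsg, ruleEngine)
  -- presumably provides EZINFO / EZWARNING; confirm against the platform docs
  require 'LOG'

  if not IsFinalShortFlow(dpiMsg) then
    return false
  end
  EZINFO('final flow')

  local port_dst = GetInt(dpiMsg, 'internal', 'destport')
  if port_dst ~= 443 then
    return false
  end
  EZINFO('443')

  local my_application = GetLatestApplication(dpiMsg)
  -- tostring() keeps the log calls from raising "attempt to concatenate a nil
  -- value" when no application was returned; without it the rule would abort
  -- before reaching the alarm for exactly the traffic it could not classify.
  local app_label = tostring(my_application)
  EZINFO('Application ' .. app_label)

  -- NOTE(review): exact, case-sensitive comparison. A nil or differently
  -- spelled application name counts as a mismatch; confirm the value the
  -- classifier reports for HTTPS before relying on this in production.
  if my_application == 'https' then
    return false
  end

  EZWARNING("Protocol Mismatch -" .. app_label .. ' on 443')
  TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
  -- The rule's description says it returns true when it alarms; the previous
  -- body fell off the end and returned nil on this path.
  return true
end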