Problems with Snort rule option Metadata


I've encountered strange behavior of Snort IDS in TCP packet content filtering.

Using the rule option 'metadata', I try to distinguish protocols such as SSH, FTP, IMAP, HTTP and HTTP2 with the following rules:

alert tcp any any -> any any (msg:"Audit SSH"; metadata: service ssh; priority:128; sid:1000001;)
alert tcp any any -> any any (msg:"Audit FTP"; metadata: service ftp; priority:128; sid:1000002;)
alert tcp any any -> any any (msg:"Audit IMAP"; metadata: service imap; priority:128; sid:1000003;)
alert tcp any any -> any any (msg:"Audit HTTP"; metadata: service http; priority:128; sid:1000004;)
alert tcp any any -> any any (msg:"Audit HTTP 2.0"; metadata: service http2; priority:128; sid:1000005;)

But all rules are triggered alike on SSH packets, HTTP web pages and FTP traffic. So I guess that in this case the filtering in Snort is based only on the protocol field, as all of the listed protocols relate to TCP.

Has anyone encountered such a problem? Could there be problems in the Snort configuration? Snort version 2.9.17 was used.

I would appreciate any help.
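The rules in the question consist of a header (any TCP traffic) plus a `metadata` tag and nothing else, so there is no payload test in them at all; as I read the Snort 2.9 manual, `metadata` is informational for the detection engine, and its `service` key is only consulted when a host attribute table is configured. The following is an added example, not part of the question or of any answer on this page: a small Python evaluator for the content-matching subset of the Snort rule language (`content`, `offset`, `depth`, hex escapes in `|..|`), run over constructed protocol banners. The rewritten rules, the sample payloads and the function names are assumptions made for the illustration; the evaluator also treats `metadata` as informational, which is consistent with the behaviour the question reports (the question's own SSH rule fires on an HTTP payload).

```python
"""Added example: evaluate the content-matching part of Snort rules offline.
Rules, payloads and names are constructed for illustration; they are not
from the question or from Snort's own rule sets."""
import re

# Constructed rules: each service is pinned to its own protocol banner.
RULES = [
    'alert tcp any any -> any any (msg:"Audit SSH"; content:"SSH-"; depth:4; metadata:service ssh; sid:1000001;)',
    'alert tcp any any -> any any (msg:"Audit FTP"; content:"220 "; depth:4; metadata:service ftp; sid:1000002;)',
    'alert tcp any any -> any any (msg:"Audit IMAP"; content:"* OK"; depth:4; metadata:service imap; sid:1000003;)',
    'alert tcp any any -> any any (msg:"Audit HTTP"; content:"HTTP/1."; metadata:service http; sid:1000004;)',
    'alert tcp any any -> any any (msg:"Audit HTTP 2.0"; content:"PRI * HTTP/2.0|0d 0a 0d 0a|SM|0d 0a 0d 0a|"; depth:24; metadata:service http2; sid:1000005;)',
]

# The question's original SSH rule: header plus metadata, no payload test.
METADATA_ONLY_RULE = 'alert tcp any any -> any any (msg:"Audit SSH"; metadata: service ssh; priority:128; sid:1000001;)'

# Constructed sample payloads (first bytes a server or client would send).
SAMPLES = {
    'ssh':   b'SSH-2.0-OpenSSH_8.4\r\n',
    'ftp':   b'220 ProFTPD Server ready.\r\n',
    'imap':  b'* OK IMAP4rev1 Service Ready\r\n',
    'http':  b'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n',
    'http2': b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n',   # the 24-byte HTTP/2 connection preface
}

_HEADER = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$')


def _split_options(body):
    """Split 'a:x; b:"y;z";' into [(key, value), ...], keeping ';' inside quotes."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            token = ''.join(cur).strip()
            if token:
                key, _, val = token.partition(':')
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return opts


def _content_bytes(value):
    """Turn a Snort content string such as "SM|0d 0a|" into bytes (|..| is hex)."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule):
    """Parse the header and the options this evaluator understands; unknown options
    (priority, classtype, ...) are ignored, as are metadata keys."""
    m = _HEADER.match(rule)
    if not m:
        raise ValueError('unsupported rule header: ' + rule)
    action, proto, body = m.groups()
    parsed = {'action': action, 'proto': proto, 'msg': None, 'sid': None,
              'contents': [], 'metadata': {}}
    for key, val in _split_options(body):
        if key == 'content':
            parsed['contents'].append({'bytes': _content_bytes(val), 'offset': 0, 'depth': None})
        elif key in ('offset', 'depth'):
            if not parsed['contents']:
                raise ValueError(key + ' without a preceding content option')
            parsed['contents'][-1][key] = int(val)   # modifiers bind to the last content
        elif key == 'msg':
            parsed['msg'] = val.strip('"')
        elif key == 'sid':
            parsed['sid'] = int(val)
        elif key == 'metadata':
            for item in val.split(','):
                k, _, v = item.strip().partition(' ')
                parsed['metadata'][k] = v.strip()
    return parsed


def rule_matches(parsed, payload):
    """True when every content test is satisfied. A rule with no content test is a
    pure header match and accepts any payload, which is what the question reports."""
    for c in parsed['contents']:
        start = c['offset']
        end = len(payload) if c['depth'] is None else start + c['depth']
        if payload.find(c['bytes'], start, end) == -1:
            return False
    return True


def matching_sids(payload, rules=RULES):
    """Return the sids of all rules whose content tests match the payload."""
    return [r['sid'] for r in map(parse_rule, rules) if rule_matches(r, payload)]


if __name__ == '__main__':
    for name, payload in SAMPLES.items():
        print(name, 'content rules:', matching_sids(payload),
              'metadata-only rule:', matching_sids(payload, [METADATA_ONLY_RULE]))
```

Running the block prints one sid per sample for the content rules, while the metadata-only rule fires on every sample. The `depth` on the banner rules keeps the match at the start of the payload, so a later occurrence of "SSH-" inside an HTTP body does not trigger the SSH rule; in a real Snort deployment the rules would additionally need `flow:` and port constraints, and service-aware matching would come from the host attribute table or AppID rather than from the `metadata` tag alone.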
