<div dir="ltr">The described functionality will not be lost in the 4.0 fork of ET/ETPRO rulesets. We will be writing content specific rules, we will not be writing certificate fingerprint rules for certs.<div><br></div><div>Thanks,</div><div><br></div><div>Jason</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 24, 2017 at 8:34 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">As Proofpoint moves to suri specific rule enhancements, I have one small concern. Currently sigs like 2022960 look for chunks of content in a ssl cert at various depths in the certificate. In the case of ssl breakout, the cert is malformed, so use of cert hashes isnt possible (cert is rewritten and has a new hash). Will these existing rules persist in content specific cert analysis, or will they be replaced with hash rules from places such as <a href="http://abuse.ch" target="_blank">abuse.ch</a> sslbl and the like? Thanks!</div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div>