<div dir="ltr"><div>That did the trick, thanks. I should have been following the documentation more closely.</div><div><br></div><div>Cheers.</div><div><br></div><div>F.<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 5, 2018 at 1:54 AM Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, Oct 28, 2018 at 9:59 PM F.Tremblay <<a href="mailto:fcourrier@gmail.com" target="_blank">fcourrier@gmail.com</a>> wrote:<br>
><br>
><br>
> Hello,<br>
><br>
> Having trouble pinning sites.<br>
><br>
> <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 5993891 mixes keywords with conflicting directions<br>
> <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious <a href="http://facebook.com" rel="noreferrer" target="_blank">facebook.com</a>"; tls_sni; content:"<a href="http://facebook.com" rel="noreferrer" target="_blank">facebook.com</a>"; tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; classtype:policy-violation; gid:1; sid:5993891; rev:1;)"<br>
><br>
<br>
try - tls_cert_fingerprint;<br>
content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8";<br>
<br>
> Pretty sure I could pin fingerprint based on SNI before the "content" keywork was added...<br>
><br>
> Thats on RC1.<br>
><br>
> Thanks. Cheers.<br>
><br>
> F.<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
<br>
<br>
<br>
-- <br>
Regards,<br>
Peter Manev<br>
</blockquote></div>