[Oisf-devel] Matching SSL/TLS certificate details

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Jul 1 14:28:55 UTC 2011

I read an interesting article on TDSS recently
(http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) and among
the scary things was its tendency to use HTTPS.

I was wondering whether Suricata could have payload keywords to match
part of a TLS/SSL certificate such as "subject", "issuer" etc. Another
possibility is to log them perhaps, in a similar way to the http.log.

I think the keywords would make rule-writing easier, and the log may
allow us to validate them (retrospectively) and flag up those that don't
validate as suspicious.

I know we already have protocol-detection for TLS (and others). Does it
actually get used yet?

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
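To make concrete what "matching part of a certificate" involves, here is an added example (not from this thread, not Suricata code): a minimal DER walker that pulls the issuer and subject Names out of an X.509 certificate, renders them the way a log line would, and applies the kind of substring rule the post proposes, plus a self-signed check as a cheap stand-in for the retrospective validation idea. The sample certificates, the rule strings and the `build_cert`/`evaluate` helper names are all constructed for illustration; the certificates carry placeholder keys and signatures, which is enough because only the Name fields are inspected. (Suricata later did grow `tls.subject` and `tls.issuerdn` keywords and a TLS log along these lines.)

```python
"""Extract subject/issuer from DER X.509 and apply keyword-style rules.

Added example for the Oisf-devel thread; not Suricata code. Certificates are
constructed inline with a tiny DER encoder so the script runs offline.
"""
from __future__ import annotations

# ---- minimal DER encoder, used only to build the constructed sample certs ----

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload

# Name attribute OIDs: 2.5.4.6 = C, 2.5.4.10 = O, 2.5.4.3 = CN
OID_BY_ATTR = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
ATTR_BY_OID = {v: k for k, v in OID_BY_ATTR.items()}

def encode_name(**rdns: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue."""
    body = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, OID_BY_ATTR[a]) + tlv(0x0C, v.encode())))
        for a, v in rdns.items())
    return tlv(0x30, body)

SHA256_RSA = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))

def build_cert(subject: bytes, issuer: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Key and signature are placeholders (constructed); only the Names matter here."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                          # [0] version v3
           + tlv(0x02, b"\x01")                                   # serialNumber
           + SHA256_RSA                                           # signature alg
           + issuer                                               # issuer Name
           + tlv(0x30, tlv(0x17, b"110701000000Z") + tlv(0x17, b"120701000000Z"))
           + subject                                              # subject Name
           + tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                           + tlv(0x05, b"")) + tlv(0x03, b"\x00\x00")))  # SPKI stub
    return tlv(0x30, tlv(0x30, tbs) + SHA256_RSA + tlv(0x03, b"\x00\x00"))

# ---- minimal DER reader: enough to walk down to the two Name fields ----

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element); rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def children(seq: bytes) -> list[tuple[int, bytes]]:
    """Split the contents of a SEQUENCE/SET into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out

def decode_name(name_der: bytes) -> str:
    """Render a Name as 'C=.., O=.., CN=..', as a log line would show it."""
    parts = []
    for _, rdn in children(name_der):                  # each RDN is a SET
        for _, atv in children(rdn):                   # AttributeTypeAndValue
            (_, oid), (_, value) = children(atv)
            parts.append(f"{ATTR_BY_OID.get(oid, oid.hex())}={value.decode('utf-8')}")
    return ", ".join(parts)

def cert_subject_issuer(cert_der: bytes) -> tuple[str, str]:
    _, cert, _ = read_tlv(cert_der, 0)
    fields = children(children(cert)[0][1])            # tbsCertificate elements
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    # order is now: serial, signatureAlgorithm, issuer, validity, subject, ...
    return decode_name(fields[4][1]), decode_name(fields[2][1])

# ---- keyword-style rules over the decoded fields (constructed strings) ----
RULES = [("subject", "CN=update-server", "constructed: watch-listed subject CN"),
         ("issuer", "O=Example Trusted CA", "constructed: issued by our trusted CA")]

def evaluate(cert_der: bytes, rules=RULES) -> dict:
    subject, issuer = cert_subject_issuer(cert_der)
    hits = [msg for field, needle, msg in rules
            if needle in (subject if field == "subject" else issuer)]
    # Cheap stand-in for retrospective validation: a cert naming itself as
    # issuer was not vouched for by any CA, so flag it for review.
    return {"subject": subject, "issuer": issuer, "hits": hits,
            "self_signed": subject == issuer}

CA = encode_name(C="GB", O="Example Trusted CA", CN="Example Trusted CA")
SAMPLE_CERTS = {  # constructed sample certificates
    "trusted": build_cert(encode_name(C="GB", O="Example Org", CN="www.example.com"), CA),
    "selfsigned": build_cert(encode_name(CN="update-server.example"),
                             encode_name(CN="update-server.example")),
}

if __name__ == "__main__":
    for label, der in SAMPLE_CERTS.items():
        print(label, evaluate(der))
```

In a real sensor the DER bytes would come from the Certificate message of the TLS handshake; everything from `read_tlv` down is what a "subject"/"issuer" keyword has to do before a string comparison is even possible, which is why having the engine decode the fields once and expose them to rules (and to a log) is attractive.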
