[Oisf-devel] Matching SSL/TLS certificate details
Chris Wakelin
c.d.wakelin at reading.ac.uk
Fri Jul 1 14:28:55 UTC 2011
I read an interesting article on TDSS recently
(http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) and among
the scary things was its tendency to use HTTPS.
I was wondering whether Suricata could have payload keywords to match
part of a TLS/SSL certificate such as "subject", "issuer" etc. Another
possibility is to log them perhaps, in a similar way to the http.log.
I think the keywords would make rule-writing easier, and the log may
allow us to validate them (retrospectively) and flag up those that don't
validate as suspicious.
I know we already have protocol-detection for TLS (and others). Does it
actually get used yet?
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
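The issuer/subject extraction that such a keyword or log line would rest on, as an added example that is not part of the original post or of Suricata: a minimal DER walker over X.501 Names, with the input Names constructed inline (`make_name` and `self_signed` are illustrative helpers, not Suricata API).

```python
# Added example, not Suricata code; test Names are constructed inline.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
OID_DER = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "C": b"\x55\x04\x06"}

def der_tlv(buf, off=0):
    """Decode one DER element at buf[off:]; return (tag, value, next_off)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                               # base-128 sub-identifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(name_der):
    """Render an X.501 Name (SEQUENCE OF SET OF {oid, value}) as 'C=.., CN=..'."""
    parts = []
    for _, rdn in der_children(der_tlv(name_der)[1]):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            oid = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val.decode('ascii')}")
    return ", ".join(parts)

def _der(tag, body):
    return bytes([tag, len(body)]) + body            # short-form length; test data only
def make_name(**attrs):
    """Build a constructed Name for testing, e.g. make_name(C='GB', CN='x')."""
    rdns = (_der(0x31, _der(0x30, _der(0x06, OID_DER[k]) + _der(0x13, v.encode())))
            for k, v in attrs.items())
    return _der(0x30, b"".join(rdns))

def self_signed(issuer_der, subject_der):
    """One retrospective check from the post: issuer Name equals subject Name."""
    return parse_name(issuer_der) == parse_name(subject_der)
```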