[Oisf-devel] Matching SSL/TLS certificate details

Victor Julien victor at inliniac.net
Fri Jul 1 14:51:54 UTC 2011

On 07/01/2011 04:28 PM, Chris Wakelin wrote:
> I read an interesting article on TDSS recently
> (http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) and among
> the scary things was its tendency to use HTTPS.
> I was wondering whether Suricata could have payload keywords to match
> part of a TLS/SSL certificate such as "subject", "issuer" etc. Another
> possibility is to log them perhaps, in a similar way to the http.log.
> I think the keywords would make rule-writing easier, and the log may
> allow us to validate them (retrospectively) and flag up those that don't
> validate as suspicious.

I like the idea. Can you open up one or more tickets for this on redmine?

> I know we already have protocol-detection for TLS (and others). Does it
> actually get used yet?

Yes, for the ssl_version and ssl_state keywords and also to ignore the
rest of the flow to save cycles and have fewer FPs.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
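The keyword and log idea above hinges on pulling the subject and issuer out of the server's Certificate handshake message. The following stand-alone sketch, added here as an example and not code from Suricata or from either poster, walks TLS records for the Certificate message, parses the leaf certificate's DER just far enough to get the issuer and subject DNs, and applies a hypothetical "subject/issuer contains" rule check plus a self-signed (issuer equals subject) test of the kind a retrospective log review might use. The handshake, certificates and names are constructed inline (placeholder keys and signatures, so they would never validate); the function names are this example's own.

```python
# ---- minimal DER helpers (example code, not Suricata's) ------------------

def tlv(tag, body):
    """Encode one DER TLV, short or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: low bits = number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

OID_NAME = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
NAME_OID = {v: k for k, v in OID_NAME.items()}

def parse_name(name_body):
    """X.501 Name = SEQUENCE OF (SET OF SEQUENCE {OID, value}) -> 'C=US, O=..., CN=...'."""
    parts = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append("%s=%s" % (OID_NAME.get(oid, oid.hex()), val.decode("utf-8")))
    return ", ".join(parts)

def cert_names(der):
    """Return (issuer, subject) DN strings from a DER X.509 certificate."""
    (_, cert_body), = children(der)                 # outer Certificate SEQUENCE
    (_, tbs), _sig_alg, _sig = children(cert_body)  # tbsCertificate, sigalg, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return parse_name(fields[2][1]), parse_name(fields[4][1])

def self_signed(der):
    """Cheap retrospective check: issuer DN identical to subject DN."""
    issuer, subject = cert_names(der)
    return issuer == subject

# ---- TLS record / handshake walking --------------------------------------

def extract_certs(stream):
    """DER certs from every Certificate (type 11) handshake message.
    Assumes a message fits in one record; a real engine must reassemble."""
    certs, pos = [], 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        rlen = int.from_bytes(stream[pos + 3:pos + 5], "big")
        rec = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 0x16:                           # skip non-handshake records
            continue
        hpos = 0
        while hpos + 4 <= len(rec):
            htype = rec[hpos]
            hlen = int.from_bytes(rec[hpos + 1:hpos + 4], "big")
            body = rec[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype != 0x0B:                       # only Certificate messages
                continue
            total, cpos = int.from_bytes(body[0:3], "big"), 3
            while cpos < 3 + total:                 # chain: 3-byte length + DER each
                clen = int.from_bytes(body[cpos:cpos + 3], "big")
                certs.append(body[cpos + 3:cpos + 3 + clen])
                cpos += 3 + clen
    return certs

def rule_matches(stream, subject_contains=None, issuer_contains=None):
    """Hypothetical 'tls subject/issuer contains' keyword applied to the leaf cert."""
    certs = extract_certs(stream)
    if not certs:
        return False
    issuer, subject = cert_names(certs[0])          # leaf is first in the chain
    if subject_contains is not None and subject_contains not in subject:
        return False
    return issuer_contains is None or issuer_contains in issuer

# ---- constructed sample: hand-built certs with placeholder key/signature --

SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))

def name(pairs):
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, NAME_OID[k]) + tlv(0x0C, v.encode()))) for k, v in pairs))

def build_cert(issuer_pairs, subject_pairs):
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), SIG_ALG,   # v3, serial 1, sigalg
        name(issuer_pairs),
        tlv(0x30, tlv(0x17, b"110701000000Z") + tlv(0x17, b"120701000000Z")),  # validity
        name(subject_pairs),
        tlv(0x30, SIG_ALG + tlv(0x03, b"\x00" * 17))]))                # placeholder SPKI
    return tlv(0x30, tbs + SIG_ALG + tlv(0x03, b"\x00" * 33))         # placeholder signature

CA_NAME = [("C", "US"), ("O", "Example Corp"), ("CN", "Example Corp CA")]
LEAF_NAME = [("C", "US"), ("O", "Example Corp"), ("CN", "suspect.example")]
CA_DER, LEAF_DER = build_cert(CA_NAME, CA_NAME), build_cert(CA_NAME, LEAF_NAME)

def handshake_record(msg_type, body):
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([0x16, 0x03, 0x01]) + len(hs).to_bytes(2, "big") + hs

def certificate_body(ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    return len(entries).to_bytes(3, "big") + entries

SERVER_HELLO = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"  # dummy ServerHello
SAMPLE_STREAM = (handshake_record(0x02, SERVER_HELLO)
                 + handshake_record(0x0B, certificate_body([LEAF_DER, CA_DER])))

if __name__ == "__main__":
    for der in extract_certs(SAMPLE_STREAM):
        issuer, subject = cert_names(der)
        print("subject: %s | issuer: %s | self-signed: %s" % (subject, issuer, self_signed(der)))
    print("rule hit:", rule_matches(SAMPLE_STREAM, subject_contains="CN=suspect.example"))
```

The DN strings come out in certificate order ("C=US, O=Example Corp, CN=..."), which is the form a log line or a content match would want; only the three attribute OIDs used here are named, anything else prints as hex. The self-signed test is deliberately crude: it flags a self-issued leaf but says nothing about chain validity, which is the part the retrospective validation step would still have to do offline.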
