[Oisf-devel] Matching SSL/TLS certificate details

Martin Holste mcholste at gmail.com
Fri Jul 1 15:01:17 UTC 2011


That would be an important improvement: content:"orgname"; ssl_issuer;
or something like that.  In the interim, I suppose you could use raw
content matches for those org names if you turn off the ssl preproc,
but then of course you'll take a CPU hit.

On Fri, Jul 1, 2011 at 9:51 AM, Victor Julien <victor at inliniac.net> wrote:
> On 07/01/2011 04:28 PM, Chris Wakelin wrote:
>> I read an interesting article on TDSS recently
>> (http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) and among
>> the scary things was its tendency to use HTTPS.
>>
>> I was wondering whether Suricata could have payload keywords to match
>> part of a TLS/SSL certificate such as "subject", "issuer" etc. Another
>> possibility is to log them perhaps, in a similar way to the http.log.
>>
>> I think the keywords would make rule-writing easier, and the log may
>> allow us to validate them (retrospectively) and flag up those that don't
>> validate as suspicious.
>
> I like the idea. Can you open up one or more tickets for this on redmine?
>
>> I know we already have protocol-detection for TLS (and others). Does it
>> actually get used yet?
>
> Yes, for the ssl_version and ssl_state keywords and also to ignore the
> rest of the flow to save cycles and have less fp's.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
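The matching this thread asks for, as an added example that is not Suricata code and not from any of the posters: a stdlib-only DER walker that pulls the issuer and subject O/CN out of an X.509 certificate and checks them against an organisation watchlist. The certificate is constructed inline from made-up names so the example runs offline; the watchlist and the helper names are assumptions.

```python
"""Extract issuer/subject O/CN from a DER X.509 certificate and check a watchlist."""


def der_children(data):
    """Split a run of DER TLVs into (tag, content) pairs (lengths < 65536 assumed)."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length: 0x8N, then N bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, data[i:i + length]))
        i += length
    return out


OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}   # id-at-commonName, id-at-organizationName


def parse_name(name_content):
    """X.501 Name is SEQUENCE OF SET OF SEQUENCE { OID, value }; return {attr: value}."""
    attrs = {}
    for _, rdn in der_children(name_content):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            attrs[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    return attrs


def cert_names(cert_der):
    """Return (issuer, subject) from Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }."""
    (_, cert_body), = der_children(cert_der)
    fields = der_children(der_children(cert_body)[0][1])   # fields of TBSCertificate
    if fields[0][0] == 0xA0:                                 # drop the explicit [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return parse_name(fields[2][1]), parse_name(fields[4][1])


def matches_watchlist(cert_der, watched_orgs):
    """Detection check: which watched organisation names appear as issuer or subject O."""
    issuer, subject = cert_names(cert_der)
    seen = {issuer.get("O"), subject.get("O")}
    return [org for org in watched_orgs if org in seen]


# --- constructed sample certificate (dummy key and signature, NOT a real cert) ---
def tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body


def name(cn, org):
    def atv(oid, s):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))
    return tlv(0x30, atv(b"\x55\x04\x0a", org) + atv(b"\x55\x04\x03", cn))


SIG_ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
VALIDITY = tlv(0x30, tlv(0x17, b"110701000000Z") * 2)
SPKI = tlv(0x30, SIG_ALG + tlv(0x03, b"\x00\x00"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SIG_ALG
          + name("ca.example", "Example CA") + VALIDITY + name("c2.example", "Watched Org") + SPKI)
SAMPLE_CERT = tlv(0x30, TBS + SIG_ALG + tlv(0x03, b"\x00\x00"))
```

In practice the DER blob comes from the TLS Certificate handshake message, which is the same field the proposed ssl_issuer/subject keywords and log would expose.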


