[Oisf-users] TLS rule not matching certificate subject all the time

Matthew Keeler mk at npulsetech.com
Wed Nov 7 21:53:42 UTC 2012

I am experimenting with some Suricata rules and have a rule of the form

"alert tls any any -> any any (msg: "Some message" tls.subject: "<the cert subject>"; sid:<sid> rev:1; )"

I then run a curl command to reach out to an https enabled website with a certificate that has the same subject as the one in the rule. Sometimes I get the alert and sometimes I do not. It seems rather random when the alert is raised and when it is ignored.

I have verified in Wireshark that the certificate is being sent every time.

Is there a reason why Suricata would only occasionally find the certificate?

Matt Keeler--------------------------------------------------------------------
The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.

More information about the Oisf-users mailing list