[Oisf-users] TLS rule not matching certificate subject all the time

Eric Leblond eric at regit.org
Wed Nov 7 22:19:00 UTC 2012


Le mercredi 07 novembre 2012 à 16:53 -0500, Matthew Keeler a écrit :
> I am experimenting with some Suricata rules and have a rule of the form
> "alert tls any any -> any any (msg: "Some message" tls.subject: "<the cert subject>"; sid:<sid> rev:1; )"
> I then run a curl command to reach out to an https enabled website with a certificate that has the same subject as the one in the rule. Sometimes I get the alert and sometimes I do not. It seems rather random when the alert is raised and when it is ignored.
> I have verified in Wireshark that the certificate is being sent every time.
> Is there a reason why Suricata would only occasionally find the certificate?

No specific reason. One of the possibility is that there is some
streaming errors. What is the running mode used ? Workers with flow base
locad-balancing on top should provide good result and avoid this kind of


> Thanks
> Matt Keeler--------------------------------------------------------------------
> The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list