[Oisf-users] TLS rule not matching certificate subject all the time

Matthew Keeler mk at npulsetech.com
Thu Nov 8 13:46:26 UTC 2012


Was using the autofp runmode. I will try with the workers run mode and see if it resolves anything.

Matt Keeler

On Nov 7, 2012, at 5:19 PM, Eric Leblond <eric at regit.org> wrote:

> Hello,
> 
> On Wednesday, 07 November 2012 at 16:53 -0500, Matthew Keeler wrote:
>> I am experimenting with some Suricata rules and have a rule of the form
>> 
>> alert tls any any -> any any (msg:"Some message"; tls.subject:"<the cert subject>"; sid:<sid>; rev:1;)
>> 
>> I then run a curl command to reach out to an https enabled website with a certificate that has the same subject as the one in the rule. Sometimes I get the alert and sometimes I do not. It seems rather random when the alert is raised and when it is ignored.
>> 
>> I have verified in Wireshark that the certificate is being sent every time.
>> 
>> Is there a reason why Suricata would only occasionally find the certificate?
> 
> No specific reason. One of the possibilities is that there are some
> streaming errors. What is the running mode used? Workers with flow-based
> load-balancing on top should provide good results and avoid this kind of
> problem.
> 
> 
> BR,
> 
>> 
>> Thanks
>> Matt Keeler
>> --------------------------------------------------------------------
>> The information contained herein is for the exclusive use of the original recipient. This information is granted for limited distribution within the recipient's organization for planning purposes only. Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
> 
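As an added example (not from either message in this thread), a suricata.yaml fragment that applies Eric's suggestion: the workers runmode with flow-based load balancing done by AF_PACKET, so all packets of one TLS session, including the Certificate message, are handled by a single thread. The interface name, thread count and cluster-id are assumptions.

```yaml
# Added example, not from the thread. Interface, threads and cluster-id are assumed.
runmode: workers             # each thread does capture, decode, stream reassembly
                             # and detection for the flows it owns, so no packet
                             # of a flow is handed between threads

af-packet:
  - interface: eth0          # assumed capture interface
    threads: 4               # assumed; size to the cores available
    cluster-id: 99           # assumed; any id not used by another socket group
    cluster-type: cluster_flow   # kernel hashes packets by flow, keeping the whole
                                 # TLS handshake on one worker
    defrag: yes              # reassemble IP fragments before flow hashing
```

The same runmode can be forced from the command line with `--runmode workers` when starting Suricata with `--af-packet`, which is a quick way to compare against autofp without editing the file.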
