[Oisf-users] TLS rule not matching certificate subject all the time

Victor Julien lists at inliniac.net
Thu Nov 8 13:56:22 UTC 2012


On 11/08/2012 02:46 PM, Matthew Keeler wrote:
> Was using the autofp runmode. I will try with the workers run mode and see if it resolves anything.

Can you reproduce it with a pcap file?

Cheers,
Victor

> 
> Matt Keeler
> 
> On Nov 7, 2012, at 5:19 PM, Eric Leblond <eric at regit.org> wrote:
> 
>> Hello,
>>
>> Le mercredi 07 novembre 2012 à 16:53 -0500, Matthew Keeler a écrit :
>>> I am experimenting with some Suricata rules and have a rule of the form
>>>
>>> "alert tls any any -> any any (msg: "Some message" tls.subject: "<the cert subject>"; sid:<sid> rev:1; )"
>>>
>>> I then run a curl command to reach out to an https enabled website with a certificate that has the same subject as the one in the rule. Sometimes I get the alert and sometimes I do not. It seems rather random when the alert is raised and when it is ignored.
>>>
>>> I have verified in Wireshark that the certificate is being sent every time.
>>>
>>> Is there a reason why Suricata would only occasionally find the certificate?
>>
>> No specific reason. One of the possibility is that there is some
>> streaming errors. What is the running mode used ? Workers with flow base
>> locad-balancing on top should provide good result and avoid this kind of
>> problem.
>>
>>
>> BR,
>>
>>>
>>> Thanks
>>> Matt Keeler--------------------------------------------------------------------
>>> The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>>
> 
> --------------------------------------------------------------------
> The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list