[Oisf-users] Two Suricata Rule Questions

Andreas Herz andi at geekosphere.org
Sat Jan 2 19:12:43 UTC 2016


On 24/12/15 at 17:12, Nasir Bilal wrote:
> I have a couple of questions about Suricata/Snort rules:
> 1) Is there a way to reference a list of strings in a suricata rule,
> similar to the ipreputation engine, and the way it references external text
> files full of IPs? We're looking at using Suricata for URL filtering.

Could you describe this a little more?
But I guess if you want to have the same way iprep works, that's a
feature request.

> 2) Similar to the first question, is there a way to read specifically from
> the SSL Server Certificate fields in the SSL/TLS handshake during HTTPS
> session initiation? We'd like to perform URL filtering on HTTPS traffic
> without SSL decrypt, and I know that many vendors do this by reading the
> fields of the SSL server certificates.

AFAIK that also depends on how SSL/TLS is configured; with SNI you
could already check the SNI for the URL.

There are also TLS keywords:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords

-- 
Andreas Herz
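As an added illustration (not part of the thread), two rules that do what the reply describes: the first matches the SNI the client sends in its ClientHello, the second matches the subject of the server certificate. The keyword names come from the Suricata TLS keyword documentation the reply links to; the domain, the sid values and the rule messages are constructed placeholders, and the rules assume a Suricata version that provides the tls.sni sticky buffer and the tls.subject keyword.

```suricata
# Added example, not from the thread. Assumes a Suricata version with the
# tls.sni sticky buffer and the tls.subject keyword. "blocked.example.invalid"
# and the sid values are constructed placeholders.

# 1) Match on the SNI in the ClientHello. This needs no decryption because
#    SNI is sent in cleartext (unless Encrypted Client Hello is in use).
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY TLS SNI to blocked domain"; flow:established,to_server; tls.sni; content:"blocked.example.invalid"; endswith; nocase; classtype:policy-violation; sid:9000001; rev:1;)

# 2) Match on the server certificate subject. The certificate is cleartext in
#    TLS 1.2 and earlier but encrypted in TLS 1.3, so this rule only fires on
#    handshakes where Suricata can see the certificate.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY TLS server cert subject for blocked domain"; flow:established,to_client; tls.subject:"CN=blocked.example.invalid"; classtype:policy-violation; sid:9000002; rev:1;)
```

Both rules match per domain rather than per URL: the path of an HTTPS request is inside the encrypted stream, so SNI and certificate fields give hostname-level filtering only.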
