[Oisf-users] problem with forged tls and fallchill

erik clark philosnef at gmail.com
Mon Nov 27 16:26:28 UTC 2017


The recent fallchill bit uses an RC4 key to decode traffic forged as TLS.
My question is, is there a fast way to say "This isn't TLS on a TLS port"
without mucking around with bytes at given offsets and what have you? It is
clearly not TLS, so I would think suri has a way to inspect for that?

The ET rules work, but we would really like to try and get to the root of
the issue rather than scanning for bytes.