[Oisf-users] concern over et migration
Jason Williams
jwilliams at emergingthreats.net
Tue Oct 24 15:48:28 UTC 2017
The described functionality will not be lost in the 4.0 fork of ET/ETPRO
rulesets. We will be writing content specific rules, we will not be writing
certificate fingerprint rules for certs.
Thanks,
Jason
On Tue, Oct 24, 2017 at 8:34 AM, erik clark <philosnef at gmail.com> wrote:
> As Proofpoint moves to suri specific rule enhancements, I have one small
> concern. Currently sigs like 2022960 look for chunks of content in a ssl
> cert at various depths in the certificate. In the case of ssl breakout, the
> cert is malformed, so use of cert hashes isnt possible (cert is rewritten
> and has a new hash). Will these existing rules persist in content specific
> cert analysis, or will they be replaced with hash rules from places such as
> abuse.ch sslbl and the like? Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171024/30fea3fa/attachment-0002.html>
More information about the Oisf-users
mailing list