[Oisf-users] concern over et migration

Jason Williams jwilliams at emergingthreats.net
Tue Oct 24 15:48:28 UTC 2017

The described functionality will not be lost in the 4.0 fork of ET/ETPRO
rulesets. We will be writing content specific rules, we will not be writing
certificate fingerprint rules for certs.



On Tue, Oct 24, 2017 at 8:34 AM, erik clark <philosnef at gmail.com> wrote:

> As Proofpoint moves to suri specific rule enhancements, I have one small
> concern. Currently sigs like 2022960 look for chunks of content in a ssl
> cert at various depths in the certificate. In the case of ssl breakout, the
> cert is malformed, so use of cert hashes isnt possible (cert is rewritten
> and has a new hash). Will these existing rules persist in content specific
> cert analysis, or will they be replaced with hash rules from places such as
> abuse.ch sslbl and the like? Thanks!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171024/30fea3fa/attachment-0002.html>

More information about the Oisf-users mailing list