[Oisf-users] SNI+Fingerprint

Peter Manev petermanev at gmail.com
Mon Nov 5 06:54:25 UTC 2018


On Sun, Oct 28, 2018 at 9:59 PM F.Tremblay <fcourrier at gmail.com> wrote:
>
>
> Hello,
>
> Having trouble pinning sites.
>
> <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 5993891 mixes keywords with conflicting directions
> <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious facebook.com"; tls_sni; content:"facebook.com"; tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; classtype:policy-violation; gid:1; sid:5993891; rev:1;)"
>

try - tls_cert_fingerprint;
content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8";

> Pretty sure I could pin fingerprint based on SNI before the "content" keyword was added...
>
> That's on RC1.
>
> Thanks. Cheers.
>
> F.



-- 
Regards,
Peter Manev
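
Added example, not part of the thread: the substitution suggested in the reply, applied to the full rule from the original post with a small option splitter that respects quoted `;`. The function names are hypothetical, and the script only rewrites the keyword form; it does not check whether the engine accepts the result.

```python
import re

# Rule copied from the original post in this thread.
RULE = (
    'drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious facebook.com"; '
    'tls_sni; content:"facebook.com"; '
    'tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; '
    'classtype:policy-violation; gid:1; sid:5993891; rev:1;)'
)


def split_options(body):
    """Split a rule's option string on ';', skipping ';' that is quoted or escaped."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def rewrite_fingerprint(rule):
    """Replace tls.fingerprint:<value> with tls_cert_fingerprint; content:<value>."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a rule with a parenthesised option list")
    header, body = m.groups()
    out = []
    for opt in split_options(body):
        key, sep, value = opt.partition(":")
        if sep and key.strip() == "tls.fingerprint":
            # Sticky-buffer form from the reply: buffer keyword, then content.
            out += ["tls_cert_fingerprint", "content:" + value.strip()]
        else:
            out.append(opt)
    return header + "(" + "; ".join(out) + ";)"


if __name__ == "__main__":
    print(rewrite_fingerprint(RULE))
```

Load the printed rule in Suricata's configuration test mode (`suricata -T`) on the target version before deploying it.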

