[Oisf-users] SNI+Fingerprint

F.Tremblay fcourrier at gmail.com
Mon Nov 5 20:10:37 UTC 2018


That did the trick, thanks. I should have been following the documentation
more closely.

Cheers.

F.



On Mon, Nov 5, 2018 at 1:54 AM Peter Manev <petermanev at gmail.com> wrote:

> On Sun, Oct 28, 2018 at 9:59 PM F.Tremblay <fcourrier at gmail.com> wrote:
> >
> >
> > Hello,
> >
> > Having trouble pinning sites.
> >
> > <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 5993891 mixes
> keywords with conflicting directions
> > <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing
> signature "drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious
> facebook.com"; tls_sni; content:"facebook.com";
> tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8";
> classtype:policy-violation; gid:1; sid:5993891; rev:1;)"
> >
>
> try - tls_cert_fingerprint;
> content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8";
>
> > Pretty sure I could pin fingerprint based on SNI before the "content"
> keyword was added...
> >
> > That's on RC1.
> >
> > Thanks. Cheers.
> >
> > F.
>
>
>
> --
> Regards,
> Peter Manev
>
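
The change suggested in this thread, as an added example that is not part of the original messages or of Suricata's own tooling: a small Python helper that rewrites the `tls.fingerprint:"...";` keyword form from the question into the `tls_cert_fingerprint; content:"...";` form from the reply, keeping any `!` negation. The function names and the 20-byte fingerprint format check are assumptions of this example.

```python
import re

# Keyword form used in the question: tls.fingerprint:!"aa:bb:...";
KEYWORD_FORM = re.compile(r'tls\.fingerprint\s*:\s*(!?)\s*"([^"]*)"\s*;')
# Fingerprint format as it appears in the thread: 20 colon-separated hex bytes.
SHA1_FP = re.compile(r'^[0-9a-f]{2}(:[0-9a-f]{2}){19}$')


def rewrite_rule(rule: str) -> str:
    """Rewrite tls.fingerprint:"..."; into tls_cert_fingerprint; content:"...";"""
    def repl(m):
        negate, fp = m.group(1), m.group(2).strip().lower()
        if not SHA1_FP.match(fp):
            # Refuse to emit a pin that could never match a certificate.
            raise ValueError(f"not a 20-byte fingerprint: {fp!r}")
        return f'tls_cert_fingerprint; content:{negate}"{fp}";'
    return KEYWORD_FORM.sub(repl, rule)


def rewrite_rules(text: str):
    """Return (new_text, changed_line_numbers); comment lines are kept as is."""
    out, changed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new = line if line.lstrip().startswith("#") else rewrite_rule(line)
        if new != line:
            changed.append(n)
        out.append(new)
    return "\n".join(out), changed


# The rule quoted in the thread, joined onto one line.
SAMPLE = (
    'drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious facebook.com"; '
    'tls_sni; content:"facebook.com"; '
    'tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; '
    'classtype:policy-violation; gid:1; sid:5993891; rev:1;)'
)

if __name__ == "__main__":
    print(rewrite_rule(SAMPLE))
```
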