[Oisf-users] SNI+Fingerprint
F.Tremblay
fcourrier at gmail.com
Sun Oct 28 21:05:11 UTC 2018
Hello,
Having trouble pinning sites.
<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 5993891 mixes
keywords with conflicting directions
<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing
signature "drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious
facebook.com"; tls_sni; content:"facebook.com";
tls.fingerprint:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8";
classtype:policy-violation; gid:1; sid:5993891; rev:1;)"
Pretty sure I could pin fingerprint based on SNI before the "content"
keyword was added...
That's on RC1.
Thanks. Cheers.
F.