[Oisf-users] SNI+Fingerprint

F.Tremblay fcourrier at gmail.com
Sun Oct 28 21:05:11 UTC 2018


Having trouble pinning sites.

<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 5993891 mixes
keywords with conflicting directions
<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing
signature "drop tls any any -> any any (msg:"TLS/FINGERPRINT Suspicious
facebook.com"; tls_sni; content:"facebook.com";
classtype:policy-violation; gid:1; sid:5993891; rev:1;)"

Pretty sure I could pin fingerprint based on SNI before the "content"
keyword was added...

That's on RC1.

Thanks. Cheers.
