TLS buffers evaluated by fast_pattern matcher.
As far as I can tell, tls.* buffers are not evaluated by the fast_pattern matcher. If this is correct, is there a reason why this is the case? If there is no reason, can we add them?
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 3.2beta1
https://github.com/inliniac/suricata/pull/2249 adds: tls_cert_issuer and tls_cert_subject, which replace tls.issuerdn and tls.subject. They are 'sticky buffers' like file_data, so all your regular matching (content/pcre/isdataat/etc) applies.
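The difference between the legacy keyword and the sticky buffers described in the update above, shown as an added example that is not part of the original ticket or the Suricata project's own rules. The certificate strings, messages and sid values are constructed for illustration.

```suricata
# Legacy form: tls.subject takes its own argument, so content modifiers
# such as fast_pattern cannot be attached to it.
alert tls any any -> any any (msg:"EXAMPLE legacy tls.subject match"; tls.subject:"CN=portal.example.test"; sid:1000001; rev:1;)

# Sticky buffer form: tls_cert_subject selects the buffer, then ordinary
# content matching applies. fast_pattern hands the string to the
# prefilter; isdataat:!1,relative requires the buffer to end right after
# the match, so "CN=portal.example.test.other" does not match.
alert tls any any -> any any (msg:"EXAMPLE tls_cert_subject exact CN"; tls_cert_subject; content:"CN=portal.example.test"; nocase; fast_pattern; isdataat:!1,relative; sid:1000002; rev:1;)

# Issuer buffer: a literal content used as the fast pattern, with a pcre
# evaluated on the same buffer only after the content has matched.
alert tls any any -> any any (msg:"EXAMPLE tls_cert_issuer content and pcre"; tls_cert_issuer; content:"O=Example Test CA"; fast_pattern; pcre:"/CN=Example Test CA G[0-9]+$/"; sid:1000003; rev:1;)
```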