Actions
Bug #1097
closedtls: negated match too much
Affected Versions:
Effort:
Difficulty:
Label:
Description
A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.
A rule like:
alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)
is alerting for all connections. Even if they are done on a certificate
with matching subject.
Updated by Eric Leblond almost 11 years ago
- Status changed from New to Closed
Fixed by commit:c2fcf329f09c6e0d16cebb5906244c4ecc8ba30f.
Actions