Project

General

Profile

Actions

Bug #1097

closed

tls: negated match too much

Added by Eric Leblond almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.

A rule like:

 alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)

is alerting for all connections. Even if they are done on a certificate
with matching subject.

Actions #1

Updated by Eric Leblond almost 11 years ago

  • Status changed from New to Closed

Fixed by commit:c2fcf329f09c6e0d16cebb5906244c4ecc8ba30f.

Actions #2

Updated by Victor Julien almost 11 years ago

  • Target version set to 2.0rc1
Actions

Also available in: Atom PDF