Feature #1134
closedtls: server name rule keyword
Description
Support TLS server name extension parsing and logging.
Updated by Mats Klepsland over 8 years ago
- Assignee set to Mats Klepsland
This is added in:
https://github.com/inliniac/suricata/pull/1684
Should I look into adding a detection module for this as well? Something like tls.sni:"example.com".
Updated by Mats Klepsland over 8 years ago
Or maybe better to enable the user to do something like:
content:"example.com"; tls_sni;I don't really like how the TLS keywords deviates from the other rule keywords.
Updated by Victor Julien over 8 years ago
For newly developed keyword we generally follow the 'file_data' approach:
file_data; content:"pattern";
So here it would be:
tls_sni; content:"example.com";
Updated by Mats Klepsland over 8 years ago
Is that the reason why the "dns_query" keyword is placed before the "content" instead of after like so many other keywords? I have been wondering why it's like that.
Updated by Victor Julien over 8 years ago
Yes. The scheme is much simpler that way. All payload inspecting keywords that follow "file_data" or "dns_query" automatically apply to the correct buffer. E.g.
file_data; content:"blah"; pcre:/blabblah/;
Instead of:
content:"blah"; http_uri; pcre:/blabblah/U;
In the last case we also need to add the U to the pcre, with file_data thats not needed.
Updated by Victor Julien over 8 years ago
- Subject changed from tls: server name support to tls: server name rule keyword
Logging done in #1601. This is ticket is strictly about a rule keyword now.
Updated by Victor Julien almost 8 years ago
- Status changed from New to Closed
- Target version changed from TBD to 3.1rc1