Project

General

Profile

Actions

Feature #1134

closed

tls: server name rule keyword

Added by Victor Julien over 10 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Support TLS server name extension parsing and logging.

Actions #1

Updated by Victor Julien over 10 years ago

  • Tracker changed from Bug to Feature
Actions #2

Updated by Mats Klepsland about 9 years ago

  • Assignee set to Mats Klepsland

This is added in:

https://github.com/inliniac/suricata/pull/1684

Should I look into adding a detection module for this as well? Something like tls.sni:"example.com".

Actions #3

Updated by Mats Klepsland about 9 years ago

Or maybe better to enable the user to do something like:

content:"example.com"; tls_sni;

I don't really like how the TLS keywords deviates from the other rule keywords.

Actions #4

Updated by Victor Julien about 9 years ago

For newly developed keyword we generally follow the 'file_data' approach:

file_data; content:"pattern";

So here it would be:

tls_sni; content:"example.com";
Actions #5

Updated by Mats Klepsland about 9 years ago

Is that the reason why the "dns_query" keyword is placed before the "content" instead of after like so many other keywords? I have been wondering why it's like that.

Actions #6

Updated by Victor Julien about 9 years ago

Yes. The scheme is much simpler that way. All payload inspecting keywords that follow "file_data" or "dns_query" automatically apply to the correct buffer. E.g.

file_data; content:"blah"; pcre:/blabblah/;

Instead of:
content:"blah"; http_uri; pcre:/blabblah/U;

In the last case we also need to add the U to the pcre, with file_data thats not needed.

Actions #7

Updated by Mats Klepsland about 9 years ago

Then I'll implement it like that :)

Actions #8

Updated by Victor Julien about 9 years ago

  • Subject changed from tls: server name support to tls: server name rule keyword

Logging done in #1601. This is ticket is strictly about a rule keyword now.

Actions #9

Updated by Victor Julien over 8 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 3.1rc1
Actions

Also available in: Atom PDF