Feature #1134 (closed)
tls: server name rule keyword
Added by Victor Julien almost 12 years ago. Updated almost 10 years ago.
Description
Support TLS server name extension parsing and logging.
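The server_name extension this ticket wants parsed, shown as an added Python example that is not part of the ticket or of Suricata's own code: it builds a minimal ClientHello (a constructed sample) and extracts the host_name from the SNI extension, which is the buffer a tls_sni keyword would inspect.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0            # NameType host_name


def build_client_hello(server_name: str) -> bytes:
    """Return a TLS 1.2 ClientHello record with one SNI entry (constructed input)."""
    host = server_name.encode("idna")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03" + b"\x00" * 32        # client_version, random (zeroed sample)
        + b"\x00"                         # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                     # compression_methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                   # not a handshake record / not a ClientHello
        pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]            # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]            # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]  # extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type != SNI_EXTENSION_TYPE:
                pos += ext_len
                continue
            list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
            pos += 2
            while pos + 3 <= list_end:
                name_type, name_len = struct.unpack_from("!BH", record, pos)
                pos += 3
                if name_type == HOST_NAME_TYPE:
                    return record[pos:pos + name_len].decode("ascii")
                pos += name_len
            return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                       # truncated record or inconsistent lengths
    return None
```

A record with no extensions block, a truncated ClientHello, or a non-handshake record all yield None rather than an exception.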
Updated by Victor Julien almost 12 years ago
- Tracker changed from Bug to Feature
Updated by Mats Klepsland over 10 years ago
- Assignee set to Mats Klepsland
This is added in:
https://github.com/inliniac/suricata/pull/1684
Should I look into adding a detection module for this as well? Something like tls.sni:"example.com".
Updated by Mats Klepsland over 10 years ago
Or maybe better to enable the user to do something like:
content:"example.com"; tls_sni;
I don't really like how the TLS keywords deviate from the other rule keywords.
Updated by Victor Julien over 10 years ago
For newly developed keywords we generally follow the 'file_data' approach:
file_data; content:"pattern";
So here it would be:
tls_sni; content:"example.com";
Updated by Mats Klepsland over 10 years ago
Is that the reason why the "dns_query" keyword is placed before the "content" instead of after like so many other keywords? I have been wondering why it's like that.
Updated by Victor Julien over 10 years ago
Yes. The scheme is much simpler that way. All payload inspecting keywords that follow "file_data" or "dns_query" automatically apply to the correct buffer. E.g.
file_data; content:"blah"; pcre:/blabblah/;
Instead of:
content:"blah"; http_uri; pcre:/blabblah/U;
In the last case we also need to add the U to the pcre; with file_data that's not needed.
Updated by Victor Julien over 10 years ago
- Subject changed from tls: server name support to tls: server name rule keyword
Logging done in #1601. This ticket is strictly about a rule keyword now.
Updated by Victor Julien almost 10 years ago
- Status changed from New to Closed
- Target version changed from TBD to 3.1rc1