Feature #1134
closed
- Tracker changed from Bug to Feature
- Assignee set to Mats Klepsland
Or maybe better to enable the user to do something like:
content:"example.com"; tls_sni;
I don't really like how the TLS keywords deviate from the other rule keywords.
For newly developed keywords we generally follow the 'file_data' approach:
file_data; content:"pattern";
So here it would be:
tls_sni; content:"example.com";
Is that the reason why the "dns_query" keyword is placed before the "content" instead of after like so many other keywords? I have been wondering why it's like that.
Yes. The scheme is much simpler that way. All payload inspecting keywords that follow "file_data" or "dns_query" automatically apply to the correct buffer. E.g.
file_data; content:"blah"; pcre:/blabblah/;
Instead of:
content:"blah"; http_uri; pcre:/blabblah/U;
In the last case we also need to add the U to the pcre, with file_data that's not needed.
Then I'll implement it like that :)
- Subject changed from tls: server name support to tls: server name rule keyword
Logging done in #1601. This ticket is strictly about a rule keyword now.
- Status changed from New to Closed
- Target version changed from TBD to 3.1rc1
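The two keyword styles compared in this ticket, as an added example that is not part of the original discussion and is not Suricata code: a simplified Python model that reports which buffer each content/pcre option inspects, including the case where the U flag is left off the pcre. The function names, the "payload" label and the naive option splitting are assumptions of this sketch, and only the keywords named in the ticket are modelled.

```python
# Simplified model of how rule options pick an inspection buffer.
# Keyword sets cover only the keywords named in the ticket (assumption).
STICKY_BUFFERS = {"file_data", "dns_query", "tls_sni"}
CONTENT_MODIFIERS = {"http_uri"}
PCRE_BUFFER_FLAGS = {"U": "http_uri"}
DEFAULT_BUFFER = "payload"  # label chosen here for "no buffer selected"


def resolve_buffers(options):
    """Return [(keyword, pattern, buffer)] for each content/pcre option."""
    matches = []
    sticky = None
    # Naive split: the constructed samples contain no escaped ';'.
    for opt in (o.strip() for o in options.split(";")):
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name in STICKY_BUFFERS:
            sticky = name  # applies to every later content/pcre
        elif name in CONTENT_MODIFIERS:
            if not matches or matches[-1][0] != "content":
                raise ValueError(f"{name} must follow a content option")
            matches[-1] = ("content", matches[-1][1], name)
        elif name == "content":
            matches.append(("content", value, sticky or DEFAULT_BUFFER))
        elif name == "pcre":
            regex, flags = value[1:].rsplit("/", 1)  # "/regex/flags"
            buf = sticky or DEFAULT_BUFFER
            for flag in flags:
                buf = PCRE_BUFFER_FLAGS.get(flag, buf)
            matches.append(("pcre", regex, buf))
    return matches


def mixed_buffers(options):
    """True when the patterns of one rule fragment land in different buffers."""
    return len({buf for _, _, buf in resolve_buffers(options)}) > 1


if __name__ == "__main__":
    # Constructed samples: the fragments from the ticket plus one missing /U.
    for sample in ('file_data; content:"blah"; pcre:/blabblah/;',
                   'content:"blah"; http_uri; pcre:/blabblah/U;',
                   'content:"blah"; http_uri; pcre:/blabblah/;',
                   'tls_sni; content:"example.com";'):
        print(sample, "->", resolve_buffers(sample), mixed_buffers(sample))
```
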