ssl_state negation support
This doesn't currently work:
Updated by Jason Ish almost 6 years ago
There is an incompatibility in the SSL app layer that prevents negation from working properly. The Suricata SSL states flags is an accumulation of states seen. So if we go from CLIENT_HELLO to SERVER_HELLO, both flags are set in the state. This prevents ssl_state:!client_hello from matching while in SERVER_HELLO.
It appears that Snort does not accumulate the states like Suricata does, so a rule with ssl_state:client_hello will not match while SERVER_HELLO, but it will match in Suricata.