Project

General

Profile

Actions
Copy link

Feature #1231

closed

ssl_state negation support

Added by Victor Julien over 10 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.2beta1
Effort:
Difficulty:
Label:

Description

This doesn't currently work:

ssl_state:!client_hello;

Actions
Copy link
 #1

Updated by Victor Julien over 10 years ago

  • Assignee changed from Victor Julien to Jason Ish
  • Target version changed from 3.0RC2 to 2.0.5
Actions
Copy link
 #2

Updated by Jason Ish over 10 years ago

There is an incompatibility in the SSL app layer that prevents negation from working properly. The Suricata SSL states flags is an accumulation of states seen. So if we go from CLIENT_HELLO to SERVER_HELLO, both flags are set in the state. This prevents ssl_state:!client_hello from matching while in SERVER_HELLO.

It appears that Snort does not accumulate the states like Suricata does, so a rule with ssl_state:client_hello will not match while SERVER_HELLO, but it will match in Suricata.

Actions
Copy link
 #3

Updated by Victor Julien about 10 years ago

  • Target version changed from 2.0.5 to 3.0RC2

Looks like this is more complicated than initially thought, moving to 2.1

Actions
Copy link
 #4

Updated by Victor Julien about 9 years ago

  • Target version changed from 3.0RC2 to 70
Actions
Copy link
 #5

Updated by Jason Ish over 8 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2
Actions
Copy link
 #6

Updated by Victor Julien over 8 years ago

  • Target version changed from 3.2 to 3.2beta1
Actions
Copy link

Also available in: Atom PDF