Actions
Feature #1231
closedssl_state negation support
Description
This doesn't currently work:
ssl_state:!client_hello;
Actions
Added by Victor Julien over 11 years ago. Updated about 9 years ago.
Description
This doesn't currently work:
ssl_state:!client_hello;
There is an incompatibility in the SSL app layer that prevents negation from working properly. The Suricata SSL states flags is an accumulation of states seen. So if we go from CLIENT_HELLO to SERVER_HELLO, both flags are set in the state. This prevents ssl_state:!client_hello from matching while in SERVER_HELLO.
It appears that Snort does not accumulate the states like Suricata does, so a rule with ssl_state:client_hello will not match while SERVER_HELLO, but it will match in Suricata.
Looks like this is more complicated than initially thought, moving to 2.1