Feature #1231: ssl_state negation support - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community
Open Doc tasks

Actions

Copy link

Feature #1231

closed

VJ JI

ssl_state negation support

Feature #1231: ssl_state negation support

Added by Victor Julien almost 12 years ago. Updated over 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

3.2beta1

Effort:

Difficulty:

Label:

Description

This doesn't currently work:

ssl_state:!client_hello;

History
Notes
Property changes

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#1

Assignee changed from Victor Julien to Jason Ish
Target version changed from 3.0RC2 to 2.0.5

JI Updated by Jason Ish over 11 years ago Actions
Copy link
#2

There is an incompatibility in the SSL app layer that prevents negation from working properly. The Suricata SSL states flags is an accumulation of states seen. So if we go from CLIENT_HELLO to SERVER_HELLO, both flags are set in the state. This prevents ssl_state:!client_hello from matching while in SERVER_HELLO.

It appears that Snort does not accumulate the states like Suricata does, so a rule with ssl_state:client_hello will not match while SERVER_HELLO, but it will match in Suricata.

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#3

Target version changed from 2.0.5 to 3.0RC2

Looks like this is more complicated than initially thought, moving to 2.1

VJ Updated by Victor Julien over 10 years ago Actions
Copy link
#4

Target version changed from 3.0RC2 to 70

JI Updated by Jason Ish over 9 years ago Actions
Copy link
#5

Status changed from Assigned to Closed
Target version changed from 70 to 3.2

Merged: https://github.com/inliniac/suricata/pull/2261

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
#6

Target version changed from 3.2 to 3.2beta1

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Feature #1231

ssl_state negation support

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#1

JI Updated by Jason Ish over 11 years ago Actions
Copy link
#2

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 10 years ago Actions
Copy link
#4

JI Updated by Jason Ish over 9 years ago Actions
Copy link
#5

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
#6

Project

General

Profile

Suricata

Custom queries

Feature #1231

ssl_state negation support

VJ Updated by Victor Julien over 11 years ago ActionsCopy link #1

JI Updated by Jason Ish over 11 years ago ActionsCopy link #2

VJ Updated by Victor Julien over 11 years ago ActionsCopy link #3

VJ Updated by Victor Julien over 10 years ago ActionsCopy link #4

JI Updated by Jason Ish over 9 years ago ActionsCopy link #5

VJ Updated by Victor Julien over 9 years ago ActionsCopy link #6

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#1

JI Updated by Jason Ish over 11 years ago Actions
Copy link
#2

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 10 years ago Actions
Copy link
#4

JI Updated by Jason Ish over 9 years ago Actions
Copy link
#5

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
#6