Support #1356
closedcan suricata detect self-signed certificates
Description
we're trying to create a rule that drops self signed certificates. we've written the following but it only drops the packet. we want it to drop the entire stream.
drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|14|"; offset:16; depth:4; nocase;)
this rule works great but unfortunately generates false positives.
drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|03 01|"; offset:8; depth:4; nocase;)
do you guys have anything?
Updated by Andreas Herz about 8 years ago
With just a small content section it's quite obvious to have many false positives, especially when you match every tcp traffic.
You could also look into the keywords we provide. You could also try to look for ETopen rules to see if there are some that help creating your rule by comparing.
Updated by Eric Leblond about 8 years ago
You can have a look at the following blog post: https://www.stamus-networks.com/2015/07/24/finding-self-signed-tls-certificates-suricata-and-luajit-scripting/