Support #1356

can suricata detect self-signed certificates

Added by Complex Integrations over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

We're trying to create a rule that drops self-signed certificates. We've written the following, but it only drops the packet; we want it to drop the entire stream.

# Rule as posted; sid/rev added so Suricata will load it (it rejects a signature without a sid).
# Note: nocase has no effect on a binary pattern such as |14|.
drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|14|"; offset:16; depth:4; nocase; sid:1000001; rev:1;)

This rule works great but unfortunately generates false positives.

# Rule as posted; sid/rev added so Suricata will load it.
# |03 01| is the TLS 1.0 version field, which is why it fires on far more than self-signed certificates.
drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|03 01|"; offset:8; depth:4; nocase; sid:1000002; rev:1;)

Do you guys have anything?

Actions #1

Updated by Andreas Herz over 6 years ago

With such a small content match, it is to be expected that you get many false positives, especially when you match against all TCP traffic.
You could also look into the keywords we provide. You could also try looking at the ET Open rules to see whether there are some that help you build your rule by comparison.
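
As an added illustration of the "look into the keywords we provide" advice, and not code from this thread or from the Suricata project: Suricata's TLS keywords (tls.cert_subject, tls.cert_issuer) can match a fixed issuer string, but a rule cannot compare two buffers with each other, so the generic "issuer equals subject" check that characterises a self-signed leaf certificate is easiest to express in a Lua detection script attached to a tls rule. The script below assumes a Suricata build with Lua detection support, that TlsGetCertInfo() is callable from a detection script's match function (returning version, subject, issuer and fingerprint of the leaf certificate), and a hypothetical script file self_signed.lua placed in the rules directory; the sid is arbitrary.

```lua
-- self_signed.lua: added example, not part of the original thread or of Suricata.
-- Flags a TLS session whose leaf certificate has issuer == subject.
-- Assumed Suricata Lua detection API: init() declares what the script needs,
-- match() returns 1 on match and 0 otherwise, and TlsGetCertInfo() returns
-- version, subject, issuer, fingerprint for the current TLS state.

function init(args)
    local needs = {}
    needs["tls"] = tostring(true)   -- only run on flows parsed as TLS (assumption)
    return needs
end

-- Normalise a distinguished name so trivial formatting differences
-- (case, runs of whitespace) do not hide a match.
local function norm(dn)
    if dn == nil then
        return nil
    end
    local s = dn:lower():gsub("%s+", " ")
    return s
end

-- Heuristic: a leaf whose issuer equals its subject is self-issued; for a
-- single-certificate chain that is a self-signed certificate. This does not
-- verify the signature, and it looks only at the leaf (cert0), not at a root
-- CA that may legitimately appear later in the chain.
function match(args)
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    if subject == nil or issuer == nil then
        return 0    -- certificate not (yet) parsed: nothing to decide
    end
    if norm(subject) == norm(issuer) then
        return 1
    end
    return 0
end
```

The rule that drives it (also an added example) would be: drop tls any any -> any any (msg:"TLS self-signed leaf certificate (issuer == subject)"; flow:to_client,established; lua:self_signed.lua; sid:9000001; rev:1;). Because the rule is keyed on the tls app-layer protocol, it only evaluates once the certificate has been parsed rather than on every TCP segment, which removes the false positives of the raw offset/content matches above. Regarding the original request to drop the whole stream: once a drop signature matches in IPS mode, Suricata marks the flow for drop, so the remaining packets of that flow are dropped as well, not just the packet that triggered the match.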

Actions #3

Updated by Victor Julien over 6 years ago

  • Status changed from New to Closed