Support #1356

closed

Can Suricata detect self-signed certificates

Added by Complex Integrations almost 10 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

We're trying to create a rule that drops self-signed certificates. We've written the following, but it only drops the packet. We want it to drop the entire stream.

drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|14|"; offset:16; depth:4; nocase;)

This rule works great but unfortunately generates false positives.

drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|03 01|"; offset:8; depth:4; nocase;)

Do you guys have anything?
