Support #1356: can suricata detect self-signed certificates - Suricata - Open Information Security Foundation

Actions

Copy link

Support #1356

closed

can suricata detect self-signed certificates

Added by Complex Integrations over 9 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Affected Versions:

Label:

Description

we're trying to create a rule that drops self signed certificates. we've written the following but it only drops the packet. we want it to drop the entire stream.

drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|14|"; offset:16; depth:4; nocase;)

this rule works great but unfortunately generates false positives.

drop tcp any any -> any any (msg:"Self-signed Certificate"; flow:to_client,established; content:"|03 01|"; offset:8; depth:4; nocase;)

do you guys have anything?

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Support #1356

can suricata detect self-signed certificates

Updated by Andreas Herz about 8 years ago

Updated by Eric Leblond about 8 years ago

Updated by Victor Julien almost 8 years ago