Bug #2060

closed

lua rules not compatible with new tls_* keywords

Added by Eric Leblond about 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

By running suricata on the provided pcap and rules, we have alerts with the signature with SID 1.

suricata -r tls.pcap -k none -l log/ -S tls-no-lua.rules

When using the second signature in the file (using the old style tls.subject keyword), then we have no alert.


Files

no.lua (169 Bytes), Eric Leblond, 03/09/2017 04:58 AM
tls-no-lua.rules (191 Bytes), Eric Leblond, 03/09/2017 04:58 AM
tls.pcap (184 KB), Eric Leblond, 03/09/2017 04:58 AM

Actions #1

Updated by Eric Leblond about 7 years ago

  • Target version set to 3.2.2

This is corrected in master after https://github.com/inliniac/suricata/commit/4ae4fd08024e2a5369cf785e8597a2afbd9a6bc2 (lua: use tls_generic list for ssl/tls) but this is part of an important rewrite so a different fix has to be found for the 3.2.x branch.

Actions #2

Updated by Andreas Herz almost 7 years ago

  • Assignee set to Eric Leblond

Actions #3

Updated by Victor Julien almost 7 years ago

Eric, are you working on a fix?

Actions #4

Updated by Eric Leblond almost 7 years ago

No Victor, I'm not on this one.

Actions #5

Updated by Victor Julien almost 7 years ago

  • Assignee changed from Eric Leblond to OISF Dev
  • Target version changed from 3.2.2 to 70

Ok, thanks!

Actions #6

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (70)

Fixing this in 3.2 is too complicated. 4.0 is almost out, so ppl who need this can use that.
