Feature #2269
opentls: tls.version: allow negation or comparison
Description
According to the documentation it is possible to match on “1.0”, “1.1”, “1.2” with tls.version (http://suricata.readthedocs.io/en/latest/rules/tls-keywords.html).
I propose to
a) allow negation for this keyword, i.e. alert on all version that are NOT 1.2 for example
or
b) allow some kind of comparison with >, <, <=, >= (with would probably need some ordered table with the versions, as the version can also be SSL.
Also (at least in the case of b)) there should be a solution to cover tls.version "UNDETERMINED"
AH Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
VJ Updated by Victor Julien over 7 years ago
- Effort set to low
- Difficulty set to low
AH Updated by Andreas Herz about 7 years ago
- Assignee set to Community Ticket
PA Updated by Philippe Antoine about 5 years ago
- Status changed from New to In Review
PA Updated by Philippe Antoine almost 5 years ago
- Target version changed from TBD to 7.0.0-beta1
VJ Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
VJ Updated by Victor Julien over 3 years ago
I feel the version tracking needs review first. Version is currently not a single thing. E.g. we can have a connection starting with sslv2 upgrade to tls1. TLS 1.3 records look like TLS 1.2 initially iirc. The version field is also often updated. So I think a review of how it works is in order.
VJ Updated by Victor Julien over 3 years ago
- Status changed from In Review to New
- Target version changed from 7.0.0-rc1 to TBD
PA Updated by Philippe Antoine over 2 years ago
- Related to Bug #3220: tls: ssl_version keyword negation (!) not working added
PA Updated by Philippe Antoine 7 months ago
- Related to Bug #7250: tls version match can have incorrect behaviour added
VJ Updated by Victor Julien 4 months ago
- Subject changed from TLS: tls.version: allow negation or comparison to tls: tls.version: allow negation or comparison