TLS: tls.version: allow negation or comparison
According to the documentation it is possible to match on “1.0”, “1.1”, “1.2” with tls.version (http://suricata.readthedocs.io/en/latest/rules/tls-keywords.html).
I propose to
a) allow negation for this keyword, i.e. alert on all version that are NOT 1.2 for example
b) allow some kind of comparison with >, <, <=, >= (with would probably need some ordered table with the versions, as the version can also be SSL.
Also (at least in the case of b)) there should be a solution to cover tls.version "UNDETERMINED"