Project

General

Profile

Actions

Feature #2269

open

TLS: tls.version: allow negation or comparison

Added by B F about 5 years ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

According to the documentation it is possible to match on “1.0”, “1.1”, “1.2” with tls.version (http://suricata.readthedocs.io/en/latest/rules/tls-keywords.html).

I propose to
a) allow negation for this keyword, i.e. alert on all version that are NOT 1.2 for example
or
b) allow some kind of comparison with >, <, <=, >= (with would probably need some ordered table with the versions, as the version can also be SSL.

Also (at least in the case of b)) there should be a solution to cover tls.version "UNDETERMINED"

Actions #1

Updated by Andreas Herz about 5 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #2

Updated by Victor Julien over 4 years ago

  • Effort set to low
  • Difficulty set to low
Actions #3

Updated by Andreas Herz almost 4 years ago

  • Assignee set to Community Ticket
Actions #4

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review
Actions #5

Updated by Philippe Antoine over 1 year ago

  • Target version changed from TBD to 7.0.0-beta1
Actions #6

Updated by Victor Julien about 1 month ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #7

Updated by Victor Julien about 1 month ago

I feel the version tracking needs review first. Version is currently not a single thing. E.g. we can have a connection starting with sslv2 upgrade to tls1. TLS 1.3 records look like TLS 1.2 initially iirc. The version field is also often updated. So I think a review of how it works is in order.

Actions #8

Updated by Victor Julien about 1 month ago

  • Status changed from In Review to New
  • Target version changed from 7.0.0-rc1 to TBD
Actions

Also available in: Atom PDF