Project

General

Profile

Actions

Feature #2269

open

TLS: tls.version: allow negation or comparison

Added by B F about 7 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

According to the documentation it is possible to match on “1.0”, “1.1”, “1.2” with tls.version (http://suricata.readthedocs.io/en/latest/rules/tls-keywords.html).

I propose to
a) allow negation for this keyword, i.e. alert on all version that are NOT 1.2 for example
or
b) allow some kind of comparison with >, <, <=, >= (with would probably need some ordered table with the versions, as the version can also be SSL.

Also (at least in the case of b)) there should be a solution to cover tls.version "UNDETERMINED"


Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3220: ssl_version keyword negation (!) not workingNewMin-Gyu JeonActions
Actions

Also available in: Atom PDF