Suricata enhancements - proposals
My first proposal for Suricata plugin enhancement - TLS/SSL. At this moment Moloch shows only TLS version, negotiated cipher and some certificate data.
My first proposal is to show also the Diffie-Hellman server parameters, named curve, public key, signature algorithm, signature hash algorithm hash, signature hash algorithm signature and signature length.
I hope this will also be usable for SSH, IKEv1, IKEv2 and IKEv3 handshakes.
(IKEv1-main-Screenshot_20190424_174215.png, IKEv2_SA_INIT_Screenshot_20190424_174651.png, elasticsearch-sshv2.pdf)
Updated by Michal Vymazal about 2 months ago
At this moment Moloch shows only TLS version, negotiated cipher and some certificate data.
The Illustrated TLS Connection
For the Suricata TLS plugin I suggest including these values in the Moloch screen:
Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals
Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)
Server Key Exchange - Curve Info, Public Key, Signature
I will try to find a similar illustrated guide for IKEvX and SSH for a better description.
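The Server Key Exchange fields proposed above (curve info, public key, signature hash algorithm, signature algorithm, signature length) are what a sensor would have to pull out of the TLS 1.2 ECDHE handshake message to populate such a Moloch view. The following is an added illustration, not code from this thread, Suricata or Moloch: a small Python parser for a TLS 1.2 ServerKeyExchange record in the named_curve form, run against a constructed record whose public key and signature bytes are placeholders. The parser assumes the TLS 1.2 layout (a two-byte SignatureAndHashAlgorithm before the signature); TLS 1.0/1.1 omit those two bytes, and TLS 1.3 no longer sends this message at all, so those cases are rejected rather than guessed.

```python
import struct

# IANA-registered identifiers as they appear on the wire (RFC 4492 / RFC 5246 / RFC 8422).
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
                0x001d: "x25519", 0x001e: "x448"}
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

TLS_HANDSHAKE = 0x16
HS_SERVER_KEY_EXCHANGE = 0x0c
CURVE_TYPE_NAMED = 0x03


def parse_server_key_exchange(record: bytes) -> dict:
    """Parse one TLS 1.2 record carrying an ECDHE ServerKeyExchange message.

    Returns the fields a monitoring tool would want to display. Raises ValueError on
    anything that is not a well-formed TLS 1.2 named_curve ServerKeyExchange, so a
    caller never reads garbage from a truncated or foreign message.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    version = struct.unpack("!H", record[1:3])[0]
    if version != 0x0303:
        raise ValueError("only the TLS 1.2 ServerKeyExchange layout is supported")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    if len(hs) < 4 or hs[0] != HS_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")

    off = 0

    def take(n: int) -> bytes:
        # Bounds-checked slice: every field read goes through here.
        nonlocal off
        if off + n > len(body):
            raise ValueError("field runs past end of message")
        chunk = body[off:off + n]
        off += n
        return chunk

    curve_type = take(1)[0]
    if curve_type != CURVE_TYPE_NAMED:
        raise ValueError("only curve_type named_curve (3) is supported")
    curve_id = struct.unpack("!H", take(2))[0]
    pubkey = take(take(1)[0])                 # opaque point<1..2^8-1>
    hash_id, sig_id = take(2)                 # SignatureAndHashAlgorithm (TLS 1.2)
    signature = take(struct.unpack("!H", take(2))[0])  # opaque signature<0..2^16-1>
    if off != len(body):
        raise ValueError("trailing bytes after signature")

    return {
        "tls_version": "1.2",
        "curve_type": "named_curve",
        "named_curve": NAMED_CURVES.get(curve_id, "unknown(0x%04x)" % curve_id),
        "public_key": pubkey.hex(),
        "public_key_len": len(pubkey),
        "signature_hash_algorithm": HASH_ALGS.get(hash_id, "unknown(%d)" % hash_id),
        "signature_algorithm": SIG_ALGS.get(sig_id, "unknown(%d)" % sig_id),
        "signature_len": len(signature),
        "signature": signature.hex(),
    }


def build_sample_record() -> bytes:
    """Constructed sample: x25519 key share signed with ecdsa/sha256.

    The key and signature bytes are placeholders, not real cryptographic values.
    """
    pubkey = bytes(range(1, 33))              # 32 placeholder bytes
    signature = bytes([0x30]) + bytes(70)     # 71 placeholder bytes (DER-ish prefix)
    body = (bytes([CURVE_TYPE_NAMED]) + struct.pack("!H", 0x001d)
            + bytes([len(pubkey)]) + pubkey
            + bytes([4, 3])                   # sha256, ecdsa
            + struct.pack("!H", len(signature)) + signature)
    hs = bytes([HS_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for key, value in parse_server_key_exchange(build_sample_record()).items():
        print("%-25s %s" % (key, value))
```

The length checks matter more than the field names: a sensor parses attacker-controlled bytes, and a ServerKeyExchange whose declared signature length exceeds the record is exactly the kind of input that should be flagged rather than silently truncated.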