Feature #2957

Suricata x Moloch - protocol detection. Proposals for TLS/SSL

Added by Michal Vymazal 5 months ago. Updated 4 months ago.

Target version:


At this moment Moloch shows only the TLS version, the negotiated cipher and some certificate data.

Previous task version

The Illustrated TLS Connection

For the Suricata TLS plugin I suggest including these values in the Moloch screen:

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find a similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.


Screenshot_20190301_122822.png (112 KB) Michal Vymazal, 05/03/2019 08:08 AM
tls-inspection-rules.txt (2.3 KB) Michal Vymazal, 05/03/2019 08:11 AM
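As an added example (not code from this ticket, from Suricata or from Moloch), a small Python parser that pulls the Client Hello fields proposed above out of one TLS handshake record: cipher suite proposals, compression methods, and the Supported Groups, EC Point Formats, Signature Algorithms and Renegotiation Info extensions. It rejects truncated or inconsistent length fields instead of reading past them; the sample record and all names are constructed for this illustration.

```python
import struct

EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 10, 11          # IANA TLS ExtensionType values
EXT_SIGNATURE_ALGORITHMS, EXT_RENEGOTIATION_INFO = 13, 0xFF01

def _u16_list(data):  # big-endian uint16 array (cipher suites, groups, sigalgs) -> list
    return list(struct.unpack(">%dH" % (len(data) // 2), data[:len(data) // 2 * 2]))

def parse_client_hello(record):
    """Return the ClientHello fields proposed above; ValueError if malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record carrying ClientHello
            raise ValueError("not a ClientHello handshake record")
        body = record[9:9 + (n := int.from_bytes(record[6:9], "big"))]
        if len(body) != n: raise ValueError("handshake length exceeds record")
        pos = 35 + body[34]                          # skip client_version, random, session_id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        out = {"cipher_suites": _u16_list(body[pos + 2:pos + 2 + cs_len])}
        pos += 2 + cs_len
        out["compression_methods"] = list(body[pos + 1:pos + 1 + body[pos]])
        pos += 1 + body[pos]
        out.update(supported_groups=[], ec_point_formats=[], signature_algorithms=[], renegotiation_info=None)
        if pos == len(body): return out             # omitting the extensions block is legal
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        if end != len(body): raise ValueError("extensions length does not match body")
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            if len(edata) != elen: raise ValueError("extension overruns block")
            pos += 4 + elen
            if etype == EXT_SUPPORTED_GROUPS:
                out["supported_groups"] = _u16_list(edata[2:])   # skip inner length field
            elif etype == EXT_EC_POINT_FORMATS:
                out["ec_point_formats"] = list(edata[1:])
            elif etype == EXT_SIGNATURE_ALGORITHMS:
                out["signature_algorithms"] = _u16_list(edata[2:])
            elif etype == EXT_RENEGOTIATION_INFO:
                out["renegotiation_info"] = edata[1:].hex()      # "" on an initial handshake
        return out
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")

# Constructed sample (not a real capture): TLS 1.2 ClientHello, two cipher suites, null compression.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 0301 004e" "01 00004a" "0303" + "00" * 32 + "00" "0004 c02b c02f" "01 00" "001d"
    "000a 0006 0004 001d 0017"    # supported_groups: x25519, secp256r1
    "000b 0002 01 00"             # ec_point_formats: uncompressed
    "000d 0004 0002 0403"         # signature_algorithms: ecdsa_secp256r1_sha256
    "ff01 0001 00")               # renegotiation_info: empty
```

Each returned list holds the raw IANA code points, which is what a display layer would map to names.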



Updated by Michal Vymazal 5 months ago

I also uploaded my signatures for TLS inspection.

alert tls any !10050:10051

means no Zabbix connections.


Updated by Andreas Herz 4 months ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Are you interested in working on that as a contribution?


Updated by Michal Vymazal 4 months ago

Really glad. What can I do?


Updated by Andreas Herz 4 months ago

  • Assignee changed from Community Ticket to Michal Vymazal

The necessary steps are explained in and feel free to ask if you have any specific questions. You can also look at our GitHub page and see how we work with PRs.


Updated by Andreas Herz 4 months ago

  • Status changed from New to Assigned

Updated by Michal Vymazal 4 months ago

OK. Give me a week to study the rules, developers guide and the Contribution Agreement.


Updated by Michal Vymazal 4 months ago

Suricata code location - Moloch, Suricata plugins

I will be glad to cooperate on these projects.

But I can't locate the right part of the code in the repository (meaning Moloch and Suricata plugins).

Can you give me a contact for a responsible person who will help me find the right part of the Suricata plugin and Moloch code?

Thank you very much


Updated by Peter Manev 4 months ago

Maybe Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.
