Feature #296
Status: Closed
Matching SSL/TLS certificate details
Description
I was wondering whether Suricata could have payload keywords to match part of a TLS/SSL certificate such as "subject", "issuer" etc. The idea is to allow things like
content:"GoDaddy.com"; ssl_issuer;
07/01/2011-18:00:00.123456 [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443
I think the keywords would make rule-writing easier, and the log may allow us to validate them (retrospectively) and flag up those that don't validate as suspicious.
Updated by Pierre Chifflier over 13 years ago
I already have some code to parse the TLS handshake, I'll have a look.
Updated by Victor Julien about 13 years ago
- Status changed from New to Assigned
- Assignee set to Pierre Chifflier
- Target version set to 1.2
Pierre is working on this currently, so might just as well assign this ticket :)
Updated by Victor Julien almost 13 years ago
- Target version changed from 1.2 to 1.3beta1
Code seems to have stabilized, but too close to 1.2rc1. Moving to 1.3beta1 so we have more time to test and iron out remaining issues, like errors/warnings to the screen and such.
Updated by Victor Julien almost 13 years ago
- Subject changed from Matching/Logging SSL/TLS certificate details to Matching SSL/TLS certificate details
- Description updated (diff)
- Status changed from Assigned to Closed
Pierre's TLS handshake analyser has been merged, including tls.issuerdn and tls.subject keywords.
Reduced the scope of this ticket, so we can close it. The logging will be part of a new ticket.
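Worked example (added to this ticket page; not Suricata code and not written by the people quoted above): a small Python evaluator that shows how content matches against certificate subject and issuer DNs behave, in the `content:"..."; tls.issuerdn;` modifier form the description proposes and with the keyword names named in the closing comment (tls.subject, tls.issuerdn). Assumptions: matching is a plain substring test on the DN strings (case-insensitive only when `nocase` is given), the rule parser handles only the subset of option keywords used here (content, nocase, tls.subject, tls.issuerdn, msg, sid, rev), and the log format is the one quoted in the description. The first log line is the one from the ticket; the second (a self-signed `CN=localhost` certificate) and all three rules are constructed for the example.

```python
"""Toy evaluator for content matches on TLS certificate DNs (tls.subject /
tls.issuerdn). Added example; not Suricata's own implementation."""
import re
from dataclasses import dataclass


@dataclass
class TlsRecord:
    """One line of the TLS certificate log format quoted in the ticket."""
    timestamp: str
    subject: str
    issuerdn: str
    src: str
    dst: str


@dataclass
class ContentMatch:
    pattern: str
    negated: bool = False   # content:!"..."
    nocase: bool = False    # nocase modifier
    buffer: str = ""        # "tls.subject" or "tls.issuerdn"


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list


# Log lines: the first is copied from the ticket description, the second is
# constructed here (self-signed cert) so the negated rule has something to hit.
SAMPLE_LOG = (
    "07/01/2011-18:00:00.123456 [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated"
    "/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc."
    "/OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority"
    "/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443\n"
    "07/01/2011-18:00:01.000000 [**] /CN=localhost [**] /CN=localhost [**] 10.0.0.5:40000 -> 10.0.0.9:443\n"
)

# Constructed rules in the modifier form proposed in the ticket.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"Cert issued by GoDaddy"; content:"godaddy.com"; nocase; tls.issuerdn; sid:1; rev:1;)
alert tls any any -> any any (msg:"Cert not issued by GoDaddy"; content:!"GoDaddy.com"; tls.issuerdn; sid:2; rev:1;)
alert tls any any -> any any (msg:"OISF wildcard cert from Go Daddy CA"; content:"CN=*.openinfosecfoundation.org"; tls.subject; content:"Go Daddy Secure Certification Authority"; tls.issuerdn; sid:3; rev:1;)
"""

_HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# keyword [ : [!] "quoted" | bare ] ;   (quoted values may contain \" escapes)
_OPTION_RE = re.compile(r'\s*([A-Za-z_.]+)\s*(?::\s*(!?)\s*(?:"((?:[^"\\]|\\.)*)"|([^;"]*)))?\s*;')


def parse_log_line(line: str) -> TlsRecord:
    """Split 'ts [**] subject [**] issuer [**] src -> dst' into a record."""
    timestamp, subject, issuer, flow = line.strip().split(" [**] ")
    src, dst = flow.split(" -> ")
    return TlsRecord(timestamp, subject, issuer, src, dst)


def parse_rule(line: str) -> Rule:
    """Parse the supported subset of rule options; modifiers bind to the last content."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError(f"bad rule header: {line!r}")
    options = m.group(8).strip()
    contents, sid, msg, pos = [], None, "", 0
    while pos < len(options):
        om = _OPTION_RE.match(options, pos)
        if not om:
            raise ValueError(f"cannot parse options near: {options[pos:]!r}")
        pos = om.end()
        kw, neg, quoted, bare = om.groups()
        value = quoted if quoted is not None else (bare or "").strip()
        if kw == "content":
            contents.append(ContentMatch(re.sub(r"\\(.)", r"\1", value), negated=(neg == "!")))
        elif kw in ("nocase", "tls.subject", "tls.issuerdn"):
            if not contents:
                raise ValueError(f"{kw} must follow a content keyword")
            if kw == "nocase":
                contents[-1].nocase = True
            else:
                contents[-1].buffer = kw
        elif kw == "sid":
            sid = int(value)
        elif kw == "msg":
            msg = value
        elif kw != "rev":
            raise ValueError(f"unsupported keyword in this example: {kw!r}")
    if sid is None or not contents:
        raise ValueError("rule needs a sid and at least one content match")
    for c in contents:
        if not c.buffer:
            raise ValueError("content without tls.subject/tls.issuerdn modifier")
    return Rule(sid, msg, contents)


def rule_matches(rule: Rule, rec: TlsRecord) -> bool:
    """All content matches of a rule must hold (AND), each against its own buffer."""
    for c in rule.contents:
        hay = rec.subject if c.buffer == "tls.subject" else rec.issuerdn
        needle = c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == c.negated:  # found-but-negated, or required-but-missing
            return False
    return True


def run_rules(rules_text: str, log_text: str) -> list:
    """Return (sid, timestamp) for every rule that fires on every record."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    records = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    return [(r.sid, rec.timestamp) for rec in records for r in rules if rule_matches(r, rec)]


if __name__ == "__main__":
    for sid, ts in run_rules(SAMPLE_RULES, SAMPLE_LOG):
        print(f"sid {sid} fired at {ts}")
```

Running it fires sid 1 and sid 3 on the GoDaddy-issued certificate and sid 2 on the self-signed one, which is the retrospective "flag what does not match an expected issuer" use the description has in mind. Real Suricata content matching is byte-oriented and also accepts `|hex|` notation, which this toy leaves out.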