Feature #296
closed
Matching SSL/TLS certificate details
Added by Chris Wakelin almost 13 years ago.
Updated about 12 years ago.
Description
I was wondering whether Suricata could have payload keywords to match part of a TLS/SSL certificate such as "subject", "issuer" etc. The idea is to allow things like
content:"GoDaddy.com"; ssl_issuer;
07/01/2011-18:00:00.123456 [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443
I think the keywords would make rule-writing easier, and the log may allow us to validate them (retrospectively) and flag up those that don't validate as suspicious.
I already have some code to parse the TLS handshake, I'll have a look.
- Status changed from New to Assigned
- Assignee set to Pierre Chifflier
- Target version set to 1.2
Pierre is working on this currently, so might just as well assign this ticket :)
- Target version changed from 1.2 to 1.3beta1
Code seems to have stabilized, but too close to 1.2rc1. Moving to 1.3beta1 so we have more time to test and iron out remaining issues, like errors/warnings to the screen and such.
- Subject changed from Matching/Logging SSL/TLS certificate details to Matching SSL/TLS certificate details
- Description updated (diff)
- Status changed from Assigned to Closed
Pierre's TLS handshake analyser has been merged, including tls.issuerdn and tls.subject keywords.
Reduced the scope of this ticket, so we can close it. The logging will be part of a new ticket.
Also available in: Atom
PDF