Bug #3220

ssl_version keyword negation (!) not working

Added by Min-Gyu Jeon 11 days ago. Updated 3 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty: low
Label:

Description

issue

The ssl_version keyword is not detected when using negation (!)
  • ex
    alert tcp any any -> any any (ssl_version:!sslv3)
    

cause

  • In the DetectSslVersionParse() function, the negation info is not used properly.

how to fix

  • Use the negation info properly
    • Check if other versions have negations

Files

ssl-v2.pcap (40.4 KB), pcap from https://wiki.wireshark.org/SampleCaptures, Min-Gyu Jeon, 10/13/2019 11:16 AM

History

#1

Updated by Andreas Herz 9 days ago

  • Target version set to TBD

As you assigned it to yourself, are you willing to work on this fix?

#2

Updated by Min-Gyu Jeon 7 days ago

  • Yes, I will submit a PR within this week.

#4

Updated by Min-Gyu Jeon 3 days ago

  • Examples.
    • The attached pcap has no detection events when using the rule
      alert tcp any any -> any any (ssl_version:!tls1.3; sid:1;)
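
An added illustration, not Suricata's code and not part of the original report: a minimal C model of the handling the report asks for, where the `!` is stored with the version it prefixes and consulted at match time. The type and function names, and the matching semantics for lists that mix several entries, are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
/* Version names accepted by the ssl_version keyword. */
enum { SSLV2, SSLV3, TLS10, TLS11, TLS12, TLS13, VER_COUNT };
static const char *const ver_names[VER_COUNT] = {
    "sslv2", "sslv3", "tls1.0", "tls1.1", "tls1.2", "tls1.3" };
/* Hypothetical parsed form: which versions were named, and which carried '!'. */
typedef struct { bool listed[VER_COUNT]; bool negated[VER_COUNT]; } SslVersionOpt;

/* Parse option text such as "!tls1.3" or "sslv3,tls1.0". Returns 0, or -1 on error. */
int parse_ssl_version(const char *opt, SslVersionOpt *out)
{
    char buf[128];
    int count = 0;
    memset(out, 0, sizeof(*out));
    if (opt == NULL || strlen(opt) >= sizeof(buf)) return -1;
    memcpy(buf, opt, strlen(opt) + 1);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        tok += strspn(tok, " ");
        bool neg = (*tok == '!');
        if (neg) tok += 1 + strspn(tok + 1, " ");
        int v = 0;
        while (v < VER_COUNT && strcasecmp(tok, ver_names[v]) != 0) v++;
        if (v == VER_COUNT) return -1;     /* unknown or empty version name */
        out->listed[v] = true;
        out->negated[v] = neg;             /* keep the '!' with its version */
        count++;
    }
    return count > 0 ? 0 : -1;
}

/* Assumed semantics: a named version follows its own entry; an unnamed one
 * matches only when the option contains at least one negated entry. */
bool match_ssl_version(const SslVersionOpt *o, int session_ver)
{
    if (session_ver < 0 || session_ver >= VER_COUNT) return false;
    if (o->listed[session_ver]) return !o->negated[session_ver];
    for (int v = 0; v < VER_COUNT; v++)
        if (o->negated[v]) return true;
    return false;
}

/* Convenience wrapper: 1 = match, 0 = no match, -1 = invalid option text. */
int ssl_version_rule_matches(const char *opt, int session_ver)
{
    SslVersionOpt o;
    return parse_ssl_version(opt, &o) != 0 ? -1 : match_ssl_version(&o, session_ver);
}
```

Under these assumptions `!tls1.3` matches an SSLv2 session, while the same option with the `!` dropped does not.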
      
