Bug #3220

tls: ssl_version keyword negation (!) not working

Added by Min-Gyu Jeon over 6 years ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty: low
Label:

Description

issue

  • ssl_version keyword is not detected when using negation (!)
    • ex
      alert tcp any any -> any any (ssl_version:!sslv3)
    

cause

  • in DetectSslVersionParse() function, the negation info is not used properly.

how to fix

  • use the negation info properly
    • check if other versions have negations

Files

ssl-v2.pcap (40.4 KB): pcap from https://wiki.wireshark.org/SampleCaptures (Min-Gyu Jeon, 10/13/2019 11:16 AM)
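
A minimal model of the behaviour the description asks for, as an added example that is not Suricata's code or the submitted fix. It assumes that a negated entry excludes that version, and that a version not named in the list matches only when the list contains at least one negated entry (the "check if other versions have negations" step); `SslVersionSpec`, `spec_parse` and `rule_matches` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added model of the expected ssl_version semantics; not Suricata's code. */
enum { V_MAX = 6 };
static const char *const NAMES[V_MAX] = {"sslv2", "sslv3", "tls1.0", "tls1.1", "tls1.2", "tls1.3"};
typedef struct { unsigned listed, negated; } SslVersionSpec; /* bitmasks: plain / '!' entries */

static int version_index(const char *s, size_t n) {
    for (int i = 0; i < V_MAX; i++) {
        size_t k = 0;
        if (strlen(NAMES[i]) != n) continue;
        while (k < n && tolower((unsigned char)s[k]) == NAMES[i][k]) k++;
        if (k == n) return i;
    }
    return -1;
}

/* Parse "[!]ver[,[!]ver...]"; returns 0, or -1 on unknown/empty/duplicate. */
int spec_parse(const char *p, SslVersionSpec *out) {
    out->listed = out->negated = 0;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        int neg = (*p == '!');
        if (neg) p++;
        size_t n = strcspn(p, ", \t");
        int v = version_index(p, n);
        if (v < 0 || ((out->listed | out->negated) & (1u << v))) return -1;
        if (neg) out->negated |= 1u << v; else out->listed |= 1u << v;
        p += n;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') return 0;
        if (*p++ != ',') return -1;
    }
}

/* 1 = option matches the observed version, 0 = no match, -1 = bad input. */
int rule_matches(const char *arg, const char *seen_name) {
    SslVersionSpec s;
    int seen = version_index(seen_name, strlen(seen_name));
    if (seen < 0 || spec_parse(arg, &s) != 0) return -1;
    if (s.negated & (1u << seen)) return 0; /* explicitly excluded */
    if (s.listed & (1u << seen)) return 1;  /* explicitly listed */
    return s.negated != 0; /* unlisted: match only if other versions are negated */
}

int main(void) { /* constructed case: the !tls1.3 option against an SSLv2 session */
    printf("!tls1.3 vs sslv2 -> %d\n", rule_matches("!tls1.3", "sslv2"));
    return 0;
}
```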

Subtasks 2 (0 open, 2 closed)

Bug #8155: tls: ssl_version keyword negation (!) not working (8.0.x backport) (Closed, Philippe Antoine)
Bug #8158: tls: ssl_version keyword negation (!) not working (7.0.x backport) (Closed, Philippe Antoine)

Related issues 2 (2 open, 0 closed)

Related to Suricata - Feature #2269: tls: tls.version: allow negation or comparison (New, Community Ticket)
Related to Suricata - Bug #7250: tls version match can have incorrect behaviour (New, Victor Julien)

Updated by Andreas Herz over 6 years ago #1

  • Target version set to TBD

As you assigned it to yourself, are you willing to work on this fix?

Updated by Min-Gyu Jeon over 6 years ago #2

  • Yes, I will submit a PR within this week.

Updated by Min-Gyu Jeon over 6 years ago #4

  • Examples.
    • The attached pcap has no detection events when using the rule
      alert tcp any any -> any any (ssl_version:!tls1.3; sid:1;)
      

Updated by Philippe Antoine over 2 years ago #5

  • Related to Feature #2269: tls: tls.version: allow negation or comparison added

Updated by Philippe Antoine 9 months ago #6

  • Assignee changed from Min-Gyu Jeon to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1

Updated by Philippe Antoine 9 months ago #7

  • Affected Versions 8.0.0 added

Updated by Philippe Antoine 7 months ago #8

  • Related to Bug #7250: tls version match can have incorrect behaviour added

Updated by Philippe Antoine 6 months ago #9

  • Status changed from New to Assigned

Updated by Philippe Antoine 5 months ago #10

  • Status changed from Assigned to In Review

Updated by Philippe Antoine 4 months ago #11

  • Status changed from In Review to Closed

Updated by Victor Julien 4 months ago #12

I think we want to backport to 8 and even to 7?

Updated by Philippe Antoine 4 months ago #13

  • Status changed from Closed to Resolved
  • Label Needs backport to 8.0 added

Updated by OISF Ticketbot 4 months ago #14

  • Subtask #8155 added

Updated by OISF Ticketbot 4 months ago #15

  • Label deleted (Needs backport to 8.0)

Updated by Victor Julien 4 months ago #16

  • Label Needs backport to 7.0 added

Updated by OISF Ticketbot 4 months ago #17

  • Subtask #8158 added

Updated by OISF Ticketbot 4 months ago #18

  • Label deleted (Needs backport to 7.0)

Updated by Philippe Antoine 4 months ago #19

  • Status changed from Resolved to Closed

Updated by Shivani Bhardwaj 3 months ago #20

  • Subject changed from ssl_version keyword negation (!) not working to tls: ssl_version keyword negation (!) not working