Project

General

Profile

Actions

Bug #3220

open

ssl_version keyword negation (!) not working

Added by Min-Gyu Jeon about 5 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:

Description

issue

*ssl_version keyword being not detected when using negation (!)
  • ex
    alert tcp any any -> any any (ssl_version:!sslv3)
    

cause

  • in DetectSslVersionParse() function, the negation info is not used properly.

how to fix

  • use the negation info properly
    • check if other version have negations

Files

ssl-v2.pcap (40.4 KB) ssl-v2.pcap pcap from https://wiki.wireshark.org/SampleCaptures Min-Gyu Jeon, 10/13/2019 11:16 AM

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #2269: TLS: tls.version: allow negation or comparisonNewCommunity TicketActions
Actions #1

Updated by Andreas Herz about 5 years ago

  • Target version set to TBD

As you assigned it to yourself, are you willing to work on this fix?

Actions #2

Updated by Min-Gyu Jeon about 5 years ago

  • Yes I will summit a PR within this week.
Actions #4

Updated by Min-Gyu Jeon about 5 years ago

  • Examples.
    • The attached pcap has no any detect events when using a rule
      alert tcp any any -> any any (ssl_version:!tls1.3; sid:1;)
      
Actions #5

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #2269: TLS: tls.version: allow negation or comparison added
Actions

Also available in: Atom PDF