Bug #3220

open

ssl_version keyword negation (!) not working

Added by Min-Gyu Jeon over 4 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty: low
Label:

Description

issue

  • ssl_version keyword is not detected when using negation (!)
  • ex
    alert tcp any any -> any any (ssl_version:!sslv3)
    

cause

  • In the DetectSslVersionParse() function, the negation info is not used properly.

how to fix

  • Use the negation info properly
    • Check if other versions have negations

Files

ssl-v2.pcap (40.4 KB): pcap from https://wiki.wireshark.org/SampleCaptures (Min-Gyu Jeon, 10/13/2019 11:16 AM)

Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #2269: TLS: tls.version: allow negation or comparison (New, Community Ticket)
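
An added example, not code from this issue or from Suricata: a minimal C parser and matcher for an ssl_version-style value that records the negation flag per version and honours it at match time, which is the behaviour the report says is missing. All type and function names are hypothetical, and the handling of mixed lists (plain entries as an allow-list, negated entries as exclusions) is an assumption.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical names throughout; this is not Suricata's own source. */
enum { V_SSL2, V_SSL3, V_TLS10, V_TLS11, V_TLS12, V_TLS13, V_MAX };
static const char *const kNames[V_MAX] = {
    "sslv2", "sslv3", "tls1.0", "tls1.1", "tls1.2", "tls1.3" };

typedef struct {
    bool listed[V_MAX];   /* version appears in the option value */
    bool negated[V_MAX];  /* it was written with a leading '!' */
} VersionSpec;

/* Parse values such as "!sslv3" or "sslv2,!tls1.0". Returns 0, or -1 on error. */
int spec_parse(const char *arg, VersionSpec *out)
{
    int count = 0;
    memset(out, 0, sizeof(*out));
    while (*arg != '\0') {
        arg += strspn(arg, " ,");            /* skip separators */
        if (*arg == '\0') break;
        bool neg = (*arg == '!');
        if (neg) arg++;
        size_t len = strcspn(arg, " ,");
        int v = 0;
        while (v < V_MAX && (strlen(kNames[v]) != len || strncmp(arg, kNames[v], len) != 0))
            v++;
        if (v == V_MAX) return -1;           /* unknown or empty version name */
        out->listed[v] = true;
        out->negated[v] = neg;               /* keep the flag per version */
        arg += len;
        count++;
    }
    return count > 0 ? 0 : -1;
}

/* Assumed semantics: a negated entry excludes that version, plain entries form
 * an allow-list, and a value with only negated entries matches everything else. */
bool spec_match(const VersionSpec *s, int ver)
{
    bool any_plain = false;
    if (ver < 0 || ver >= V_MAX) return false;
    for (int v = 0; v < V_MAX; v++)
        if (s->listed[v] && !s->negated[v]) any_plain = true;
    if (s->listed[ver]) return !s->negated[ver];
    return !any_plain;
}
```

With this logic, a record parsed as SSLv2 matches the value !tls1.3, which is the case the attached pcap is reported not to alert on.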
Actions #1

Updated by Andreas Herz over 4 years ago

  • Target version set to TBD

As you assigned it to yourself, are you willing to work on this fix?

Actions #2

Updated by Min-Gyu Jeon over 4 years ago

  • Yes, I will submit a PR within this week.
Actions #4

Updated by Min-Gyu Jeon over 4 years ago

  • Examples.
    • The attached pcap produces no detection events when using the rule
      alert tcp any any -> any any (ssl_version:!tls1.3; sid:1;)
      
Actions #5

Updated by Philippe Antoine 6 months ago

  • Related to Feature #2269: TLS: tls.version: allow negation or comparison added