new tls.random keyword
While updating some older TLS sigs in the ET Ruleset which do not make use of existing Suricata buffers, I came across a signature which detects malware using a hard-coded TLS request, specifically leveraging the first four bytes of the client random representing the GMT Unix Time.
Until this buffer is added, I am unable to fully convert it to make use of buffers.
I see this is mentioned in https://redmine.openinfosecfoundation.org/issues/1766 and documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS_keyword_expansion. However, that issue is nondiscrete in its asks.
Updated by Victor Julien 6 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 7.0.0-beta1
I think this comes down to adding a 4 byte array to the state, then filling that from TLSDecodeHSHelloRandom and registering a new sticky buffer keyword to match on it.
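As an added example (not part of this issue and not Suricata's own code), the following Python parses a TLS ClientHello record, pulls out the 32-byte client random, and isolates the leading four GMT Unix Time bytes that the requested buffer would expose; `matches_hardcoded_random` then emulates what a `content` match anchored at offset 0, depth 4 on such a buffer would do for the hard-coded value described above. The sample record and its random are constructed, not captured traffic, and the function names are my own.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello record (not captured traffic).
# Layout: record header (5) + handshake header (4) + client_version (2) + random (32)
# + session_id length (1, zero) + cipher_suites (2 + 2) + compression methods (1 + 1).
SAMPLE_RANDOM = bytes.fromhex("5f6e8a00") + bytes(range(28))  # first 4 bytes = GMT Unix Time
_body = b"\x03\x03" + SAMPLE_RANDOM + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
SAMPLE_CLIENT_HELLO = (
    b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4)   # handshake record, TLS 1.0 wire version
    + b"\x01" + len(_body).to_bytes(3, "big") + _body     # handshake type 1 = ClientHello
)


def parse_client_hello_random(data: bytes) -> bytes:
    """Return the 32-byte random from a TLS ClientHello record; raise ValueError otherwise."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("truncated record")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:                       # client_version + random must be present
        raise ValueError("ClientHello too short for random")
    return body[2:34]


def gmt_unix_time_bytes(random32: bytes) -> bytes:
    """The 4-byte GMT Unix Time field is the first four bytes of the random (RFC 5246 layout)."""
    return random32[:4]


def matches_hardcoded_random(data: bytes, expected_prefix: bytes) -> bool:
    """Emulate a content match at offset 0, depth 4 on the proposed random buffer.

    Malformed or non-ClientHello input simply does not match, as a detection
    engine would treat it, rather than raising.
    """
    try:
        return gmt_unix_time_bytes(parse_client_hello_random(data)) == expected_prefix
    except ValueError:
        return False
```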