Feature #5190

open

new tls.random keyword

Added by Brandon Murphy 5 months ago. Updated 18 days ago.

Status: In Review
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

While updating some older TLS sigs in the ET Ruleset which do not make use of existing suricata buffers, I came across a signature which detects malware using a hard-coded TLS request, specifically leveraging the first four bytes of the client random representing the GMT Unix Time.

Until this buffer is added, I am unable to fully convert the signature to make use of buffers.

I see this is mentioned in https://redmine.openinfosecfoundation.org/issues/1766 and documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS_keyword_expansion. However that issue is nondiscrete in its asks.


Related issues (1 open, 0 closed)

Related to Feature #1766: TLS keyword expansion (Assigned, Mats Klepsland)
Actions #1

Updated by Victor Julien 2 months ago

Actions #2

Updated by Victor Julien 2 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 7.0rc1

I think this comes down to adding a 4 byte array to the state, then filling that from TLSDecodeHSHelloRandom and registering a new sticky buffer keyword to match on it.
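The detection the description relies on, as an added example that is not part of this issue or of Suricata's own code: parse a TLS ClientHello record, pull out the 32-byte random that the proposed tls.random buffer would expose, read its first four bytes as gmt_unix_time, and compare a fixed prefix the way a rule anchored at offset 0 would. The ClientHello record and the fixed random value are constructed here for the example.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

RANDOM_LEN = 32  # ClientHello.random is always 32 bytes

def parse_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte random from a TLS ClientHello record, or None."""
    # TLS record header: ContentType(1) ProtocolVersion(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    # Handshake header: HandshakeType(1) length(3); 0x01 = client_hello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello body starts with client_version(2) followed by random(32)
    if len(hello) < 2 + RANDOM_LEN:
        return None
    return hello[2:2 + RANDOM_LEN]

def gmt_unix_time(random32: bytes) -> int:
    """First 4 bytes of the random as big-endian gmt_unix_time (RFC 5246 layout)."""
    (t,) = struct.unpack("!I", random32[:4])
    return t

def random_prefix_matches(record: bytes, prefix: bytes) -> bool:
    """What a tls.random rule matching at offset 0 would do: compare the leading bytes."""
    rnd = parse_client_random(record)
    return rnd is not None and rnd.startswith(prefix)

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record used as sample input (not a capture)."""
    hello = (b"\x03\x03" + random32
             + b"\x00"                # session_id length 0
             + b"\x00\x02\x13\x01"    # one cipher suite
             + b"\x01\x00"            # null compression only
             + b"\x00\x00")           # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a hypothetical fixed random whose gmt_unix_time never changes
SAMPLE_RANDOM = bytes.fromhex("5d4f2a10") + bytes(range(28))
SAMPLE_RECORD = build_client_hello(SAMPLE_RANDOM)

if __name__ == "__main__":
    rnd = parse_client_random(SAMPLE_RECORD)
    ts = gmt_unix_time(rnd)
    print(rnd.hex(), datetime.fromtimestamp(ts, tz=timezone.utc).isoformat())
    print("hard-coded prefix match:", random_prefix_matches(SAMPLE_RECORD, bytes.fromhex("5d4f2a10")))
```

A real client's random changes every handshake, so a fixed gmt_unix_time across many connections is the anomaly the signature keys on, and a truncated or non-handshake record yields no buffer at all.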

Actions #3

Updated by Shivani Bhardwaj 18 days ago

  • Status changed from Assigned to In Review