Feature #5190

new tls.random keyword

Added by Brandon Murphy almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

While updating some older TLS sigs in the ET Ruleset which do not make use of existing suricata buffers, I came across a signature which detects malware using a hard-coded TLS request, specifically leveraging the first four bytes of the client random representing the GMT Unix Time.

Until this buffer is added, I am unable to fully convert the use to making use of buffers.

I see this is mentioned in https://redmine.openinfosecfoundation.org/issues/1766 and documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS_keyword_expansion. However, that issue is nondiscrete in its asks.


Related issues (1 open, 0 closed)

Related to Suricata - Feature #1766: TLS keyword expansion (Assigned, Mats Klepsland)

#1

Updated by Victor Julien over 2 years ago

#2

Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 7.0.0-beta1

I think this comes down to adding a 4 byte array to the state, then filling that from TLSDecodeHSHelloRandom and registering a new sticky buffer keyword to match on it.
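As an added illustration of what such a buffer would expose (stand-alone example code, not Suricata's implementation and not using TLSDecodeHSHelloRandom), the parser below pulls the 32-byte Random out of a Hello record and reads the four-byte gmt_unix_time field that a hard-coded-Random signature keys on; the sample ClientHello bytes are constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TLS_RANDOM_LEN 32
/* Copy the 32-byte Random out of a TLS handshake record carrying a
 * ClientHello (type 1) or ServerHello (type 2); 1 on success, 0 if truncated
 * or not a Hello. Layout: 5-byte record hdr, 4-byte handshake hdr, 2-byte version. */
static int tls_hello_random(const uint8_t *buf, size_t len,
                            uint8_t out[TLS_RANDOM_LEN])
{
    if (len < 5 + 4 + 2 + TLS_RANDOM_LEN) return 0;
    if (buf[0] != 0x16) return 0;                   /* content type: handshake */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len + 5 > len || rec_len < 4 + 2 + TLS_RANDOM_LEN) return 0;
    if (buf[5] != 0x01 && buf[5] != 0x02) return 0; /* ClientHello / ServerHello */
    memcpy(out, buf + 11, TLS_RANDOM_LEN);
    return 1;
}

/* TLS 1.0-1.2 define Random as gmt_unix_time (4 bytes, big-endian) + 28 random bytes. */
static uint32_t tls_random_gmt_unix_time(const uint8_t rnd[TLS_RANDOM_LEN])
{
    return ((uint32_t)rnd[0] << 24) | ((uint32_t)rnd[1] << 16) |
           ((uint32_t)rnd[2] << 8)  |  (uint32_t)rnd[3];
}

/* Constructed sample, not captured traffic: a minimal TLS 1.0 ClientHello
 * whose Random starts with the fixed timestamp bytes 5f 00 00 00. */
static const uint8_t sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2d,                   /* handshake record, len 45 */
    0x01, 0x00, 0x00, 0x29,                         /* ClientHello, len 41 */
    0x03, 0x01,                                     /* client_version TLS 1.0 */
    0x5f, 0x00, 0x00, 0x00,                         /* gmt_unix_time */
    0xaa, 0xbb, 0xcc, 0xdd, 0xaa, 0xbb, 0xcc, 0xdd, 0xaa, 0xbb, 0xcc, 0xdd,
    0xaa, 0xbb, 0xcc, 0xdd, 0xaa, 0xbb, 0xcc, 0xdd, 0xaa, 0xbb, 0xcc, 0xdd,
    0xaa, 0xbb, 0xcc, 0xdd,                         /* 28 random bytes */
    0x00,                                           /* session_id length 0 */
    0x00, 0x02, 0x00, 0x2f,                         /* one cipher suite */
    0x01, 0x00                                      /* null compression only */
};

int main(void)
{
    uint8_t rnd[TLS_RANDOM_LEN];
    if (tls_hello_random(sample_client_hello, sizeof sample_client_hello, rnd))
        printf("gmt_unix_time = %u\n", (unsigned)tls_random_gmt_unix_time(rnd));
    return 0;
}
```

A rule built on such a buffer would compare the extracted Random (or its first four bytes) against the hard-coded value instead of matching raw payload offsets.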

#3

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from Assigned to In Review

#4

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from In Review to Closed