Project

General

Profile

Actions

Feature #5190

closed

new tls.random keyword

Added by Brandon Murphy 7 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

While updating some older TLS sigs in the ET Ruleset which do not make use of existing suricata buffers, I came across this a signature which detects malware using a hard-coded TLS request, specifically leveraging the first four bytes of the client random representing the GMT Unix Time.

Until this buffer is added, I am unable to fully convert the use to making use of buffers.

I see this is mentioned in https://redmine.openinfosecfoundation.org/issues/1766 and documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS_keyword_expansion. However that issue is nondiscrete in it's asks.


Related issues 1 (1 open0 closed)

Related to Feature #1766: TLS keyword expansionAssignedMats KlepslandActions
Actions

Also available in: Atom PDF