Feature #5190

new tls.random keyword

Added by Brandon Murphy almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

While updating some older TLS sigs in the ET Ruleset which do not make use of existing Suricata buffers, I came across a signature which detects malware using a hard-coded TLS request, specifically leveraging the first four bytes of the client random representing the GMT Unix Time.

Until this buffer is added, I am unable to fully convert it to make use of buffers.

I see this is mentioned in https://redmine.openinfosecfoundation.org/issues/1766 and documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS_keyword_expansion. However, that issue is nondiscrete in its asks.


Related issues (1 open, 0 closed)

Related to Suricata - Feature #1766: TLS keyword expansion (Assigned to Mats Klepsland)
