Project

General

Profile

Actions

Feature #5191

closed

new keyword for self signed certificates

Added by Brandon Murphy 9 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

While updating some older TLS sigs in the ET Ruleset which do not make use of existing suricata buffers, I came across a rule (2023476) which uses pcre capture groups to ensure the detected CN value from either the subject or issuer certificate is found at least twice in the content. The rule does not make use of any static values to detect the malicious certificates and relies on a pretty gnarly regex.

When attempting to covert this rule to tls buffers, I did not have a generic way to ensure that the issuer and subject certificates were the same, indicating a self signed certificate.

This issue was discussed in https://redmine.openinfosecfoundation.org/issues/1356, however the solution depends on Lua, which is not required by default, and therefor not an option in this specific effort of updating existing rules.

I propose the creation of a new keyword tls.self_signed which acts similar to that of tls_cert_expired and tls_cert_valid and matches when the subject and issuer are the same.

Actions #1

Updated by Victor Julien 3 months ago

Another method might be to check if there is a single cert in the chain, no full chain.

Actions #2

Updated by Victor Julien 3 months ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 7.0.0-beta1

Implemented a cert chain len keyword.

Actions #3

Updated by Victor Julien 3 months ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Victor Julien 3 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF