Actions
Feature #5234
closedtls: subjectAltName buffer
Effort:
Difficulty:
Label:
Description
Hi Team,
Does Suricata support parsing subjectAltName data into a SSL/TLS sticky buffer? If not, it would be a nice feature to have if the subjectAltName is present in SSL/TLS certificate or in the X509 extension.
The attached .pcap may be used to test this feature request.
Please note there is an observed inconsistency with how the subjectAltName is being parsed amongst Suricata engine versions.
If Suricata 6+ is used on the attached .pcap, the subjectAltName is parsed:
Suri7
issuerdn C=XX, CN=mamzon.ru, L=XX, O=XX, OU=XX, ST=XX, Email=webmaster@mamzon.ru, subjectAltName=*.mamzon.ru www.mamzon.ru sample: d08f862fc5830ad381db2027c10823c5
If Suricata 5 and below are used, the subjectAltName is not parsed:
Suri5
'issuerdn': 'C=XX, CN=mamzon.ru/L=XX/O=XX/OU=XX/ST=XX/emailAddress=webmaster@mamzon.ru/unknown=*.mamzon.ru www.mamzon.ru',
Files
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 8.0.0-beta1
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine about 1 year ago
- Related to Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5Name added
Updated by Victor Julien 5 days ago
- Subject changed from SSL/TLS Sticky Buffer for subjectAltName to tls: subjectAltName buffer
Actions