Bug #5439: Invalid certificate when Issuer is not present.
Status: closed
Label: Needs Suricata-Verify test
Description
When investigating the Sliver Framework, it was observed that certificates which lack an Issuer (or contain an Issuer of zero length) are not parsed by Suricata.
In attempting to write signatures for the framework, this lack of parsing resulted in rules written without the aid of the typical TLS buffers, which do not perform well.
Is it possible to somehow allow the tls.cert_subject buffer to still be populated and detected against?
Anomaly Log
[
  {
    "timestamp": "2022-07-05T19:04:40.880329+0000",
    "flow_id": 1013180826924639,
    "pcap_cnt": 7,
    "event_type": "anomaly",
    "src_ip": "192.168.116.130",
    "src_port": 54080,
    "dest_ip": "54.206.116.39",
    "dest_port": 443,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "community_id": "1:TQlCVrrpCtVqPOOUKXjZ0qVC5qU=",
    "tx_id": 0,
    "anomaly": {
      "app_proto": "tls",
      "type": "applayer",
      "event": "CERTIFICATE_INVALID_DER",
      "layer": "proto_parser"
    }
  }
]
sid:1; does not fire on sliver_cert_2.pcap
alert tls any any -> any any (msg:"test"; flow:established,to_client; tls.cert_subject; content:"localhost"; sid:1;)
sid:2; which makes no use of TLS buffers does fire on sliver_cert_2.pcap
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M4"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; sid:4; rev:1; classtype:trojan-activity; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go;)
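Added example, not Suricata's parser and not code from the report or from the Sliver project: a small Python DER walker that builds two constructed sample certificates, one with an ordinary issuer and one whose issuer is the zero-length SEQUENCE (30 00) described above, and recovers the subject from both. The sample subject mirrors the attribute order the raw-content rule above matches (C, ST, L, STREET, postalCode, CN); the postal code, validity dates, key bits and signature are dummy values, and the string produced by subject_string only approximates how a cert_subject buffer renders a Name.

```python
"""Minimal DER walker for X.509 Names that tolerates an empty issuer.
Added example for the report above (constructed certificates, dummy key and
signature, not valid for any real TLS use; not Suricata's or Sliver's code)."""
import binascii

# Attribute-type OIDs used in the rule above, as DER OID content bytes.
OID_NAMES = {
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x09": "STREET", b"\x55\x04\x11": "postalCode",
    b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN",
}
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def tlv(tag, content):
    """DER-encode one tag/length/value with a definite (short or long) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Return the (tag, value) list of TLVs inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def build_name(attrs):
    """Name ::= SEQUENCE OF RDN, each RDN a SET of one AttributeTypeAndValue.
    An empty attrs list yields the zero-length SEQUENCE (30 00) from the report."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, value)))   # PrintableString
        for oid, value in attrs)
    return tlv(0x30, rdns)

def build_sample_cert(issuer_attrs, subject_attrs):
    """Constructed sample Certificate: real field layout, dummy key and signature."""
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA_ENCRYPTION) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" * 9))                     # dummy key bits
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                        # [0] version v3
              + tlv(0x02, b"\x01")                                 # serialNumber
              + sig_alg                                            # signature
              + build_name(issuer_attrs)                           # issuer
              + tlv(0x30, tlv(0x17, b"220705000000Z")              # validity (dummy)
                          + tlv(0x17, b"230705000000Z"))
              + build_name(subject_attrs)                          # subject
              + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))       # dummy signature

def parse_name(name_value):
    """Decode a Name value into a list of (short type, string value) pairs."""
    attrs = []
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            attrs.append((OID_NAMES.get(oid, binascii.hexlify(oid).decode()),
                          val.decode("utf-8", "replace")))
    return attrs

def parse_certificate(der):
    """Return issuer/subject attributes plus whether the issuer is empty.
    TBSCertificate order (RFC 5280): [version] serial sigalg issuer validity subject spki."""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    return {"issuer": parse_name(issuer), "subject": parse_name(subject),
            "issuer_empty": len(issuer) == 0}   # RFC 5280 4.1.2.4: MUST be non-empty

def subject_string(parsed):
    """Flatten the subject roughly the way a cert_subject-style buffer is matched."""
    return ", ".join(f"{k}={v}" for k, v in parsed["subject"])

# Constructed subject in the attribute order the raw-content rule above matches.
SLIVER_LIKE_SUBJECT = [
    (b"\x55\x04\x06", b"US"), (b"\x55\x04\x08", b"Arizona"),
    (b"\x55\x04\x07", b"Scottsdale"), (b"\x55\x04\x09", b""),
    (b"\x55\x04\x11", b"8525"), (b"\x55\x04\x03", b"localhost"),
]

if __name__ == "__main__":
    for label, issuer in (("empty issuer", []), ("normal issuer", [(b"\x55\x04\x03", b"Test CA")])):
        info = parse_certificate(build_sample_cert(issuer, SLIVER_LIKE_SUBJECT))
        print(f"{label}: issuer_empty={info['issuer_empty']} subject={subject_string(info)}")
```

Running it shows that nothing in the DER encoding prevents recovering the subject when the issuer is empty: the walker returns the same subject for both samples and reports the RFC 5280 violation through issuer_empty instead of discarding the whole certificate, which is the behaviour the report asks about.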