Actions
Bug #712
closedwildcard matches on tls.subject
Affected Versions:
Effort:
Difficulty:
Label:
Description
If we use the tls rules-
alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 1 (GSS)"; tls.subject:"CN=*.google*"; sid:9999999; rev:1;) alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 2 (GSS)"; tls.subject:"CN=*.google.com"; sid:9999998; rev:1;) alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 3 (GSS)"; tls.subject:"CN=*.google.*"; sid:9999997; rev:1;)
only sid:9999998 alerts
root@suricata:/var/data/regit/log/suricata# grep "999999" fast.log
01/12/2013-16:04:56.213641 [**] [1:9999998:1] TEST - Peter - Google Ssl Store 2 (GSS) [**] [Classification: (null)] [Priority: 3] {TCP} x.x.x.x:443 -> x.x.x.x:50699
01/12/2013-16:04:52.302157 [**] [1:9999998:1] TEST - Peter - Google Ssl Store 2 (GSS) [**] [Classification: (null)] [Priority: 3] {TCP} x.x.x.x:443 -> x.x.x.x:62835
root@suricata:/var/data/regit/log/suricata#
I am not sure if this is intended behavior or not - but if one wildcard (*) can e used, why not two?
Updated by Andreas Herz about 8 years ago
- Assignee set to Mats Klepsland
Could this be something for you Mats?
Updated by Victor Julien about 8 years ago
- Status changed from New to Closed
- Target version changed from TBD to 3.2beta1
Implemented through https://github.com/inliniac/suricata/pull/2249 which introduces 'tls_cert_subject'. It acts like 'file_data', so you can do:
alert tls any any -> any any (tls_cert_subject; content:"google"; pcre:"/someregex/"; sid:1;)
Actions