Project

General

Profile

Actions
Copy link

Bug #712

closed

wildcard matches on tls.subject

Added by Peter Manev over 11 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Mats Klepsland
Target version:
3.2beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

If we use the tls rules- 

alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 1 (GSS)"; tls.subject:"CN=*.google*";  sid:9999999; rev:1;)
alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 2 (GSS)"; tls.subject:"CN=*.google.com";  sid:9999998; rev:1;)
alert tls any any -> any any (msg:"TEST - Peter - Google Ssl Store 3 (GSS)"; tls.subject:"CN=*.google.*"; sid:9999997; rev:1;)

only sid:9999998 alerts

root@suricata:/var/data/regit/log/suricata# grep "999999" fast.log
01/12/2013-16:04:56.213641  [**] [1:9999998:1] TEST - Peter - Google Ssl Store 2 (GSS) [**] [Classification: (null)] [Priority: 3] {TCP} x.x.x.x:443 -> x.x.x.x:50699
01/12/2013-16:04:52.302157  [**] [1:9999998:1] TEST - Peter - Google Ssl Store 2 (GSS) [**] [Classification: (null)] [Priority: 3] {TCP} x.x.x.x:443 -> x.x.x.x:62835
root@suricata:/var/data/regit/log/suricata#

I am not sure if this is intended behavior or not - but if one wildcard (*) can e used, why not two?

Actions
Copy link

Also available in: Atom PDF