Project

General

Profile

Actions

Feature #713

closed

tls.fingerprint - file usage

Added by Peter Manev almost 12 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Now we can use tls.fingerprint like so -
tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a";

it could beneficial if we can
tls.fingerprint:!"ssl-fingerprint.file"; where could be a file containing a list of SHA1 and/or MD5 ssl cert fingerprints.

Also if a file list is used - it is helpful if more than on rule can use the file list without the file being loaded multiple times (for each rule).


Related issues 1 (0 open1 closed)

Related to Suricata - Feature #2318: matching on large amounts of data with dynamic updatesClosedVictor JulienActions
Actions #1

Updated by Victor Julien almost 12 years ago

  • Target version set to TBD

Would be nice to have.

Actions #2

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Victor Julien over 5 years ago

  • Related to Feature #2318: matching on large amounts of data with dynamic updates added
Actions #4

Updated by Victor Julien over 5 years ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 5.0rc1

TLS fingerprint:

Blacklist:

alert tls any any -> any any (tls.cert_fingerprint; dataset:isset,bad_tls_certs, load bad_tls_certs.rep, type string; sid:3;)

Reputation:

alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_rep, >, 200, load tls_rep.rep, type string; sid:4;)
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_md5_rep, >, 200, load tls_md5_rep.rep, type md5; sid:5;)

https://github.com/OISF/suricata/pull/4166

https://suricata.readthedocs.io/en/latest/rules/datasets.html

Actions

Also available in: Atom PDF