Feature #713
Closed
tls.fingerprint - file usage
Description
Now we can use tls.fingerprint like so -
tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a";
It could be beneficial if we can use
tls.fingerprint:!"ssl-fingerprint.file"; where this could be a file containing a list of SHA1 and/or MD5 SSL cert fingerprints.
Also, if a file list is used, it is helpful if more than one rule can use the file list without the file being loaded multiple times (for each rule).
Updated by Victor Julien over 5 years ago
- Related to Feature #2318: matching on large amounts of data with dynamic updates added
Updated by Victor Julien over 5 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0rc1
TLS fingerprint:
Blacklist:
alert tls any any -> any any (tls.cert_fingerprint; dataset:isset,bad_tls_certs, load bad_tls_certs.rep, type string; sid:3;)
Reputation:
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_rep, >, 200, load tls_rep.rep, type string; sid:4;)
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_md5_rep, >, 200, load tls_md5_rep.rep, type md5; sid:5;)
https://github.com/OISF/suricata/pull/4166
https://suricata.readthedocs.io/en/latest/rules/datasets.html
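Added example, not part of the ticket or of Suricata's own code: a helper that turns a list of SHA1 certificate fingerprints into the files loaded by the `type string` rules above (sid:3 and sid:4). It assumes the file format described in the linked datasets documentation (one base64-encoded value per line, with `,<reputation>` appended for datarep); the function names and sample list are constructed for illustration.

```python
import base64
import re

def normalize_sha1(fp):
    """Lowercase colon-separated hex, the notation used in the ticket's rule."""
    digits = re.sub(r"[\s:-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))

def dataset_lines(fingerprints, reputation=None):
    """Return one file line per unique fingerprint.

    Assumed format: base64(value) per line for dataset, and
    base64(value),<reputation 0-65535> per line for datarep.
    """
    if reputation is not None and not 0 <= reputation <= 65535:
        raise ValueError("reputation must be in 0..65535")
    seen, lines = set(), []
    for raw in fingerprints:
        raw = raw.strip()
        if not raw or raw.startswith("#"):   # skip blanks and comments
            continue
        fp = normalize_sha1(raw)
        if fp in seen:                       # same certificate listed twice
            continue
        seen.add(fp)
        b64 = base64.b64encode(fp.encode("ascii")).decode("ascii")
        lines.append(b64 if reputation is None else f"{b64},{reputation}")
    return lines

# Constructed input: the first value is the fingerprint quoted in the ticket,
# the second is the same value in another notation, the last one is made up.
SAMPLE = [
    "f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a",
    "F3402148702C31BCB5AA22AD63D6BC2EB346E25A",
    "# comment line",
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
]

if __name__ == "__main__":
    with open("bad_tls_certs.rep", "w") as out:   # file name from sid:3
        out.write("\n".join(dataset_lines(SAMPLE)) + "\n")
    with open("tls_rep.rep", "w") as out:         # file name from sid:4
        # 250 is above the "> 200" threshold used in sid:4
        out.write("\n".join(dataset_lines(SAMPLE, reputation=250)) + "\n")
```

Normalizing before encoding matters because the dataset lookup is an exact string match: an uppercase or unseparated fingerprint in the file would load without error and never match.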