Feature #713

tls.fingerprint - file usage

Added by Peter Manev over 6 years ago. Updated 14 days ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Now we can use tls.fingerprint like so -
tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a";

It could be beneficial if we could use
tls.fingerprint:!"ssl-fingerprint.file"; where "ssl-fingerprint.file" could be a file containing a list of SHA1 and/or MD5 ssl cert fingerprints.

Also, if a file list is used, it is helpful if more than one rule can use the file list without the file being loaded multiple times (once for each rule).


Related issues

Related to Feature #2318: matching on large amounts of data with dynamic updates (Closed)

History

#1

Updated by Victor Julien over 6 years ago

  • Target version set to TBD

Would be nice to have.

#2

Updated by Andreas Herz over 3 years ago

  • Assignee set to OISF Dev

#3

Updated by Victor Julien 5 months ago

  • Related to Feature #2318: matching on large amounts of data with dynamic updates added

#4

Updated by Victor Julien 14 days ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 5.0rc1

TLS fingerprint:

Blacklist:

alert tls any any -> any any (tls.cert_fingerprint; dataset:isset,bad_tls_certs, load bad_tls_certs.rep, type string; sid:3;)

Reputation:

alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_rep, >, 200, load tls_rep.rep, type string; sid:4;)
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_md5_rep, >, 200, load tls_md5_rep.rep, type md5; sid:5;)

https://github.com/OISF/suricata/pull/4166

https://suricata.readthedocs.io/en/latest/rules/datasets.html
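As an added example (not code from the ticket or from the Suricata project): a Python helper that builds a reputation file of the kind the datarep rules above load. It assumes the dataset file format described in the linked datasets documentation, where a `type string` value is stored base64-encoded, one per line, and a datarep line is `<base64 value>,<reputation>`; the fingerprints are normalized to the lowercase, colon-separated SHA1 form that the `tls.cert_fingerprint` buffer exposes, so that the lookup actually matches.

```python
import base64
import re

# Constructed sample input: certificate SHA1 fingerprints with a reputation
# score, as a defender might collect them from an incident report. They are
# deliberately mixed case, with and without colon separators.
SAMPLE_ENTRIES = [
    ("F3:40:21:48:70:2C:31:BC:B5:AA:22:AD:63:D6:BC:2E:B3:46:E2:5A", 250),
    ("a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", 180),
]

_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def normalize_sha1(fp: str) -> str:
    """Return the fingerprint as tls.cert_fingerprint carries it:
    lowercase hex, bytes separated by colons."""
    raw = fp.strip().lower().replace(":", "")
    if not _SHA1_HEX.match(raw):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))


def dataset_line(fp: str) -> str:
    """Line for a 'type string' dataset file: the value is base64-encoded."""
    return base64.b64encode(normalize_sha1(fp).encode("ascii")).decode("ascii")


def datarep_line(fp: str, rep: int) -> str:
    """Line for a 'type string' datarep file: '<base64 value>,<reputation>'."""
    return f"{dataset_line(fp)},{int(rep)}"


def decode_datarep_line(line: str):
    """Inverse of datarep_line, useful for checking a file before loading it."""
    value, rep = line.rsplit(",", 1)
    return base64.b64decode(value).decode("ascii"), int(rep)


def write_datarep_file(path: str, entries) -> int:
    """Write entries as a datarep file; returns the number of lines written."""
    with open(path, "w", encoding="ascii") as fh:
        for fp, rep in entries:
            fh.write(datarep_line(fp, rep) + "\n")
    return len(entries)


if __name__ == "__main__":
    # Hypothetical file name; the rule would then use 'load tls_rep.rep'.
    print(write_datarep_file("tls_rep.rep", SAMPLE_ENTRIES), "entries written")
```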
