Bug #7274

open

ssl_state:unknown not implemented

Added by Victor Julien 3 months ago. Updated about 2 months ago.

Status: New
Priority: Normal

Description

The keyword supports the "unknown" option, but it is not implemented. The keyword checks a flag in the state "SSL_AL_FLAG_STATE_UNKNOWN", but this flag is never set.
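The failure mode described above, as a simplified model added here; it is not Suricata's code and not part of the original issue. All names and bit values are constructed (`MODEL_STATE_UNKNOWN` stands in for `SSL_AL_FLAG_STATE_UNKNOWN`), and the audit function shows one way a unit test could catch a keyword option whose flag no parser path sets.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit values for this model, not Suricata's definitions.
 * MODEL_STATE_UNKNOWN stands in for SSL_AL_FLAG_STATE_UNKNOWN. */
enum {
    MODEL_STATE_CLIENT_HELLO = 1u << 0,
    MODEL_STATE_SERVER_HELLO = 1u << 1,
    MODEL_STATE_UNKNOWN      = 1u << 2,
};

/* Subset of the options a keyword parser accepts, each mapped to a state bit. */
static const struct { const char *name; uint32_t mask; } kw_options[] = {
    { "client_hello", MODEL_STATE_CLIENT_HELLO },
    { "server_hello", MODEL_STATE_SERVER_HELLO },
    { "unknown",      MODEL_STATE_UNKNOWN },
};

/* Hypothetical protocol parser: flag set for a TLS handshake message type. */
uint32_t parser_on_handshake(uint8_t msg_type) {
    switch (msg_type) {
    case 1:  return MODEL_STATE_CLIENT_HELLO;
    case 2:  return MODEL_STATE_SERVER_HELLO;
    default: return 0; /* no path ever returns MODEL_STATE_UNKNOWN */
    }
}

/* Keyword match: the rule's mask is tested against the flow's state flags. */
int keyword_match(uint32_t kw, uint32_t st) { return (kw & st) != 0; }

/* Union of every flag the parser can set, over all message types. */
uint32_t reachable_flags(void) {
    uint32_t all = 0;
    for (unsigned t = 0; t < 256; t++) all |= parser_on_handshake((uint8_t)t);
    return all;
}

/* Audit: bits of keyword options that no parser path can ever set. */
uint32_t dead_option_mask(void) {
    uint32_t dead = 0, reach = reachable_flags();
    for (size_t i = 0; i < sizeof kw_options / sizeof kw_options[0]; i++)
        if (!(kw_options[i].mask & reach)) dead |= kw_options[i].mask;
    return dead;
}

int main(void) {
    printf("dead keyword bits: 0x%x\n", (unsigned)dead_option_mask());
    return 0;
}
```

In this model a rule using the "unknown" option parses cleanly but can never match, so the only signal is the audit result rather than any error at load time.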


Related issues 1 (1 open, 0 closed)

Related to Suricata - Bug #3218: ssl_state does the wrong thing (Status: New, Assignee: OISF Dev)

Actions #1

Updated by Victor Julien 3 months ago

  • Related to Bug #3218: ssl_state does the wrong thing added

Actions #2

Updated by Jeff Lucovsky about 2 months ago

In src/detect-ssl-state.c, the bit DETECT_SSL_STATE_UNKNOWN is set when the unknown keyword is used.

That flag is defined here:

src/detect-ssl-state.h:32:#define DETECT_SSL_STATE_UNKNOWN      SSL_AL_FLAG_STATE_UNKNOWN

Actions #3

Updated by Victor Julien about 2 months ago

Yes, but SSL_AL_FLAG_STATE_UNKNOWN isn't, so it can't ever match.

Actions #4

Updated by Jeff Lucovsky about 2 months ago

I've found that the unknown state occurs following a handshake failure; are there other conditions leaving the state unknown?

Actions #5

Updated by Victor Julien about 2 months ago

Where is the flag set? I don't see it.
