Project

General

Profile

Actions
Copy link

Bug #7274

open

ssl_state:unknown not implemented

Added by Victor Julien about 2 months ago. Updated 17 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

The keyword supports the "unknown" option, but it is not implemented. The keyword checks a flag in the state "SSL_AL_FLAG_STATE_UNKNOWN", but this flag is never set.

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3218: ssl_state does the wrong thingNewOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien about 2 months ago

  • Related to Bug #3218: ssl_state does the wrong thing added
Actions
Copy link
 #2

Updated by Jeff Lucovsky 20 days ago

In src/detect-ssl-state.c, the bit DETECT_SSL_STATE_UNKNOWN is set when the unknown keyword is used

That flag is defined here

src/detect-ssl-state.h:32:#define DETECT_SSL_STATE_UNKNOWN      SSL_AL_FLAG_STATE_UNKNOWN

Actions
Copy link
 #3

Updated by Victor Julien 20 days ago

Yes, but SSL_AL_FLAG_STATE_UNKNOWN isn't, so it can't ever match.

Actions
Copy link
 #4

Updated by Jeff Lucovsky 19 days ago

I've found that the unknown state occurs following a handshake failure; are there other conditions leaving the state unknown?

Actions
Copy link
 #5

Updated by Victor Julien 17 days ago

Where is the flag set? I don't see it.

Actions
Copy link

Also available in: Atom PDF