
Feature #296

Updated by Victor Julien about 12 years ago

I was wondering whether Suricata could have payload keywords to match part of a TLS/SSL certificate such as "subject", "issuer" etc. The idea is to allow things like

content:"GoDaddy.com"; ssl_issuer;

Another nice feature would be to be able to log them, perhaps in a similar way to the http.log, something like

07/01/2011-18:00:00.123456    [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443

I think the keywords would make rule-writing easier, and the log may allow us to validate them (retrospectively) and flag up those that don't validate as suspicious.
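As an added example (not part of this feature request and not Suricata's own code), the following Python parses lines in the log format proposed above and applies the kind of retrospective check the request mentions. The two log lines, the `TRUSTED_ISSUER_ORGS` allowlist and the `match_content` emulation of the proposed `ssl_issuer`/`ssl_subject` buffer semantics are assumptions constructed for illustration. The point worth seeing is the DN parsing: the issuer in the sample contains a URL in its OU and a comma in its O, so splitting on every `/` or `,` would mangle it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the log format proposed in the feature request; the DNs are
# the ones quoted there, nothing here was captured from a live sensor.
SAMPLE_LOG = (
    "07/01/2011-18:00:00.123456    [**] "
    "/O=*.openinfosecfoundation.org/OU=Domain Control Validated"
    "/CN=*.openinfosecfoundation.org [**] "
    "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc."
    "/OU=http://certificates.godaddy.com/repository"
    "/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] "
    "123.234.56.78:12345 -> 67.19.104.51:443"
)

# Second constructed line: a self-signed certificate (subject == issuer).
SAMPLE_SELF_SIGNED = (
    "07/01/2011-18:00:05.000001    [**] /CN=localhost [**] /CN=localhost [**] "
    "10.0.0.5:40000 -> 192.0.2.10:443"
)

# Split a DN only at a "/" that starts a new "key=" component, so a "/" inside a
# value (the OU=http://... URL) and a "," inside a value ("GoDaddy.com, Inc.") survive.
_DN_SEP = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn):
    """Parse an OpenSSL-style one-line DN into ordered (key, value) pairs."""
    pairs = []
    for part in _DN_SEP.split(dn):
        if not part:
            continue  # empty element produced by the leading "/"
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def dn_get(pairs, key):
    """First value for key, or None; attributes such as OU may repeat, order is kept."""
    for k, v in pairs:
        if k == key:
            return v
    return None


@dataclass
class TlsLogRecord:
    timestamp: str
    subject: str
    issuer: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    subject_dn: list = field(default_factory=list)
    issuer_dn: list = field(default_factory=list)


def parse_log_line(line):
    """Split one log line on the ' [**] ' separators used in the proposed format."""
    ts, subject, issuer, flow = [f.strip() for f in line.split(" [**] ")]
    src, dst = flow.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return TlsLogRecord(ts, subject, issuer, src_ip, int(src_port),
                        dst_ip, int(dst_port), parse_dn(subject), parse_dn(issuer))


def match_content(record, buffer, needle):
    """Emulate 'content:"..."; ssl_issuer;' as a case-sensitive substring test
    against the chosen certificate buffer ("issuer" or "subject")."""
    haystack = record.issuer if buffer == "issuer" else record.subject
    return needle in haystack


# Constructed allowlist of issuer organisations this site expects to see.
TRUSTED_ISSUER_ORGS = {"GoDaddy.com, Inc."}


def flag_record(record):
    """Retrospective checks on a logged certificate; returns the reasons it looks odd."""
    reasons = []
    if record.subject == record.issuer:
        reasons.append("self-signed")
    if dn_get(record.issuer_dn, "O") not in TRUSTED_ISSUER_ORGS:
        reasons.append("issuer not in allowlist")
    return reasons


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_SELF_SIGNED):
        rec = parse_log_line(line)
        print(rec.src_ip, "->", rec.dst_ip, dn_get(rec.subject_dn, "CN"),
              "issuer O:", dn_get(rec.issuer_dn, "O"), "flags:", flag_record(rec))
```

Running it prints a line per record; the GoDaddy-issued sample produces no flags, while the self-signed one is reported as both self-signed and issued by an organisation outside the allowlist.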
