@ -17,9 +17,21 @@ Examples::
|
|
|
|
|
|
|
|
|
|
``tls.cert_subject`` can be used as ``fast_pattern``.
|
|
|
|
|
|
|
|
|
|
``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``. You may continue
|
|
|
|
|
to use the previous name, but it's recommended that rules be converted to use
|
|
|
|
|
the new name.
|
|
|
|
|
tls.subject
|
|
|
|
|
~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
Legacy keyword to match TLS/SSL certificate Subject field.
|
|
|
|
|
|
|
|
|
|
example:
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
tls.subject:"CN=*.googleusercontent.com"
|
|
|
|
|
|
|
|
|
|
Case sensitive, can't use 'nocase', or other modifiers.
|
|
|
|
|
|
|
|
|
|
**Note:** ``tls.cert_subject`` replaces the following legacy keywords: ``tls_cert_subject`` and ``tls.subject``.
|
|
|
|
|
It's recommended that rules be converted to use the new one.
|
|
|
|
|
|
|
|
|
|
tls.cert_issuer
|
|
|
|
|
---------------
|
|
|
|
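Review bot: the tls.cert_subject section now states the replacement twice: once in the existing paragraph (``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``) and again in the new **Note** after the tls.subject example, which lists both ``tls_cert_subject`` and ``tls.subject``. Fold these into a single statement. The new text also says ``tls.subject`` is case sensitive and takes no modifiers, so the recommendation to convert would be easier to follow if the ``tls.subject:"CN=*.googleusercontent.com"`` example were shown rewritten with ``tls.cert_subject``. Minor: "can't use 'nocase', or other modifiers" reads better without the comma, and "example:" followed by a separate ``::`` could use the ``Example::`` form seen elsewhere in the file.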
@ -35,9 +47,21 @@ Examples::
|
|
|
|
|
|
|
|
|
|
``tls.cert_issuer`` can be used as ``fast_pattern``.
|
|
|
|
|
|
|
|
|
|
``tls.cert_issuer`` replaces the previous keyword name: ``tls_cert_issuer``. You may continue
|
|
|
|
|
to use the previous name, but it's recommended that rules be converted to use
|
|
|
|
|
the new name.
|
|
|
|
|
tls.issuerdn
|
|
|
|
|
~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
Legacy keyword to match TLS/SSL certificate IssuerDN field
|
|
|
|
|
|
|
|
|
|
example:
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
tls.issuerdn:!"CN=Google-Internet-Authority"
|
|
|
|
|
|
|
|
|
|
Case sensitive, can't use 'nocase', or other modifiers.
|
|
|
|
|
|
|
|
|
|
**Note:** ``tls.cert_issuer`` replaces the following legacy keywords: ``tls_cert_issuer`` and ``tls.issuerdn``.
|
|
|
|
|
It's recommended that rules be converted to use the new one.
|
|
|
|
|
|
|
|
|
|
tls.cert_serial
|
|
|
|
|
---------------
|
|
|
|
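Review bot: the only tls.issuerdn example is a negated match (``tls.issuerdn:!"CN=Google-Internet-Authority"``), and nothing around it says what the ``!`` does. Add a sentence on negation, or a plain positive example beside it, so that a reader converting the rule to ``tls.cert_issuer`` knows which behaviour to preserve. Also, "Legacy keyword to match TLS/SSL certificate IssuerDN field" is missing its full stop, unlike the matching tls.subject line, and the section now says twice that ``tls.cert_issuer`` replaces ``tls_cert_issuer``; one statement would do.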
@ -186,38 +210,6 @@ Example::
|
|
|
|
|
alert tls any any -> any any (msg:"match SSLv2 and SSLv3"; \
|
|
|
|
|
ssl_version:sslv2,sslv3; sid:200031;)
|
|
|
|
|
|
|
|
|
|
tls.subject
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
Match TLS/SSL certificate Subject field.
|
|
|
|
|
|
|
|
|
|
example:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
tls.subject:"CN=*.googleusercontent.com"
|
|
|
|
|
|
|
|
|
|
Case sensitive, can't use 'nocase'.
|
|
|
|
|
|
|
|
|
|
Legacy keyword. ``tls.cert_subject`` is the replacement.
|
|
|
|
|
|
|
|
|
|
tls.issuerdn
|
|
|
|
|
------------
|
|
|
|
|
|
|
|
|
|
match TLS/SSL certificate IssuerDN field
|
|
|
|
|
|
|
|
|
|
example:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
tls.issuerdn:!"CN=Google-Internet-Authority"
|
|
|
|
|
|
|
|
|
|
Case sensitive, can't use 'nocase'.
|
|
|
|
|
|
|
|
|
|
Legacy keyword. ``tls.cert_issuer`` is the replacement.
|
|
|
|
|
|
|
|
|
|
tls.fingerprint
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
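Review bot: check that existing cross-references and table-of-contents entries for ``tls.subject`` and ``tls.issuerdn`` still resolve. The hunk header (38 lines down to 6) shows the two top-level sections with ``-----`` underlines going away between the ssl_version example and tls.fingerprint, and the same titles reappear earlier in the file as ``~~~~`` subsections, so both their position and their heading level change. The wording changed in the move as well: "Case sensitive, can't use 'nocase'." here becomes "Case sensitive, can't use 'nocase', or other modifiers." in the new location. If that is an intended correction rather than a side effect of the move, say so in the commit message.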