documentation: sticky buffer updates

This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name>
pull/3818/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent 7f102d95b6
commit 97fc7c1e1a

@ -5,7 +5,7 @@ Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 i
JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
ja3_hash
ja3.hash
--------
Match on JA3 hash (md5).
@ -13,14 +13,18 @@ Match on JA3 hash (md5).
Example::
alert tls any any -> any any (msg:"match JA3 hash"; \
ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
sid:100001;)
``ja3_hash`` is a 'Sticky buffer'.
``ja3.hash`` is a 'Sticky buffer'.
``ja3_hash`` can be used as ``fast_pattern``.
``ja3.hash`` can be used as ``fast_pattern``.
ja3_string
``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
ja3.string
----------
Match on JA3 string.
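Review bot: the three-line paragraph "``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue to use the previous name, but it's recommended that rules be converted to use the new name." is repeated verbatim, with only the keyword swapped, in every renamed section of this patch; consider stating the rename policy once per page (for example in a ``.. note::`` under the page intro) and keeping a one-line "Previous name: ``ja3_hash``" per section, which is easier to keep consistent as more keywords are renamed. The new heading underlines (``ja3.hash`` with 8 dashes, ``ja3.string`` with 10) match the title lengths, so Sphinx will not warn.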
@ -28,9 +32,13 @@ Match on JA3 string.
Example::
alert tls any any -> any any (msg:"match JA3 string"; \
ja3_string; content:"19-20-21-22"; \
ja3.string; content:"19-20-21-22"; \
sid:100002;)
``ja3_string`` is a 'Sticky buffer'.
``ja3.string`` is a 'Sticky buffer'.
``ja3.string`` can be used as ``fast_pattern``.
``ja3_string`` can be used as ``fast_pattern``.
``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.

@ -3,35 +3,43 @@ SSL/TLS Keywords
Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.
tls_cert_subject
tls.cert_subject
----------------
Match TLS/SSL certificate Subject field.
Examples::
tls_cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
tls_cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";
tls.cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
tls.cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";
``tls_cert_subject`` is a 'Sticky buffer'.
``tls.cert_subject`` is a 'Sticky buffer'.
``tls_cert_subject`` can be used as ``fast_pattern``.
``tls.cert_subject`` can be used as ``fast_pattern``.
tls_cert_issuer
``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls.cert_issuer
---------------
Match TLS/SSL certificate Issuer field.
Examples::
tls_cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
tls_cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
tls.cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
tls.cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
``tls.cert_issuer`` is a 'Sticky buffer'.
``tls_cert_issuer`` is a 'Sticky buffer'.
``tls.cert_issuer`` can be used as ``fast_pattern``.
``tls_cert_issuer`` can be used as ``fast_pattern``.
``tls.cert_issuer`` replaces the previous keyword name: ``tls_cert_issuer``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_serial
tls.cert_serial
---------------
Match on the serial number in a certificate.
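Review bot: the unchanged intro line "Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake." is the natural place to say once that the sticky buffer keywords now use the ``tls.<name>`` form and that the ``tls_<name>`` spellings are still accepted; as written, a reader only discovers this section by section. The underlines for ``tls.cert_subject`` (16 dashes) and ``tls.cert_issuer`` (15 dashes) match the new title lengths.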
@ -39,13 +47,17 @@ Match on the serial number in a certificate.
Example::
alert tls any any -> any any (msg:"match cert serial"; \
tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
tls.cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
``tls.cert_serial`` is a 'Sticky buffer'.
``tls_cert_serial`` is a 'Sticky buffer'.
``tls.cert_serial`` can be used as ``fast_pattern``.
``tls_cert_serial`` can be used as ``fast_pattern``.
``tls.cert_serial`` replaces the previous keyword name: ``tls_cert_serial``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_fingerprint
tls.cert_fingerprint
--------------------
Match on the SHA-1 fingerprint of the certificate.
@ -53,27 +65,35 @@ Match on the SHA-1 fingerprint of the certificate.
Example::
alert tls any any -> any any (msg:"match cert fingerprint"; \
tls_cert_fingerprint; \
tls.cert_fingerprint; \
content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \
sid:200023;)
``tls_cert_fingerprint`` is a 'Sticky buffer'.
``tls.cert_fingerprint`` is a 'Sticky buffer'.
``tls_cert_fingerprint`` can be used as ``fast_pattern``.
``tls.cert_fingerprint`` can be used as ``fast_pattern``.
tls_sni
``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls.sni
-------
Match TLS/SSL Server Name Indication field.
Examples::
tls_sni; content:"oisf.net"; nocase; isdataat:!1,relative;
tls_sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";
tls.sni; content:"oisf.net"; nocase; isdataat:!1,relative;
tls.sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";
``tls.sni`` is a 'Sticky buffer'.
``tls_sni`` is a 'Sticky buffer'.
``tls.sni`` can be used as ``fast_pattern``.
``tls_sni`` can be used as ``fast_pattern``.
``tls.sni`` replaces the previous keyword name: ``tls_sni``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_notbefore
------------------
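Review bot: the added replacement note for ``tls.cert_fingerprint`` is missing ". You" after the old keyword name, so it currently reads "``tls_cert_fingerprint`` may continue to use the previous name"; change it to "``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint``. You may continue" to match the other sections. The unchanged ``tls_cert_notbefore`` heading at the end of this hunk keeps the underscore form, which is consistent with the commit message scoping the rename to sticky buffers, but after five renamed sections a reader may expect ``tls.cert_notbefore``; a sentence in the page intro listing which keywords were renamed would prevent that.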
@ -166,7 +186,7 @@ example:
Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_subject`` is the replacement.
Legacy keyword. ``tls.cert_subject`` is the replacement.
tls.issuerdn
------------
@ -182,7 +202,7 @@ example:
Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_issuer`` is the replacement.
Legacy keyword. ``tls.cert_issuer`` is the replacement.
tls.fingerprint
---------------
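Review bot: the ``tls.fingerprint`` heading that follows this hunk is a legacy keyword that already uses the dotted form, so it now looks like a sibling of the new ``tls.cert_fingerprint`` sticky buffer; its "Legacy keyword ... is the replacement" sentence lies outside this hunk, please confirm it points at ``tls.cert_fingerprint`` so it matches the two legacy sections updated here.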
