documentation: sticky buffer updates

This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name>
pull/3818/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent 7f102d95b6
commit 97fc7c1e1a

@ -5,7 +5,7 @@ Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 i
JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes'). JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
ja3_hash ja3.hash
-------- --------
Match on JA3 hash (md5). Match on JA3 hash (md5).
@ -13,14 +13,18 @@ Match on JA3 hash (md5).
Example:: Example::
alert tls any any -> any any (msg:"match JA3 hash"; \ alert tls any any -> any any (msg:"match JA3 hash"; \
ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \ ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
sid:100001;) sid:100001;)
``ja3_hash`` is a 'Sticky buffer'. ``ja3.hash`` is a 'Sticky buffer'.
``ja3_hash`` can be used as ``fast_pattern``. ``ja3.hash`` can be used as ``fast_pattern``.
ja3_string ``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
ja3.string
---------- ----------
Match on JA3 string. Match on JA3 string.
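Review bot: the new paragraph on the right side of this hunk ("``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue to use the previous name ...") says the old name still works but not whether it is deprecated or scheduled for removal; since the same three lines are repeated for every renamed keyword, consider stating once, here or in the section intro, whether ``ja3_hash`` and the other underscore names are accepted silently or will be dropped in a future release, so rule authors know how urgent the conversion is.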
@ -28,9 +32,13 @@ Match on JA3 string.
Example:: Example::
alert tls any any -> any any (msg:"match JA3 string"; \ alert tls any any -> any any (msg:"match JA3 string"; \
ja3_string; content:"19-20-21-22"; \ ja3.string; content:"19-20-21-22"; \
sid:100002;) sid:100002;)
``ja3_string`` is a 'Sticky buffer'. ``ja3.string`` is a 'Sticky buffer'.
``ja3.string`` can be used as ``fast_pattern``.
``ja3_string`` can be used as ``fast_pattern``. ``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.

@ -3,35 +3,43 @@ SSL/TLS Keywords
Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches. Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.
tls_cert_subject tls.cert_subject
---------------- ----------------
Match TLS/SSL certificate Subject field. Match TLS/SSL certificate Subject field.
Examples:: Examples::
tls_cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative; tls.cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
tls_cert_subject; content:"google.com"; nocase; pcre:"/google.com$/"; tls.cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";
``tls_cert_subject`` is a 'Sticky buffer'. ``tls.cert_subject`` is a 'Sticky buffer'.
``tls_cert_subject`` can be used as ``fast_pattern``. ``tls.cert_subject`` can be used as ``fast_pattern``.
tls_cert_issuer ``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls.cert_issuer
--------------- ---------------
Match TLS/SSL certificate Issuer field. Match TLS/SSL certificate Issuer field.
Examples:: Examples::
tls_cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative; tls.cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
tls_cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/"; tls.cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
``tls.cert_issuer`` is a 'Sticky buffer'.
``tls_cert_issuer`` is a 'Sticky buffer'. ``tls.cert_issuer`` can be used as ``fast_pattern``.
``tls_cert_issuer`` can be used as ``fast_pattern``. ``tls.cert_issuer`` replaces the previous keyword name: ``tls_cert_issuer``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_serial tls.cert_serial
--------------- ---------------
Match on the serial number in a certificate. Match on the serial number in a certificate.
@ -39,13 +47,17 @@ Match on the serial number in a certificate.
Example:: Example::
alert tls any any -> any any (msg:"match cert serial"; \ alert tls any any -> any any (msg:"match cert serial"; \
tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;) tls.cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
``tls.cert_serial`` is a 'Sticky buffer'.
``tls_cert_serial`` is a 'Sticky buffer'. ``tls.cert_serial`` can be used as ``fast_pattern``.
``tls_cert_serial`` can be used as ``fast_pattern``. ``tls.cert_serial`` replaces the previous keyword name: ``tls_cert_serial``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_fingerprint tls.cert_fingerprint
-------------------- --------------------
Match on the SHA-1 fingerprint of the certificate. Match on the SHA-1 fingerprint of the certificate.
@ -53,27 +65,35 @@ Match on the SHA-1 fingerprint of the certificate.
Example:: Example::
alert tls any any -> any any (msg:"match cert fingerprint"; \ alert tls any any -> any any (msg:"match cert fingerprint"; \
tls_cert_fingerprint; \ tls.cert_fingerprint; \
content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \ content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \
sid:200023;) sid:200023;)
``tls_cert_fingerprint`` is a 'Sticky buffer'. ``tls.cert_fingerprint`` is a 'Sticky buffer'.
``tls_cert_fingerprint`` can be used as ``fast_pattern``. ``tls.cert_fingerprint`` can be used as ``fast_pattern``.
tls_sni ``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls.sni
------- -------
Match TLS/SSL Server Name Indication field. Match TLS/SSL Server Name Indication field.
Examples:: Examples::
tls_sni; content:"oisf.net"; nocase; isdataat:!1,relative; tls.sni; content:"oisf.net"; nocase; isdataat:!1,relative;
tls_sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/"; tls.sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";
``tls.sni`` is a 'Sticky buffer'.
``tls_sni`` is a 'Sticky buffer'. ``tls.sni`` can be used as ``fast_pattern``.
``tls_sni`` can be used as ``fast_pattern``. ``tls.sni`` replaces the previous keyword name: ``tls_sni``. You may continue
to use the previous name, but it's recommended that rules be converted to use
the new name.
tls_cert_notbefore tls_cert_notbefore
------------------ ------------------
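Review bot: the right-hand text for ``tls.cert_fingerprint`` in this hunk is missing the sentence break after the old keyword name: "``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue / to use the previous name" should read "... ``tls_cert_fingerprint``. You may continue to use the previous name, ..." to match the wording of the other sections. The trailing context lines also keep ``tls_cert_notbefore`` in underscore form; if that keyword was not part of the rename, a short sentence in the section intro listing which keywords have the new dotted names would save readers from guessing which form applies.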
@ -166,7 +186,7 @@ example:
Case sensitive, can't use 'nocase'. Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_subject`` is the replacement. Legacy keyword. ``tls.cert_subject`` is the replacement.
tls.issuerdn tls.issuerdn
------------ ------------
@ -182,7 +202,7 @@ example:
Case sensitive, can't use 'nocase'. Case sensitive, can't use 'nocase'.
Legacy keyword. ``tls_cert_issuer`` is the replacement. Legacy keyword. ``tls.cert_issuer`` is the replacement.
tls.fingerprint tls.fingerprint
--------------- ---------------
