@ -3,6 +3,71 @@ SSL/TLS Keywords
Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.
tls_cert_subject
----------------
Match TLS/SSL certificate Subject field.
Examples::
tls_cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
tls_cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";
``tls_cert_subject`` is a 'Sticky buffer'.
tls_cert_issuer
---------------
Match TLS/SSL certificate Issuer field.
Examples::
tls_cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
tls_cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
``tls_cert_issuer`` is a 'Sticky buffer'.
tls_cert_notbefore
------------------
Match on the NotBefore field in a certificate.
Example::
alert tls any any -> any any (msg:"match cert NotBefore"; \
tls_cert_notbefore:1998-05-01<>2008-05-01; sid:200005;)
tls_cert_notafter
-----------------
Match on the NotAfter field in a certificate.
Example::
alert tls any any -> any any (msg:"match cert NotAfter"; \
tls_cert_notafter:>2015; sid:200006;)
tls_cert_expired
----------------
Match returns true if certificate is expired. It evaluates the validity date
from the certificate.
Usage::
tls_cert_expired;
tls_cert_valid
--------------
Match returns true if certificate is not expired. It only evaluates the
validity date. It does *not* do cert chain validation. It is the opposite
of ``tls_cert_expired``.
Usage::
tls_cert_valid;
tls.version
-----------
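Review bot: in the second ``tls_cert_subject`` example the PCRE ``/google.com$/`` leaves the dot unescaped, so it also matches any single character in that position, and unlike the preceding ``nocase`` content match it is case sensitive; suggest ``pcre:"/google\.com$/i";`` and the same treatment for ``pcre:"/StartCom$/";`` in the issuer example. The date examples are also inconsistent: ``tls_cert_notbefore`` uses a full ``YYYY-MM-DD`` range (``1998-05-01<>2008-05-01``) while ``tls_cert_notafter`` uses a bare year (``>2015``), so the section should state which date formats and comparison operators these keywords accept. Finally, ``tls_cert_expired`` should carry the same caveat as ``tls_cert_valid``, that only the validity dates are evaluated and no certificate chain validation is performed.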
@ -28,6 +93,8 @@ Support added in Suricata version 1.3.
Case sensitve, can't use 'nocase'.
Legacy keyword. ``tls_cert_subject`` is the replacement.
tls.issuerdn
------------
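Review bot: typo in the added line ``Case sensitve, can't use 'nocase'.``, which should read ``Case sensitive``. Since this keyword is now marked legacy, it would also help readers to say that the replacement ``tls_cert_subject`` is a sticky buffer that does accept ``nocase`` (as the examples in the first hunk show), so the reason to migrate is clear.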
@ -44,6 +111,8 @@ Support added in Suricata version 1.3.
Case sensitve, can't use 'nocase'.
Legacy keyword. ``tls_cert_issuer`` is the replacement.
tls.fingerprint
---------------
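Review bot: same typo as in the previous hunk, ``Case sensitve`` should be ``Case sensitive``. As with the subject keyword, stating that the replacement ``tls_cert_issuer`` accepts ``nocase`` would make the legacy note actionable rather than just a pointer.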
@ -77,3 +146,4 @@ are ``client_hello``, ``server_hello``, ``client_keyx``, ``server_keyx`` and ``u
You can specify several states with ``|`` (OR) to check for any of the specified states.
Negation support is not available yet, see https://redmine.openinfosecfoundation.org/issues/1231
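Review bot: the negation sentence should say what form of negation is meant (negating a single state, or the whole ``|`` list) so a rule writer knows what not to attempt, and the bare URL would read better as an inline reference to Redmine issue 1231 with the link attached, so the sentence still makes sense if the tracker URL changes.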