mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
71 lines
1.1 KiB
ReStructuredText
71 lines
1.1 KiB
ReStructuredText
TLS-keywords
|
|
============
|
|
|
|
Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.
|
|
|
|
tls.version
|
|
-----------
|
|
|
|
Match on negotiated TLS/SSL version.
|
|
|
|
Example values: "1.0", "1.1", "1.2"
|
|
|
|
Support added in Suricata version 1.3.
|
|
|
|
tls.subject
|
|
-----------
|
|
|
|
Match TLS/SSL certificate Subject field.
|
|
|
|
example:
|
|
|
|
|
|
::
|
|
|
|
tls.subject:"CN=*.googleusercontent.com"
|
|
|
|
Support added in Suricata version 1.3.
|
|
|
|
Case sensitve, can't use 'nocase'.
|
|
|
|
tls.issuerdn
|
|
------------
|
|
|
|
match TLS/SSL certificate IssuerDN field
|
|
|
|
example:
|
|
|
|
|
|
::
|
|
|
|
tls.issuerdn:!"CN=Google-Internet-Authority"
|
|
|
|
Support added in Suricata version 1.3.
|
|
|
|
Case sensitve, can't use 'nocase'.
|
|
|
|
tls.fingerprint
|
|
---------------
|
|
|
|
match TLS/SSL certificate SHA1 fingerprint
|
|
|
|
example:
|
|
|
|
|
|
::
|
|
|
|
tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a"
|
|
|
|
Support added in Suricata version 1.4.
|
|
|
|
Case sensitive, can't use 'nocase'.
|
|
|
|
The tls.fingerprint buffer is lower case so you must use lower case letters for this to match.
|
|
|
|
tls.store
|
|
---------
|
|
|
|
store TLS/SSL certificate on disk
|
|
|
|
Support added in Suricata version 1.4.
|