Optimization #1044
closed
TLS buffers evaluated by fast_pattern matcher.
Added by Will Metcalf almost 11 years ago.
Updated about 8 years ago.
Description
As far as I can tell, tls.* buffers are not evaluated by the fast_pattern matcher. If this is correct, is there a reason why this is the case? If there is no reason, can we add them?
- Assignee deleted (Anoop Saldanha)
- Target version set to 3.0RC2
- Target version changed from 3.0RC2 to TBD
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Mats Klepsland
- Status changed from Assigned to Closed
- Target version changed from TBD to 3.2beta1
https://github.com/inliniac/suricata/pull/2249 adds: tls_cert_issuer and tls_cert_subject, which replace tls.issuerdn and tls.subject. They are 'sticky buffers' like file_data, so all your regular matching (content/pcre/isdataat/etc) applies.
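The keyword change described in the comment above, shown as rules. This is an added example, not taken from the ticket or the pull request; the subject and issuer strings, messages and sids are constructed placeholders.

```suricata
# Constructed example rules; certificate strings and sids are placeholders.

# Legacy keyword: the pattern is an argument of tls.subject itself, so
# content modifiers such as fast_pattern cannot be attached to it.
alert tls any any -> any any (msg:"TLS subject match (legacy keyword)"; tls.subject:"CN=example.com"; sid:1000001; rev:1;)

# Sticky buffer: tls_cert_subject selects the buffer, and the content that
# follows is matched inside it. The content can be marked fast_pattern, and
# isdataat:!1,relative requires the subject to end right after the match.
alert tls any any -> any any (msg:"TLS subject match (sticky buffer)"; tls_cert_subject; content:"CN=example.com"; nocase; fast_pattern; isdataat:!1,relative; sid:1000002; rev:1;)

# Same idea for the issuer: a literal content for the fast_pattern matcher,
# then a pcre evaluated against the same sticky buffer.
alert tls any any -> any any (msg:"TLS issuer match (sticky buffer)"; tls_cert_issuer; content:"O=Example CA"; fast_pattern; pcre:"/CN=[a-z0-9]{8}\.example\.com$/"; sid:1000003; rev:1;)
```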