Bug #3065
tls_cert_XX keywords date format parsing error
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Description
Summary
- For tls_cert_XXX keywords, the "YYYY" date format is not supported.
Details
- Issue
  - The date format of the tls_cert_XXX keywords does not support the format "[<|>]YYYY".
  - Thus Suricata can't detect such conditions.
- Related manual section
- Cause
  - detect-tls-cert-validity.c : DateStringToEpoch()
    In this function, the YYYY format does not exist in the pattern list.
    Furthermore, since integer values are converted ahead of pattern checking,
    patterns like YYYY are converted to time_t and do not throw an error.
    - ex) tls_cert_notafter:<2019
      => epoch = 2019 (if was intended, should be a time_t value of year 2019)
- How to Fix
  - Add the YYYY format to the pattern list
  - Remove/move the integer conversion section
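The ordering problem described in the report, as an added example that is not Suricata's code: a simplified model of a date parser in which integer conversion runs before the pattern check, next to the reordered version. The function names, the reduced pattern list (only YYYY-MM-DD and YYYY) and keeping the raw-epoch path as a fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Days from 1970-01-01 to y-m-d in UTC (standard civil-date arithmetic). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

static int all_digits(const char *s) { return *s && s[strspn(s, "0123456789")] == '\0'; }

/* Pattern list: "YYYY-MM-DD" always, "YYYY" only when with_yyyy is set.
 * Returns -1 on no match (pre-1970 dates are out of scope for this model). */
static long long match_patterns(const char *s, int with_yyyy)
{
    int y, m, d, n = 0;
    if (strlen(s) == 10 && sscanf(s, "%4d-%2d-%2d%n", &y, &m, &d, &n) == 3
        && n == 10 && m >= 1 && m <= 12 && d >= 1 && d <= 31)
        return days_from_civil(y, m, d) * 86400LL;
    if (with_yyyy && strlen(s) == 4 && all_digits(s))
        return days_from_civil(atoi(s), 1, 1) * 86400LL;
    return -1;
}

/* Order described in the report: integer conversion before the pattern check. */
long long epoch_buggy(const char *s)
{
    if (all_digits(s))
        return strtoll(s, NULL, 10);   /* "2019" leaves here as epoch 2019 */
    return match_patterns(s, 0);
}

/* Proposed order: patterns (now including YYYY) first, raw epoch as fallback. */
long long epoch_fixed(const char *s)
{
    long long t = match_patterns(s, 1);
    return t >= 0 ? t : (all_digits(s) ? strtoll(s, NULL, 10) : -1);
}

int main(void)
{
    long long not_after = 1527811200LL; /* constructed cert notAfter: 2018-06-01 UTC */
    printf("<2019 buggy=%d fixed=%d\n", not_after < epoch_buggy("2019"), not_after < epoch_fixed("2019"));
    return 0;
}
```

With the buggy order, a rule value of `<2019` is compared against epoch 2019 (early on 1970-01-01), so a certificate that expired in 2018 never matches.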