Project

General

Profile

Actions

Feature #5234

closed

SSL/TLS Sticky Buffer for subjectAltName

Added by Genina Po over 2 years ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Hi Team,

Does Suricata support parsing subjectAltName data into a SSL/TLS sticky buffer? If not, it would be a nice feature to have if the subjectAltName is present in SSL/TLS certificate or in the X509 extension.

The attached .pcap may be used to test this feature request.

Please note there is an observed inconsistency with how the subjectAltName is being parsed amongst Suricata engine versions.

If Suricata 6+ is used on the attached .pcap, the subjectAltName is parsed:
Suri7

issuerdn       C=XX, CN=mamzon.ru, L=XX, O=XX, OU=XX, ST=XX, Email=webmaster@mamzon.ru, subjectAltName=*.mamzon.ru www.mamzon.ru
sample: d08f862fc5830ad381db2027c10823c5

If Suricata 5 and below are used, the subjectAltName is not parsed:
Suri5

'issuerdn': 'C=XX, CN=mamzon.ru/L=XX/O=XX/OU=XX/ST=XX/emailAddress=webmaster@mamzon.ru/unknown=*.mamzon.ru www.mamzon.ru',


Files

d08f862fc5830ad381db2027c10823c5.pcap (1.53 MB) d08f862fc5830ad381db2027c10823c5.pcap Genina Po, 04/06/2022 11:22 PM
414db0257c6eb46.pcap (2.79 KB) 414db0257c6eb46.pcap Brandon Murphy, 04/03/2024 01:19 PM

Related issues 2 (1 open1 closed)

Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Related to Suricata - Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5NameClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF