Feature #713
closed
tls.fingerprint - file usage
Added by Peter Manev almost 12 years ago.
Updated about 5 years ago.
Description
Now we can use tls.fingerprint like so -
tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a";
it could beneficial if we can
tls.fingerprint:!"ssl-fingerprint.file"; where could be a file containing a list of SHA1 and/or MD5 ssl cert fingerprints.
Also if a file list is used - it is helpful if more than on rule can use the file list without the file being loaded multiple times (for each rule).
- Target version set to TBD
- Related to Feature #2318: matching on large amounts of data with dynamic updates added
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0rc1
TLS fingerprint:
Blacklist:
alert tls any any -> any any (tls.cert_fingerprint; dataset:isset,bad_tls_certs, load bad_tls_certs.rep, type string; sid:3;)
Reputation:
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_rep, >, 200, load tls_rep.rep, type string; sid:4;)
alert tls any any -> any any (tls.cert_fingerprint; datarep:tls_md5_rep, >, 200, load tls_md5_rep.rep, type md5; sid:5;)
https://github.com/OISF/suricata/pull/4166
https://suricata.readthedocs.io/en/latest/rules/datasets.html
Also available in: Atom
PDF