SSL/TLS Keywords
Several rule keywords to match on various properties of the TLS/SSL handshake.
All supported fields are sticky buffers and can be used with fast_pattern.
tls.cert_subject
Matches the TLS/SSL certificate subject field.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in tls subject field"; \
tls.cert_subject; content:"Test Certificate ECDSA"; sid:1; rev:1;)
cognitix Threat Defender also supports the deprecated tls_cert_subject
keyword, but we do not recommend using it.
tls.cert_issuer
Matches the TLS/SSL certificate issuer field.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in tls issuer field"; \
tls.cert_issuer; content:"Let's Encrypt"; sid:2; rev:1;)
cognitix Threat Defender also supports the deprecated tls_cert_issuer
keyword, but we do not recommend using it.
tls.cert_fingerprint
Matches the TLS/SSL certificate fingerprint. This fingerprint is a SHA-1 digest of the whole certificate.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in tls fingerprint"; \
tls.cert_fingerprint; \
content:"54:4c:7e:23:4d:df:84:5f:75:39:42:45:5e:5f:1a:42:75:80:b3:d3"; \
sid:2; rev:1;)
The tls.cert_fingerprint keyword can only be used together with a content field, which can be negated. This content field must represent a digest composed of 20 two-digit groups separated by colons (:).
cognitix Threat Defender also supports the deprecated tls_cert_fingerprint
keyword, but we do not recommend using it.
tls.fingerprint
Matches the TLS/SSL certificate fingerprint. This fingerprint is a SHA-1 digest of the whole certificate.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in tls fingerprint"; \
tls.fingerprint:"54:4c:7e:23:4d:df:84:5f:75:39:42:45:5e:5f:1a:42:75:80:b3:d3"; \
sid:3; rev:1;)
The tls.fingerprint value must represent a digest composed of 20 two-digit groups separated by colons (:). This field can be negated.
tls.sni
Matches the TLS/SSL server name indication field.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in tls sni field"; \
tls.sni; content:"example.org"; sid:3; rev:1;)
cognitix Threat Defender also supports the deprecated tls_sni
keyword, but we do not recommend using it.
tls.certs
Does a “raw” match on each of the certificates in the TLS certificate chain.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching Algorithm Id sha256WithRSAEncryption"; \
tls.certs; content:"|2a 86 48 86 f7 0d 01 01 0b|"; sid:4; rev:1;)
tls.cert_serial
Matches the TLS/SSL certificate serial number field.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching on certificate serial number"; \
tls.cert_serial; content:"7A:8C:A6:5F:B1:AA:FC:8A:8F:96:D4:BA"; sid:5; rev:1;)
The field must represent a byte series composed of two-digit groups separated by colons (:).
cognitix Threat Defender also supports the deprecated tls_cert_serial
keyword, but we do not recommend using it.
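The following is an added example, not part of this documentation or the cognitix Threat Defender product, showing how to derive the value formats described above for tls.cert_fingerprint (SHA-1 over the whole DER certificate as 20 colon-separated groups), tls.cert_serial (colon-separated byte groups) and tls.certs (the DER-encoded OID bytes such as sha256WithRSAEncryption), and how to check a fingerprint's shape before placing it in a rule. The function names and the sample input bytes are assumptions; the bytes are constructed and are not a real certificate.

```python
import hashlib
import re

# Shape required for tls.cert_fingerprint: exactly 20 two-digit hex groups
# separated by colons.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){19}[0-9a-fA-F]{2}$")

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the whole DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def cert_serial(serial: int) -> str:
    """Certificate serial number as colon-separated upper-case byte groups."""
    nbytes = max(1, (serial.bit_length() + 7) // 8)
    return ":".join(f"{b:02X}" for b in serial.to_bytes(nbytes, "big"))

def oid_content(dotted: str) -> str:
    """DER-encode a dotted OID into a |hex| content string for a tls.certs rule."""
    arcs = [int(a) for a in dotted.split(".")]
    encoded = [40 * arcs[0] + arcs[1]]  # first two arcs share one byte
    for arc in arcs[2:]:  # remaining arcs: base-128, continuation bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        encoded.extend(reversed(chunk))
    return "|" + " ".join(f"{b:02x}" for b in encoded) + "|"

def is_valid_fingerprint(value: str) -> bool:
    return FINGERPRINT_RE.match(value) is not None

def fingerprint_rule(sid: int, fingerprint: str, negate: bool = False) -> str:
    """Build a tls.cert_fingerprint rule; the content may be negated with '!'."""
    if not is_valid_fingerprint(fingerprint):
        raise ValueError("fingerprint must be 20 two-digit groups separated by colons")
    bang = "!" if negate else ""
    return ('alert tls any any -> any any (classtype:misc-attack; '
            'msg:"certificate fingerprint match"; tls.cert_fingerprint; '
            f'content:{bang}"{fingerprint}"; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    # Constructed input: not a real certificate, just bytes to hash (assumption).
    print(fingerprint_rule(1000001, cert_fingerprint(b"constructed DER bytes")))
    print(oid_content("1.2.840.113549.1.1.11"))  # sha256WithRSAEncryption
```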