6.15. SSL/TLS Keywords¶

Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.

6.15.1. tls.cert_subject¶

Match TLS/SSL certificate Subject field.

Examples:

tls.cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
tls.cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";

tls.cert_subject is a ‘sticky buffer’.

tls.cert_subject can be used as fast_pattern.

tls.cert_subject replaces the previous keyword name: tls_cert_subject. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.15.2. tls.cert_issuer¶

Match TLS/SSL certificate Issuer field.

Examples:

tls.cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
tls.cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";

tls.cert_issuer is a ‘sticky buffer’.

tls.cert_issuer can be used as fast_pattern.

tls.cert_issuer replaces the previous keyword name: tls_cert_issuer. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.15.3. tls.cert_serial¶

Match on the serial number in a certificate.

Example:

alert tls any any -> any any (msg:"match cert serial"; \
  tls.cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)

tls.cert_serial is a ‘sticky buffer’.

tls.cert_serial can be used as fast_pattern.

tls.cert_serial replaces the previous keyword name: tls_cert_serial. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.15.4. tls.cert_fingerprint¶

Match on the SHA-1 fingerprint of the certificate.

Example:

alert tls any any -> any any (msg:"match cert fingerprint"; \
  tls.cert_fingerprint; \
  content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \
  sid:200023;)

tls.cert_fingerprint is a ‘sticky buffer’.

tls.cert_fingerprint can be used as fast_pattern.

tls.cert_fingerprint replaces the previous keyword name: tls_cert_fingerprint may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.15.5. tls.sni¶

Match TLS/SSL Server Name Indication field.

Examples:

tls.sni; content:"oisf.net"; nocase; isdataat:!1,relative;
tls.sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";

tls.sni is a ‘sticky buffer’.

tls.sni can be used as fast_pattern.

tls.sni replaces the previous keyword name: tls_sni. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.15.6. tls_cert_notbefore¶

Match on the NotBefore field in a certificate.

Example:

alert tls any any -> any any (msg:"match cert NotBefore"; \
  tls_cert_notbefore:1998-05-01<>2008-05-01; sid:200005;)

6.15.7. tls_cert_notafter¶

Match on the NotAfter field in a certificate.

Example:

alert tls any any -> any any (msg:"match cert NotAfter"; \
  tls_cert_notafter:>2015; sid:200006;)

6.15.8. tls_cert_expired¶

Match returns true if certificate is expired. It evaluates the validity date from the certificate.

Usage:

tls_cert_expired;

6.15.9. tls_cert_valid¶

Match returns true if certificate is not expired. It only evaluates the validity date. It does not do cert chain validation. It is the opposite of tls_cert_expired.

Usage:

tls_cert_valid;

6.15.10. tls.certs¶

Do a “raw” match on each of the certificates in the TLS certificate chain.

Example:

alert tls any any -> any any (msg:"match bytes in TLS cert"; tls.certs; \
  content:"|06 09 2a 86|"; sid:200070;)

tls.certs is a ‘sticky buffer’.

tls.certs can be used as fast_pattern.

6.15.11. tls.version¶

Match on negotiated TLS/SSL version.

Supported values: “1.0”, “1.1”, “1.2”, “1.3”

It is also possible to match versions using a hex string.

Examples:

tls.version:1.2;
tls.version:0x7f12;

The first example matches TLSv1.2, whilst the last example matches TLSv1.3 draft 16.

6.15.12. ssl_version¶

Match version of SSL/TLS record.

Supported values “sslv2”, “sslv3”, “tls1.0”, “tls1.1”, “tls1.2”, “tls1.3”

Example:

alert tls any any -> any any (msg:"match TLSv1.2"; \
  ssl_version:tls1.2; sid:200030;)

It is also possible to match on several versions at the same time.

Example:

alert tls any any -> any any (msg:"match SSLv2 and SSLv3"; \
  ssl_version:sslv2,sslv3; sid:200031;)

6.15.13. tls.subject¶

Match TLS/SSL certificate Subject field.

example:

tls.subject:"CN=*.googleusercontent.com"

Case sensitive, can’t use ‘nocase’.

Legacy keyword. tls.cert_subject is the replacement.

6.15.14. tls.issuerdn¶

match TLS/SSL certificate IssuerDN field

example:

tls.issuerdn:!"CN=Google-Internet-Authority"

Case sensitive, can’t use ‘nocase’.

Legacy keyword. tls.cert_issuer is the replacement.

6.15.15. tls.fingerprint¶

match TLS/SSL certificate SHA1 fingerprint

example:

tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a"

Case sensitive, can’t use ‘nocase’.

The tls.fingerprint buffer is lower case so you must use lower case letters for this to match.

6.15.16. tls.store¶

store TLS/SSL certificate on disk

6.15.17. ssl_state¶

The ssl_state keyword matches the state of the SSL connection. The possible states are client_hello, server_hello, client_keyx, server_keyx and unknown. You can specify several states with | (OR) to check for any of the specified states.

Negation support is not available yet, see https://redmine.openinfosecfoundation.org/issues/1231