mirror of https://github.com/OISF/suricata
Topics: cybersecurity, ids, intrusion-detection-system, intrusion-prevention-system, ips, network-monitor, network-monitoring, nsm, security, suricata, threat-hunting
Latest commit (12 years ago):

A negated match is matching if the tested field is NULL. But as it is not set, neither the negated nor the normal test must match.

Without this patch, a rule like `alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)` is alerting for all connections, even if they are done on a certificate with matching subject.

This was due to the fact that the tls protocol is discovered before the handshake is complete. Thus the condition on tls is true with a NULL tls.subject. And the code was returning a positive match in the case of a NULL subject and a signature with a negated match.

| Name | Last commit | |
|---|---|---|
| benches | ||
| contrib | 13 years ago | |
| doc | ||
| m4 | ||
| qa | 12 years ago | |
| rules | 12 years ago | |
| scripts | 13 years ago | |
| src | 12 years ago | |
| .gitignore | 13 years ago | |
| COPYING | ||
| ChangeLog | 12 years ago | |
| LICENSE | ||
| Makefile.am | 12 years ago | |
| Makefile.cvs | ||
| acsite.m4 | ||
| autogen.sh | ||
| classification.config | ||
| config.rpath | 13 years ago | |
| configure.ac | 12 years ago | |
| doxygen.cfg | 12 years ago | |
| reference.config | ||
| suricata.yaml.in | 12 years ago | |
| threshold.config | ||