Hello all. I am fairly new to Suricata. Is there a way to write a rule to detect self-signed TLS certs?
Specifically, I would like to write a rule that looks at the Issuer Organization Name, as well as the Subject Organization Name, and then compares the entries, looking for strings that match between the two. We have a scenario where certs whose strings match between these two fields are invalid, and I want to alert on these types of certs.
I don’t know what the content for these fields will be beforehand. However, I do know that the names in the two will match precisely.
IssuerOrganizationName=Sawianawski, Hand, and Keith
SubjectOrganizationName=Sawianawski, Hand, and Keith
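Suricata's TLS rule buffers such as tls.cert_subject and tls.cert_issuer match against content you specify in advance, so one defender-side option for the comparison described above is to post-process the EVE tls log. The following Python script is an added example, not from the original post: it parses the subject and issuerdn DN strings from constructed eve.json lines and reports records whose O= values are identical, taking care with values that themselves contain commas, as the post's own example does.

```python
import json
import re

# Constructed sample EVE tls records (not real Suricata output). The second
# record has identical issuer and subject O= values, the pattern in the post.
SAMPLE_EVE_LINES = [
    '{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","tls":{"subject":"C=US, O=Example Corp, CN=www.example.com","issuerdn":"C=US, O=Example Trust Services, CN=Example CA 1","sni":"www.example.com"}}',
    '{"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","tls":{"subject":"O=Sawianawski, Hand, and Keith, CN=app.internal","issuerdn":"O=Sawianawski, Hand, and Keith, CN=app.internal","sni":"app.internal"}}',
    '{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"192.0.2.11"}',
]

def parse_dn(dn):
    """Parse 'C=US, O=Acme, CN=host' into {attr: value}.
    Commas inside a value may be escaped as '\\,' or not escaped at all;
    a fragment without a 'TYPE=' prefix is glued back onto the previous value."""
    rdns = []
    for frag in re.split(r'(?<!\\),', dn):
        frag = frag.strip().replace('\\,', ',')
        m = re.match(r'^([A-Za-z][A-Za-z0-9.]*)=(.*)$', frag)
        if m:
            rdns.append([m.group(1).upper(), m.group(2)])
        elif rdns:
            rdns[-1][1] += ', ' + frag
    return {k: v for k, v in rdns}

def matching_org(tls):
    """Return the O= value when issuer and subject organizations are equal, else None."""
    subj = parse_dn(tls.get("subject", "")).get("O")
    issuer = parse_dn(tls.get("issuerdn", "")).get("O")
    return subj if subj is not None and subj == issuer else None

def find_matching_org_certs(lines):
    """Scan EVE JSON lines; return (src_ip, dest_ip, sni, org) for each tls
    event whose issuer O= equals subject O=. Non-tls and malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") != "tls":
            continue
        org = matching_org(rec.get("tls", {}))
        if org is not None:
            hits.append((rec.get("src_ip"), rec.get("dest_ip"), rec["tls"].get("sni"), org))
    return hits

if __name__ == "__main__":
    for hit in find_matching_org_certs(SAMPLE_EVE_LINES):
        print("issuer O matches subject O: src=%s dst=%s sni=%s org=%r" % hit)
```

Pipe a live eve.json through the same functions (for example with `tail -F`) to raise the alert continuously rather than on the embedded sample.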