Extended decoding of TLS - cipher suites etc

Nigel_Jones · May 2, 2024, 6:15pm

Rather a suricata newbie, but I was wondering if suricata could help me understand more about traffic on my home lan - specifically in terms of TLS ciphers and key exchange mechanisms.

I came across a proposal from many years ago at TLS keyword expansion - Suricata - Open Information Security Foundation which proposed new keywords to make it easier to determine more about the details of the cipher suite or key exchange algorithm being negotiated on a TLS connection.

It doesn’t seem as if this progressed – are there any public rulesets offering this kind of detection?

satta · May 3, 2024, 8:55am

I think this should indeed best be done by adding this functionality (keywords and logging) to Suricata itself. I don’t really think public rulesets can provide a truly equivalent result.

There is a ticket assigned (Feature #1766: TLS keyword expansion - Suricata - Open Information Security Foundation) but it does not look like there’s been much progress in the meantime.

Nigel_Jones · May 3, 2024, 3:12pm

Does seem like that. The link I mentioned really seemed to summarise well what I’d just been thinking ‘ I wish’.

Could be a useful tool in assessing use of different crypto especially as we consider the move to quantum safe cryptography

Topic		Replies	Views
Suricata with SSL Decryption Help ips	7	2315	March 20, 2023
Bypassing encrypted traffic does not seem to work Help	8	1740	December 10, 2021
June's webinar: Adding new rule keywords to Suricata: Live coding session Announcements webinar	3	764	June 20, 2023
Query on WebSocket Protocol Decoding Support in Suricata 7 Help suricata	1	342	November 15, 2023
How can I analyze SSL traffic? I have the private key Help	1	938	June 30, 2022

Extended decoding of TLS - cipher suites etc

Related topics