Extended decoding of TLS - cipher suites etc

Rather a suricata newbie, but I was wondering if suricata could help me understand more about traffic on my home lan - specifically in terms of TLS ciphers and key exchange mechanisms.

I came across a proposal from many years ago at TLS keyword expansion - Suricata - Open Information Security Foundation which proposed new keywords to make it easier to determine more about the details of the cipher suite or key exchange algorithm being negotiated on a TLS connection.

It doesn’t seem as if this progressed – are there any public rulesets offering this kind of detection?

I think this should indeed best be done by adding this functionality (keywords and logging) to Suricata itself. I don’t really think public rulesets can provide a truly equivalent result.

There is a ticket assigned (Feature #1766: TLS keyword expansion - Suricata - Open Information Security Foundation) but it does not look like there’s been much progress in the meantime.

Does seem like that. The link I mentioned really seemed to summarise well what I’d just been thinking: ‘I wish’.

Could be a useful tool in assessing use of different crypto, especially as we consider the move to quantum-safe cryptography.
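The thread asks for visibility into the cipher suites and key-exchange groups negotiated on a network, which is exactly what a decoder of the TLS ClientHello and ServerHello handshake messages produces. The following is an added example written for this page, not code from the thread, from Suricata or from the linked feature ticket; it parses raw TLS records with the standard library only, names a handful of IANA-registered cipher suites and named groups (the tables are deliberately partial), and flags suites without forward secrecy or with 3DES so that the "which crypto is in use" assessment can be run over captured handshakes. The two sample hellos are constructed in the block itself, so it runs offline.

```python
"""Decode cipher suites and key-exchange groups from TLS ClientHello / ServerHello records."""
import struct

# Partial lookup tables of IANA-registered values; unknown codes are reported numerically.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519", 30: "x448", 256: "ffdhe2048"}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51      # extension type codes (RFC 8446)
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2           # handshake message types


def _parse_extensions(buf: bytes) -> dict:
    """Return {extension_type: data} for a length-prefixed extensions block."""
    (total,) = struct.unpack("!H", buf[:2])
    exts, pos, end = {}, 2, 2 + total
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        exts[ext_type] = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking both types."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs[0]}")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]


def _u16_list(data: bytes, start: int, length: int) -> list:
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(start, start + length, 2)]


def decode_client_hello(record: bytes) -> dict:
    """Offered cipher suites, supported_groups and the groups for which a key_share was sent."""
    body = _handshake_body(record, HS_CLIENT_HELLO)
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = _u16_list(body, pos, cs_len); pos += cs_len
    pos += 1 + body[pos]                          # legacy_compression_methods
    exts = _parse_extensions(body[pos:])
    groups, shares = [], []
    if EXT_SUPPORTED_GROUPS in exts:
        data = exts[EXT_SUPPORTED_GROUPS]
        groups = _u16_list(data, 2, struct.unpack("!H", data[:2])[0])
    if EXT_KEY_SHARE in exts:                     # client_shares: list of KeyShareEntry
        data = exts[EXT_KEY_SHARE]
        (n,) = struct.unpack("!H", data[:2]); p = 2
        while p < 2 + n:
            group, klen = struct.unpack("!HH", data[p:p + 4])
            shares.append(group); p += 4 + klen
    return {
        "cipher_suites": [CIPHER_SUITES.get(c, f"unknown(0x{c:04x})") for c in suites],
        "supported_groups": [NAMED_GROUPS.get(g, f"unknown({g})") for g in groups],
        "key_share_groups": [NAMED_GROUPS.get(g, f"unknown({g})") for g in shares],
    }


def decode_server_hello(record: bytes) -> dict:
    """The single cipher suite and (TLS 1.3) key-exchange group the server selected."""
    body = _handshake_body(record, HS_SERVER_HELLO)
    pos = 2 + 32 + 1 + body[34]                   # version + random + session id
    (suite,) = struct.unpack("!H", body[pos:pos + 2]); pos += 3   # + compression byte
    exts = _parse_extensions(body[pos:])
    group = struct.unpack("!H", exts[EXT_KEY_SHARE][:2])[0] if EXT_KEY_SHARE in exts else None
    return {"cipher_suite": CIPHER_SUITES.get(suite, f"unknown(0x{suite:04x})"),
            "key_exchange_group": NAMED_GROUPS.get(group, f"unknown({group})")}


def legacy_suites(names: list) -> list:
    """Suites a crypto assessment would flag: static RSA key exchange (no forward secrecy) or 3DES."""
    return [n for n in names if n.startswith("TLS_RSA_WITH") or "3DES" in n]


# --- constructed sample handshakes (builders exist only to make the example self-contained) ---
def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites: list, groups: list) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    grp = b"".join(struct.pack("!H", g) for g in groups)
    share = struct.pack("!HH", groups[0], 32) + b"\x11" * 32          # dummy key share
    exts = (_ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(grp)) + grp)
            + _ext(EXT_KEY_SHARE, struct.pack("!H", len(share)) + share))
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(HS_CLIENT_HELLO, body)

def build_server_hello(suite: int, group: int) -> bytes:
    exts = _ext(EXT_KEY_SHARE, struct.pack("!HH", group, 32) + b"\x22" * 32)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _record(HS_SERVER_HELLO, body)

SAMPLE_CLIENT_HELLO = build_client_hello([0x1301, 0x1303, 0xC02F, 0x000A], [29, 23, 256])
SAMPLE_SERVER_HELLO = build_server_hello(0x1301, 29)

if __name__ == "__main__":
    offered = decode_client_hello(SAMPLE_CLIENT_HELLO)
    print("client offered:", offered)
    print("legacy suites offered:", legacy_suites(offered["cipher_suites"]))
    print("server selected:", decode_server_hello(SAMPLE_SERVER_HELLO))
```

On real traffic the input would be the first record of each direction of a TCP stream (for example, extracted from a pcap); the decoder deliberately stops at the hello messages, since in TLS 1.3 everything after the ServerHello is encrypted, and for TLS 1.2 the key-exchange method is carried in the selected suite's name rather than in a key_share extension.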