I don't know why it's not being detected

I use suricata 7.0

alert tcp any any -> any any (ssl_state:client_hello; tls.sni; content:".amazon.com";) >>> not detect
alert tcp any any -> any any (ssl_state:client_hello;) >>> detect ok

I don't understand.
Can't the content keyword and the ssl_state keyword be used together?
I would appreciate it if you could let me know.

Hi trymp,
can you provide a PCAP so we can help you out more?
I don't see why they couldn't be used together.

tls12.pcap (6.8 KB)

alert tcp any any -> any any (ssl_state:client_hello; tls.sni; content:".kldp.org";) >>> not detect
alert tcp any any -> any any (ssl_state:client_hello;) >>> detect ok

Ok, I tried it and can confirm it does not detect on the first rule. Btw, next time please post your rules complete (e.g. the sids are missing) and in code blocks so they are not reformatted.

alert tcp any any -> any any (msg:"sni in client hello"; ssl_state:client_hello; tls.sni; content:".kldp.org"; sid: 1;)
alert tcp any any -> any any (msg:"client hello"; ssl_state:client_hello; sid: 2;)
alert tcp any any -> any any (msg:"sni in server hello"; ssl_state:server_hello; tls.sni; content:".kldp.org"; sid: 3;)

But this to me seems like ok behavior, because, by default in IDS mode, Suricata reassembles the traffic only once it receives the ACK from the other side. At the time the client hello arrives, its contents are not inspected yet. But they are available in the server hello state.

If you plug in the rules now, it detects 2 alerts (sid 2 and 3).

However, to be able to inspect client hello contents directly, you can either use IPS mode or use IDS mode with stream.inline set to yes. Then it detects sids 1 and 2.
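To make the two settings concrete, here is a minimal suricata.yaml stream section showing the default (inline: auto, which behaves as "off" when Suricata runs in IDS/pcap mode) beside the corrected value that lets sid 1 match on the client hello. This is an added example, not configuration from the thread; the surrounding keys (memcap, reassembly) are shown with assumed values only so the fragment is complete, and the rule file name test.rules is an assumption.

```yaml
# suricata.yaml excerpt (added example, values assumed)

# Default: stream.inline is "auto", which means inline only in IPS mode.
# In IDS/pcap mode reassembled data is handed to the detection engine
# only after the peer's ACK, so a content match on tls.sni in the
# client_hello state is not yet possible (sid 1 silent, sids 2 and 3 fire).
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb

# Corrected: force inline reassembly in IDS mode as well. Data is then
# inspected as it arrives, before the ACK, so sid 1 matches the SNI inside
# the client hello and sid 2 fires; sid 3 (server_hello) no longer
# sees ".kldp.org" in the client's SNI at that state.
# (Only one "stream:" block may exist in a real file; the two are shown
#  side by side here for comparison.)
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: yes
  reassembly:
    memcap: 256mb
    depth: 1mb
```

The rules themselves are the three from the reply above, saved as test.rules. A way to check the effect is to run Suricata once per configuration against the attached capture, e.g. `suricata -c suricata.yaml -S test.rules -r tls12.pcap -l ./logs`, and compare which sids appear in logs/fast.log: with inline: auto you should see sids 2 and 3, with inline: yes sids 1 and 2, matching the behaviour described in the thread.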