I have the below question on TLS rules and please do correct me if my understanding is wrong. The below is Lab at that stage.
The alert 3121989, I am using the flowbits to set the condition for content E.g “stams”. The alert 3121990 will trigger with no issues in this example when the content in TLS SNI contains “stams”.
What does not work for me - maybe i wrongly believe it should - is the reverse. To set the condition in 3121990 and trigger the alert on 3121989, after changing the necessary parts in the below rules of course. Why?
alert tls any any -> any any (msg:“Possible Phising of Domain”; flow:established,to_server; flowbits:noalert; content:”stams”; nocase; flowbits:set,Cert_Today; sid:3121989;)
alert tls any any -> any any (msg:"Possible Phising with Let’s Enrcrypt on Domain "; flow:established,from_server; tls_cert_issuer; content:“O=Let’s Encrypt”; nocase; tls_cert_notbefore:2020-10-24<>2020-07-24; flowbits:isset,Cert_Today; sid:3121990;)