Rule TLS with flowbits

Hi everyone,

I have the below question on TLS rules and please do correct me if my understanding is wrong. The below is Lab at that stage.

The alert 3121989, I am using the flowbits to set the condition for content E.g “stams”. The alert 3121990 will trigger with no issues in this example when the content in TLS SNI contains “stams”.

What does not work for me - maybe i wrongly believe it should - is the reverse. To set the condition in 3121990 and trigger the alert on 3121989, after changing the necessary parts in the below rules of course. Why?

alert tls any any -> any any (msg:“Possible Phising of Domain”; flow:established,to_server; flowbits:noalert; content:”stams”; nocase; flowbits:set,Cert_Today; sid:3121989;)

alert tls any any -> any any (msg:"Possible Phising with Let’s Enrcrypt on Domain "; flow:established,from_server; tls_cert_issuer; content:“O=Let’s Encrypt”; nocase; tls_cert_notbefore:2020-10-24<>2020-07-24; flowbits:isset,Cert_Today; sid:3121990;)

Thank you

I think by writing the question i figured out the answer . The TLS SNI is seen once and the Client Hello in TLS handshake comes before the Server Hello and the Certificate part. So there is no way to alert on something that has already happened in the flow . Suricata engine has already seen that packet before the Certificate part where the Issuer is seen.

What happens if you use the tls.sni buffer with rule 3121989. So tls.sni; content:"stams";?

Hi Victor,

Thank you for your comment.

It is alerting just fine and to be fair it is more explicit than just content. Thank you for pointing that :slight_smile:

Did you had something else in mind ?
Thank you
Stams