I'm using this rule to skip suricata tls processing on a known SSL cert:
pass tls any any <> any any (msg:"known good mydomain cert"; tls.fingerprint:"40:.(trimmed for serverfault).:8b"; sid:1000000; rev:1)
Even with that, it's falling through to the normal tls logging.
Jan 29 19:59:38 ip-10-11-12-13 suricata[17331]: {"timestamp":"2016-01-29T19:59:38.285296+0000","flow_id":139920047174784,"in_iface":"eth0","event_type":"tls","src_ip":"10.13.13.13","src_port":49479,"dest_ip":"10.11.12.13","dest_port":8443,"proto":"TCP","tls":{"subject":"C=U...CN=*.mydomain.com","issuerdn":"C=US...","fingerprint":"40:.(trimmed for serverfault).:8b","version":"TLS 1.2"}}
I have my local.rules listed first, and I haven't changed the action-order, so pass messages should be processed first.
Is this happening because "tls:extended: yes" is set in the config? I mean, it's logging all TLS sessions so pass doesn't matter? If that's the case, how can I/should I log unknown/unmatched TLS traffic?
(I'm putting this in the snort tag because there's no suricata tag and I can't create one. I think of suricata as related to snort.)