git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Thu, 24 May 2018 12:56:30 +0000 (14:56 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 19 Jun 2018 10:56:56 +0000 (12:56 +0200)
commit	2d50fe499ad2ffc2df6b6fc61cb35aab6b924cb1
tree	42da94f74e70ac85eac9dd248abfdeacdcf5de5a	tree \| snapshot
parent	e6a009ae7fbce507ee2824c99ea7e352e7f221db	commit \| diff

tls: new config for dealing with encrypted traffic

Much of encrypted traffic is uninteresting to Suricata. Once encrypted
communication starts, inspecting the packet payloads is generally
not interesting anymore. The default behavior is to disable the parts
of the detection engine and stream reassembly that relate to raw content
inspection.

The tls app-layer parser also had a crude option to affect this behavior:
set 'no-reassemble' to true went much further than the default behavior.
It disabled the TCP reassembly on the flow completely, disabled all
inspection on the flow and enabled bypass if available.

This patch adds a new option: full inspection. This continues to treat
a TLS session as any other, so without any limits to inspection.

The new option is implemented in a new config option 'encrypt-handling',
that replaces 'no-reassemble'. The new option has 3 values:
'default', 'full' and 'bypass'. Default is the current default behavior,
'bypass' is the current 'no-reassemble = true' behavior and 'full'
is the new full inspection mode.