git.ipfire.org Git - thirdparty/suricata.git/commit

author	Eric Leblond <eric@regit.org>
	Tue, 28 Jan 2014 15:54:51 +0000 (16:54 +0100)
committer	Victor Julien <victor@inliniac.net>
	Tue, 4 Feb 2014 12:41:18 +0000 (13:41 +0100)
commit	c2fcf329f09c6e0d16cebb5906244c4ecc8ba30f
tree	a5b7e4bd918ea399ba54a763ae2130242b72a557	tree
parent	385c04164b7df5ab5dadcbeac4c6afd0a022fa5b	commit \| diff

tls: fix negated match

A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.

Without this patch, a rule like:
alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)
is alerting for all connections. Event if they are done on a certificate
with matching subject. This was due to the fact that tls protocol
is discovered before the handshake is complete. Thus the condition
on tls is true with a NULL tls.subject. And code was returning a
positive match in the case of a NULL subject and a signature with
a negated match.