The default value for TLS encryption-handling is generic and not precise.
The new keyword, "track-only", substitutes the old keyword and is
more precise about what action is actually taken when the TLS flow
reaches an encrypted state.
dp: 443
# What to do when the encrypted communications start:
- # - default: keep tracking TLS session, check for protocol anomalies,
+ # - track-only: keep tracking TLS session, check for protocol anomalies,
# inspect tls_* keywords. Disables inspection of unmodified
# 'content' signatures.
# - bypass: stop processing this flow as much as possible. No further
#
# For best performance, select 'bypass'.
#
- #encryption-handling: default
+ #encryption-handling: track-only
Encrypted traffic
The option has replaced the ``no-reassemble`` option. If ``no-reassemble`` is
present, and ``encryption-handling`` is not, ``false`` is interpreted as
-``encryption-handling: default`` and ``true`` is interpreted as
+``encryption-handling: track-only`` and ``true`` is interpreted as
``encryption-handling: bypass``.
- The ``syslog`` output is now deprecated and will be removed in
Suricata 9.0. Note that this is the standalone ``syslog`` output and
does affect the ``eve`` outputs ability to send to syslog.
+- The ``default`` option in ``app-layer.protocols.tls.encryption-handling`` is
+ now deprecated and will be removed in Suricata 9.0. The ``track-only`` option
+ should be used instead.
Keyword changes
~~~~~~~~~~~~~~~
#define SSL_CONFIG_DEFAULT_JA4 0
enum SslConfigEncryptHandling {
- SSL_CNF_ENC_HANDLE_DEFAULT = 0, /**< disable raw content, continue tracking */
- SSL_CNF_ENC_HANDLE_BYPASS = 1, /**< skip processing of flow, bypass if possible */
- SSL_CNF_ENC_HANDLE_FULL = 2, /**< handle fully like any other proto */
+ SSL_CNF_ENC_HANDLE_TRACK_ONLY = 0, /**< disable raw content, continue tracking */
+ SSL_CNF_ENC_HANDLE_BYPASS = 1, /**< skip processing of flow, bypass if possible */
+ SSL_CNF_ENC_HANDLE_FULL = 2, /**< handle fully like any other proto */
};
typedef struct SslConfig_ {
ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_FULL;
} else if (strcmp(enc_handle->val, "bypass") == 0) {
ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_BYPASS;
+ } else if (strcmp(enc_handle->val, "track-only") == 0) {
+ ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_TRACK_ONLY;
} else if (strcmp(enc_handle->val, "default") == 0) {
- ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_DEFAULT;
+ SCLogWarning("app-layer.protocols.tls.encryption-handling = default is deprecated "
+ "and will be removed in Suricata 9, use \"track-only\" instead, "
+ "(see ticket #7642)");
+ ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_TRACK_ONLY;
} else {
- ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_DEFAULT;
+ ssl_config.encrypt_mode = SSL_CNF_ENC_HANDLE_TRACK_ONLY;
}
} else {
/* Get the value of no reassembly option from the config file */
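Review bot: The final `else` branch (the new line setting `SSL_CNF_ENC_HANDLE_TRACK_ONLY` for any unrecognised value) still accepts a misspelled or unknown `encryption-handling` value silently, whereas the `default` branch just above it now logs a deprecation warning; a typo such as `bypas` would quietly leave the flow in track-only mode with no hint in the logs. Since the branch is being rewritten anyway, it should log the same way: `SCLogWarning("unknown app-layer.protocols.tls.encryption-handling value \"%s\", using \"track-only\"", enc_handle->val);` before the assignment. The enclosing function starts and ends outside the hunk, so I cannot see whether an earlier check already rejects unknown values; if it does, this is moot.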
#ja4-fingerprints: auto
# What to do when the encrypted communications start:
- # - default: keep tracking TLS session, check for protocol anomalies,
+ # - track-only: keep tracking TLS session, check for protocol anomalies,
# inspect tls_* keywords. Disables inspection of unmodified
- # 'content' signatures.
+ # 'content' signatures. (default)
# - bypass: stop processing this flow as much as possible. No further
# TLS parsing and inspection. Offload flow bypass to kernel
# or hardware if possible.
#
# For best performance, select 'bypass'.
#
- #encryption-handling: default
+ #encryption-handling: track-only
pgsql:
enabled: no
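Review bot: The reworded comment block lists `track-only` and `bypass` but does not mention that the old `default` keyword is still accepted as a deprecated alias, even though the upgrade notes and the parser warning in this same commit both say it is deprecated and scheduled for removal in Suricata 9.0. A user upgrading an existing `encryption-handling: default` line has no pointer in the shipped config itself; adding `# - default: deprecated alias for 'track-only', removed in Suricata 9.0` after the `track-only` description would close that gap. The same omission applies to the documentation copy of this block earlier in the commit.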