From c6134e007e0785bc9a3ef5b524fd03adf7fa2c09 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 12 Oct 2016 12:30:19 +0200 Subject: [PATCH] doc: app-layer tls including no-reassemble --- doc/userguide/configuration/suricata-yaml.rst | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 9701df4156..ab04dc1d00 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst 
@@ -2133,6 +2133,47 @@ see :doc:`../performance/packet-profiling`. Application layers ------------------ +SSL/TLS +~~~~~~~ + +SSL/TLS parsers track encrypted SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 +sessions. + +Protocol detection is done using patterns and a probing parser running +on only TCP/443 by default. The pattern based protocol detection is +port independent. + +:: + + tls: + enabled: yes + detection-ports: + dp: 443 + + # Completely stop processing TLS/SSL session after the handshake + # completed. If bypass is enabled this will also trigger flow + # bypass. If disabled (the default), TLS/SSL session is still + # tracked for Heartbleed and other anomalies. + #no-reassemble: yes + +Encrypted traffic +^^^^^^^^^^^^^^^^^ + +There is no decryption of encrypted traffic, so once the handshake is complete +continued tracking of the session is of limited use. The ``no-reassemble`` +option controls the behaviour after the handshake. + +If ``no-reassemble`` is set to ``true``, all processing of this session is +stopped. No further parsing and inspection happens. If ``bypass`` is enabled +this will lead to the flow being bypassed, either inside Suricata or by the +capture method if it supports it. + +If ``no-reassemble`` is set to ``false``, which is the default, Suricata will +continue to track the SSL/TLS session. Inspection will be limited, as +``content`` inspection will still be disabled. There is no point in doing +pattern matching on traffic known to be encrypted. Inspection for (encrypted) +Heartbleed and other protocol anomalies still happens. + Modbus ~~~~~~ -- 2.47.2
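Review bot: In the "Encrypted traffic" paragraphs, the sentence "If ``bypass`` is enabled this will lead to the flow being bypassed" names a ``bypass`` setting without saying where it lives; the reader of this YAML reference has no way to find it from here, so add the option's location (or a ``:ref:`` / ``:doc:`` link to the relevant section) next to the first mention. Two smaller consistency points in the same hunk: the example config shows ``#no-reassemble: yes`` while the prose says "set to ``true``" and "set to ``false``"; pick one spelling (the config sample's ``yes``/``no`` is what users will copy) so the text and the snippet match. And in "Inspection will be limited, as ``content`` inspection will still be disabled", the word "still" suggests something earlier already disabled it, which nothing in the section does; "``content`` inspection is disabled for the encrypted part of the session" states the same thing without the dangling reference.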