
Rule Options

The following rule options are supported by enabling the ssl preprocessor:

    ssl_version
    ssl_state

ssl_version

The ssl_version rule option tracks the version negotiated between the endpoints of the SSL encryption. The version identifiers are listed below. More than one identifier can be specified as a comma-separated list, and the identifiers in a list are OR'ed together.

The option will match if any one of the OR'ed versions is used in the SSL connection. To check for two or more SSL versions in use simultaneously, multiple ssl_version rule options should be used.

Syntax

   ssl_version: <version-list>

   version-list = version | version , version-list
   version      = ["!"] "sslv2" | "sslv3" | "tls1.0" | "tls1.1" | "tls1.2"

Examples

   ssl_version:sslv3;
   ssl_version:tls1.0,tls1.1,tls1.2;
   ssl_version:!sslv2;

ssl_state

The ssl_state rule option tracks the state of the SSL encryption during the process of hello and key exchange. The states are listed below. More than one state can be specified as a comma-separated list, and the states in a list are OR'ed together.

The option will match if the connection is currently in any one of the OR'ed states. To ensure the connection has reached each of a set of states, multiple rules using the ssl_state rule option should be used.

Syntax

   ssl_state: <state-list>

   state-list = state | state , state-list
   state      = ["!"] "client_hello" | "server_hello" | "client_keyx" | "server_keyx" | "unknown"

Examples

   ssl_state:client_hello;
   ssl_state:client_keyx,server_keyx;
   ssl_state:!server_hello;
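
An added example, not taken from the Snort manual: two local rules that combine both options to flag servers negotiating protocol versions a site may want to phase out. The network variables, port 443, msg text and sid values are assumptions, and the rules assume the ssl preprocessor is enabled for that port.

```snort
# Constructed example rules (not from the Snort distribution).
# Assumed: $HOME_NET/$EXTERNAL_NET as defined in snort.conf, TLS served on
# port 443, and sids taken from the local range (>= 1000000).

# The version list is OR'ed: the rule fires if the session negotiated
# SSLv2 or SSLv3. Options within one rule must all match, so ssl_state
# restricts the match to sessions where a server hello has been seen.
alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"LOCAL server negotiated SSLv2 or SSLv3"; flow:established,to_client; ssl_version:sslv2,sslv3; ssl_state:server_hello; sid:1000001; rev:1;)

# A single negated identifier: the rule fires when the negotiated version
# is anything other than TLS 1.2, again only once a server hello is seen.
alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"LOCAL server negotiated a version other than TLS 1.2"; flow:established,to_client; ssl_version:!tls1.2; ssl_state:server_hello; sid:1000002; rev:1;)
```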


Eugene Misnik 2013-05-08