Snort features an SSL/TLS service inspector that inspects stream reassembled SSL and TLS traffic and keeps track of the records sent throughout a given session. It provides two options to rule writers,
ssl_version, which enable checking for a specific SSL/TLS state and a specific SSL/TLS version, respectively.
These options are declared with the keyword, followed by a ':' character, and then lastly followed by one or more identifiers that are the states or versions to match. The valid identifiers are listed below in their respective sections.
Both options can also be "negated" by placing
! after the colon to check that a given SSL/TLS packet does not match a version or state.
ssl_state rule option tracks the state of the SSL/TLS session. The list of states that can be matched are
unknown. Multiple states can be specified in a single option, via a comma separated list, and are
OR-ed together, meaning that if any of them match, the rule option evaluates to true.
# client_keyx OR server_keyx ssl_state:client_keyx,server_keyx;
# NOT server_hello ssl_state:!server_hello;
ssl_version rule option tracks the specific SSL/TLS version agreed upon by the two parties. The list of versions that can be matched are
tls1.2. More than one identifier can be specified, via a comma separated list, and are
OR-ed together, meaning that if any of them match, the rule option matches.
# TLS 1.0, TLS 1.1, OR TLS 1.2 ssl_version:tls1.0,tls1.1,tls1.2;
# NOT SSLv2 ssl_version:!sslv2;