ssl_state and ssl_version

Snort features an SSL/TLS service inspector that inspects stream-reassembled SSL and TLS traffic and keeps track of the records sent throughout a given session. It provides two options to rule writers, ssl_state and ssl_version, which check for a specific SSL/TLS handshake state and a specific SSL/TLS version, respectively.

Both options are written as the keyword, followed by a ':' character, followed by one or more identifiers naming the states or versions to match. The valid identifiers are listed below in their respective sections.

Both options can also be negated by placing ! directly after the colon, in which case the option matches only when the SSL/TLS session does not match any of the listed versions or states.

ssl_state

The ssl_state rule option tracks the handshake state of the SSL/TLS session. The states that can be matched are client_hello, server_hello, client_keyx, server_keyx, and unknown. Multiple states can be specified in a single option as a comma-separated list; they are OR-ed together, meaning that if any of them match, the rule option evaluates to true.

Format:

ssl_state:[!]{client_hello|server_hello|client_keyx|server_keyx|unknown}
          [,{client_hello|server_hello|client_keyx|server_keyx|unknown}]…;

Examples

ssl_state:client_hello;
# client_keyx OR server_keyx
ssl_state:client_keyx,server_keyx;
# NOT server_hello
ssl_state:!server_hello;

ssl_version

The ssl_version rule option tracks the specific SSL/TLS version agreed upon by the two parties. The versions that can be matched are sslv2, sslv3, tls1.0, tls1.1, and tls1.2. More than one identifier can be specified as a comma-separated list; they are OR-ed together, meaning that if any of them match, the rule option evaluates to true.

Format:

ssl_version:[!]{sslv2|sslv3|tls1.0|tls1.1|tls1.2}
            [,{sslv2|sslv3|tls1.0|tls1.1|tls1.2}]…;

Examples

ssl_version:sslv3;
# TLS 1.0, TLS 1.1, OR TLS 1.2
ssl_version:tls1.0,tls1.1,tls1.2;
# NOT SSLv2
ssl_version:!sslv2;
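The following is an added example, not code from the Snort project, that models the syntax and matching semantics of both ssl_state and ssl_version described above: a parser that validates the identifiers, honours the leading ! negation, and OR-s a comma-separated list, plus an evaluator that applies every such option found in a rule body to a constructed session record. The session record (a set of handshake states seen so far and a single negotiated version) and the rule bodies are constructed for illustration; combining options in one rule with AND follows ordinary Snort rule-option semantics rather than anything specific to these two options.

```python
"""Parse and evaluate Snort 3 ssl_state / ssl_version rule options (added example)."""
import re

# Valid identifiers, exactly as documented for each option.
SSL_STATES = frozenset({"client_hello", "server_hello", "client_keyx", "server_keyx", "unknown"})
SSL_VERSIONS = frozenset({"sslv2", "sslv3", "tls1.0", "tls1.1", "tls1.2"})
VALID_IDS = {"ssl_state": SSL_STATES, "ssl_version": SSL_VERSIONS}

# keyword ':' optional '!' comma-separated identifiers ';'
_OPTION_RE = re.compile(r"\s*(ssl_state|ssl_version)\s*:\s*(!?)\s*([^;]+?)\s*;?\s*$")


def parse_option(text):
    """Return (keyword, negated, frozenset of identifiers) for one option.

    Raises ValueError on a malformed option or an unknown identifier, which is
    the check a rule linter would perform before the rule is loaded.
    """
    m = _OPTION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not an ssl_state/ssl_version option: {text!r}")
    keyword, bang, body = m.groups()
    ids = frozenset(i.strip() for i in body.split(","))
    unknown = sorted(ids - VALID_IDS[keyword])
    if unknown:
        raise ValueError(f"{keyword}: unknown identifier(s) {unknown}")
    return keyword, bang == "!", ids


def option_matches(parsed, session):
    """Evaluate one parsed option against a session record.

    session is a constructed model: {"ssl_state": set of states seen so far,
    "ssl_version": negotiated version string}. Listed identifiers are OR-ed;
    '!' inverts the result so a negated option matches only when none apply.
    """
    keyword, negated, ids = parsed
    if keyword == "ssl_state":
        hit = bool(ids & session["ssl_state"])   # any listed state seen in the session
    else:
        hit = session["ssl_version"] in ids      # negotiated version is one of those listed
    return not hit if negated else hit


def extract_options(rule_body):
    """Pull every ssl_state/ssl_version option out of a rule body string."""
    return [parse_option(m.group(0))
            for m in re.finditer(r"\b(ssl_state|ssl_version)\s*:[^;]*;", rule_body)]


def rule_matches(rule_body, session):
    """All SSL options in a rule must hold (rule options are AND-ed in Snort)."""
    return all(option_matches(p, session) for p in extract_options(rule_body))


# Constructed rule body: alert once the server has answered and a legacy
# SSL version has been negotiated. sid is a placeholder, not a real rule id.
LEGACY_SSL_RULE = ('msg:"legacy SSL version negotiated"; ssl_state:server_hello; '
                   'ssl_version:sslv2,sslv3; sid:1000001;')

# Constructed session records representing the inspector's view mid-handshake.
LEGACY_SESSION = {"ssl_state": {"client_hello", "server_hello"}, "ssl_version": "sslv3"}
MODERN_SESSION = {"ssl_state": {"client_hello", "server_hello"}, "ssl_version": "tls1.2"}
EARLY_SESSION = {"ssl_state": {"client_hello"}, "ssl_version": "sslv3"}

if __name__ == "__main__":
    for name, sess in [("legacy", LEGACY_SESSION), ("modern", MODERN_SESSION), ("early", EARLY_SESSION)]:
        print(f"{name}: rule fires = {rule_matches(LEGACY_SSL_RULE, sess)}")
```

The early session shows why the ssl_state option belongs in such a rule: the version is only meaningful once the server_hello has been seen, so the rule stays quiet until that record has been reassembled.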