FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules
  Understanding Keywords and Arguments in Rules
Extracting SSL Information from a Session
License: Protection
You can use SSL rule keywords to invoke the Secure Sockets Layer (SSL) preprocessor and extract 
information about SSL version and session state from packets in an encrypted session. 
When a client and server communicate to establish an encrypted session using SSL or Transport Layer 
Security (TLS), they exchange handshake messages. Although the data transmitted in the session is 
encrypted, the handshake messages are not. 
The SSL preprocessor extracts state and version information from specific handshake fields. Two fields 
within the handshake indicate the version of SSL or TLS used to encrypt the session and the stage of the 
handshake.
For more information, see the following sections:
  • ssl_state
  • ssl_version
ssl_state
License: Protection
The ssl_state keyword can be used to match against state information for an encrypted session. To 
check for two or more SSL versions used simultaneously, use multiple ssl_version keywords in a rule.
When a rule uses the ssl_state keyword, the rules engine invokes the SSL preprocessor to check traffic 
for SSL state information.
For example, to detect an attacker's attempt to cause a buffer overflow on a server by sending a 
ClientHello message with an overly long challenge length and too much data, you could use the 
ssl_state keyword with client_hello as an argument, then check for abnormally large packets.
Use a comma-separated list to specify multiple arguments for the SSL state. When you list multiple 
arguments, the system evaluates them using the OR operator. For example, if you specify client_hello 
and server_hello as arguments, the system evaluates the rule against traffic that has a client_hello 
OR a server_hello.
You can also negate any argument; for example:
!client_hello, !unknown
To ensure the connection has reached each of a set of states, multiple rules using the ssl_state rule option 
should be used. 
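The scenario described above, written out as Snort-format rule text. This is an added example, not a rule from the guide or from Cisco's rule set; the 1000-byte payload threshold, the port, the message strings and the SIDs are assumptions chosen for illustration.

```snort
# Added example (not from the guide). Matches a ClientHello whose payload is
# unusually large, the buffer-overflow case described above: ssl_state asks
# the SSL preprocessor to confirm the packet is a client_hello, and dsize
# applies the "abnormally large packet" check. Threshold, port and SID are
# assumed values.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"SSL ClientHello with abnormally large payload"; \
    flow:to_server,established; \
    ssl_state:client_hello; \
    dsize:>1000; \
    sid:1000001; rev:1; )

# Comma-separated arguments are ORed, so this rule fires on a packet that
# the preprocessor reports as either client_hello or server_hello.
alert tcp any any -> $HOME_NET 443 ( \
    msg:"SSL handshake hello seen"; \
    flow:established; \
    ssl_state:client_hello,server_hello; \
    sid:1000002; rev:1; )

# The negation form shown above: match handshake traffic whose state is
# neither client_hello nor unknown.
alert tcp any any -> $HOME_NET 443 ( \
    msg:"SSL session past ClientHello"; \
    flow:established; \
    ssl_state:!client_hello,!unknown; \
    sid:1000003; rev:1; )
```

Each rule depends on the SSL preprocessor being enabled, as the note below this paragraph explains; without it the ssl_state check has no state to match against.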
Note that the SSL preprocessor must be enabled to allow processing of rules using the ssl_state 
keyword. When the SSL preprocessor is disabled and you enable rules that use this keyword, you are 
prompted whether to enable the preprocessor when you save the policy. Se
The ssl_state keyword takes the following identifiers as arguments: