[Snort-devel] tls1.3 support for 'ssl_version' and DTLS

Joshua Kinard kumba at gentoo.org
Mon Apr 30 03:54:31 EDT 2018

Curious, with the recent release of TLS 1.3, are there plans to update the
"ssl_version" keyword to support a "tls1.3" parameter to detect it?  I looked
at trying this myself, but the kicker is that all of the SSL record flags use a
single 32-bit bitfield that has all of its bits used up in

To add a new record flag for a "tls1.3" parameter would require either
extending the bitfield to 64-bits and changing a lot of places to handle the
larger data type, or break up the bitfield into multiple 32-bit variables.  The
latter option probably is the most sensible for the long-term, but neither is a
trivial change.

Also, going through some older rulesets, I noticed that the ssl_version keyword
was used in a few cases for DTLS over UDP.  The Snort manual nor README.ssl
make mention of DTLS support.  The rules in question are since disabled (e.g.,
SID 32382), but does the SSL Preprocessor handle DTLS?  If it does, has any
thought been given to support detecting the HelloVerifyRequest phase for DTLS
1.2 and lower, or the new HelloRetryRequest for DTLS 1.3, both within the
"ssl_state" keyword?  Both are used for passing a challenge cookie given that
DTLS is used over connectionless protocols (for UDP and DCCP).

Joshua Kinard
kumba at gentoo.org
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

More information about the Snort-devel mailing list