Bug #1893
closedtls: src_ip and dest_ip reversed in TLS events for IPS vs IDS mode.
Description
In IDS mode when making an HTTPS request (or probably any TLS request) the src_ip is client address and the dest_ip is the server address.
In IPS mode (real, or with --simulate-ips) the same request results in the src_ip being the server address and the dest_ip being the client.
These should be consistent regardless of mode.
Attached is a pcap doing a HEAD request over https to www.google.com that can show the issue with --simulate-ips.
Files
Updated by Jason Ish over 8 years ago
I guess there is also the question of whats correct. Should the src_ip be the client even if the certificate comes from the server, like in IDS mode? Or is IPS mode more correct where the src_ip is the server, where the certificate comes from?
What about client certificates, when we would see a certificate from each side?
Updated by Jason Ish over 8 years ago
- Subject changed from tls: src_ip and dest_ip reversed in IPS vs IDS mode. to tls: src_ip and dest_ip reversed in TLS events for IPS vs IDS mode.
Updated by Victor Julien over 8 years ago
Don't think client certs are handled at all currently.
Updated by Jason Ish over 8 years ago
I was testing rules/alerts to see if they behaved differently with respect to IDS and IPS mode, and they don't which is good. But I did notice this:
RULE: alert tls [10.16.1.0/24] any -> any any (msg:"TLS RULE TEST"; tls.version:"1.2"; sid:1; rev:1;)
ALERT: "src_ip":"10.16.1.11","src_port":54684,"dest_ip":"24.244.4.23","dest_port":443
RULE: alert tls any any -> [10.16.1.0/24] any (msg:"TLS RULE TEST"; tls.version:"1.2"; sid:1; rev:1;)
ALERT: src_ip":"24.244.4.23","src_port":443,"dest_ip":"10.16.1.11","dest_port":54684
As this was in IDS mode, in both cases the TLS events was like:
event_type":"tls","src_ip":"10.16.1.11","src_port":54684,"dest_ip":"24.244.4.23","dest_port":443
The alert behaviour is consistent between IDS and IPS modes.
Tests done using https-www-google-com-head.pcap already attached.
Updated by Jason Ish over 8 years ago
Just realized that using the TLS version is probably not the best way to show this off as that would be in each direction, so I used tls.fingerprint instead. I get the same results.
I also added an "any any -> any any" rule with the finger print and I get 2 alerts, one with the client as the source and one with the server as the source.
Updated by Mats Klepsland over 8 years ago
I can confirm that we don't handle client certificates.
Shouldn't the src_ip always be the client? Since it's the one initiating the session.
Looking at how tls.fingerprint is implemented, it looks like it doesn't care about direction at all. It always try to match on the fingerprint from the server in the SSL state, even on packets from the client. Direction seems to be implemented on tls.subject and tls.issuerdn, so try using one of these keywords for testing instead. All the keywords in detect-tls.c are probably due for a reimplementation..
Updated by Jason Ish over 8 years ago
- Assignee set to Jason Ish
I can handle the direction issues...
Updated by Jason Ish over 8 years ago
- Status changed from Assigned to Closed
- Target version set to 3.2beta1
Closing, merged into master: https://github.com/inliniac/suricata/pull/2300#event-806064032