Project

General

Profile

Actions

Feature #1983

open

tls: events are directionless and trigger twice per flow direction

Added by Victor Julien about 8 years ago. Updated 7 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Tls events are currently not set in a direction aware way. Each event triggers twice per flow, once toserver and once toclient.


Files

dump.pcapng (294 KB) dump.pcapng Andreas Herz, 02/03/2020 09:07 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #4759: TCP DNS query not found when tls filter is activeClosedJason IshActions
Actions #1

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Assigned
Actions #2

Updated by Andreas Herz over 5 years ago

I can't reproduce that with 5.0 beta anymore, can anyone confirm as well?

Actions #3

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Mats Klepsland to Andreas Herz

How did you test this? (SV test?)

Actions #4

Updated by Andreas Herz about 5 years ago

I tested it with HTTPS against my systems. What scenario did you have so I can see if I can transform it into a SV test?

Actions #5

Updated by Victor Julien about 5 years ago

  • Status changed from Feedback to New
  • Assignee changed from Andreas Herz to OISF Dev
  • Target version changed from 70 to 6.0.0beta1

This still an issue. I can reproduce, but the only pcap I have right shouldn't actually generate an event at all.

Actions #6

Updated by Victor Julien about 5 years ago

See pcap from #3253

Actions #7

Updated by Andreas Herz about 5 years ago

  • Assignee changed from OISF Dev to Andreas Herz
Actions #8

Updated by Andreas Herz about 5 years ago

I only get one event:

{
  "timestamp": "2019-10-17T08:34:15.307866+0200",
  "flow_id": 276078541517555,
  "pcap_cnt": 12,
  "event_type": "tls",
  "src_ip": "192.168.0.43",
  "src_port": 58217,
  "dest_ip": "52.221.74.15",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "OU=vd, CN=fkp.samsungcloudsolution.com",
    "issuerdn": "C=KR, ST=Kyunggido, L=Suwon, O=Samsung Electronics, OU=SW2 SISC, CN=ROOT CA SISC FKP2_PLUS",
    "serial": "32",
    "fingerprint": "71:cd:fe:08:7f:3d:2a:18:32:69:38:fa:bd:64:7b:c6:cf:cc:44:8e",
    "sni": "fkp.samsungcloudsolution.com",
    "version": "TLSv1",
    "ja3": {},
    "ja3s": {}
  }
}

With a plain default suricata.yaml

Actions #9

Updated by Andreas Herz about 5 years ago

  • Status changed from New to Assigned
Actions #10

Updated by Victor Julien about 5 years ago

Run it against rules/tls-events.rules and check the alerts. You will see alerts for both sides for the same event.

Actions #11

Updated by Andreas Herz almost 5 years ago

I can reproduce it with that pcap from the wireshark list, is that the case you see as well? I would convert it to pcap and create a SV for it.

Actions #12

Updated by Victor Julien over 4 years ago

Can you create the SV test? I don't see a reason for me to first confirm it.

Actions #14

Updated by Victor Julien over 4 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1
Actions #15

Updated by Andreas Herz over 4 years ago

  • Assignee changed from Andreas Herz to OISF Dev
Actions #16

Updated by Philippe Antoine over 2 years ago

Having looked at this :
Indeed events are directionless
It would be a good thing to match on the direction, but it should be optional

So implementing this would be :
- either have 2 stores for events (client and server), or using one bit of u8 to have the direction.
- Making all events addition setting the direction (that is the hard part)
- Have detect-app-layer-event.c parse an optimal direction and match on it if needed

Actions #17

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #18

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions #19

Updated by Jason Ish over 1 year ago

  • Related to Bug #4759: TCP DNS query not found when tls filter is active added
Actions #20

Updated by Jason Ish over 1 year ago

I think this was fixed with #4759. I rebased the S-V test and gave it a run: https://github.com/jasonish/suricata-verify/actions/runs/4963447610

Actions #21

Updated by Philippe Antoine over 1 year ago

I rebased https://github.com/OISF/suricata-verify/pull/223 and now we have 0 events instead of 2 ...

Actions #22

Updated by Philippe Antoine 7 months ago

  • Tracker changed from Bug to Feature
Actions

Also available in: Atom PDF