Feature #1983: tls: events are directionless and trigger twice per flow direction

Added by Victor Julien over 9 years ago. Updated about 1 year ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

TLS events are currently not set in a direction-aware way. Each event triggers twice per flow, once toserver and once toclient.

Files

dump.pcapng (294 KB), Andreas Herz, 02/03/2020 09:07 PM

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #4759: TCP DNS query not found when tls filter is active (Closed, Jason Ish)

Updated by Victor Julien about 9 years ago (#1)

  • Status changed from New to Assigned

Updated by Andreas Herz almost 7 years ago (#2)

I can't reproduce that with 5.0 beta anymore, can anyone confirm as well?

Updated by Victor Julien over 6 years ago (#3)

  • Status changed from Assigned to Feedback
  • Assignee changed from Mats Klepsland to Andreas Herz

How did you test this? (SV test?)

Updated by Andreas Herz over 6 years ago (#4)

I tested it with HTTPS against my systems. What scenario did you have so I can see if I can transform it into a SV test?

Updated by Victor Julien over 6 years ago (#5)

  • Status changed from Feedback to New
  • Assignee changed from Andreas Herz to OISF Dev
  • Target version changed from 70 to 6.0.0beta1

This is still an issue. I can reproduce it, but the only pcap I have right now shouldn't actually generate an event at all.

Updated by Victor Julien over 6 years ago (#6)

See pcap from #3253

Updated by Andreas Herz over 6 years ago (#7)

  • Assignee changed from OISF Dev to Andreas Herz

Updated by Andreas Herz over 6 years ago (#8)

I only get one event:

{
  "timestamp": "2019-10-17T08:34:15.307866+0200",
  "flow_id": 276078541517555,
  "pcap_cnt": 12,
  "event_type": "tls",
  "src_ip": "192.168.0.43",
  "src_port": 58217,
  "dest_ip": "52.221.74.15",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "OU=vd, CN=fkp.samsungcloudsolution.com",
    "issuerdn": "C=KR, ST=Kyunggido, L=Suwon, O=Samsung Electronics, OU=SW2 SISC, CN=ROOT CA SISC FKP2_PLUS",
    "serial": "32",
    "fingerprint": "71:cd:fe:08:7f:3d:2a:18:32:69:38:fa:bd:64:7b:c6:cf:cc:44:8e",
    "sni": "fkp.samsungcloudsolution.com",
    "version": "TLSv1",
    "ja3": {},
    "ja3s": {}
  }
}

With a plain default suricata.yaml.

Updated by Andreas Herz over 6 years ago (#9)

  • Status changed from New to Assigned

Updated by Victor Julien over 6 years ago (#10)

Run it against rules/tls-events.rules and check the alerts. You will see alerts for both sides for the same event.

Updated by Andreas Herz about 6 years ago (#11)

I can reproduce it with that pcap from the Wireshark list. Is that the case you see as well? I would convert it to pcap and create an SV test for it.

Updated by Victor Julien almost 6 years ago (#12)

Can you create the SV test? I don't see a reason for me to first confirm it.

Updated by Victor Julien over 5 years ago (#14)

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1

Updated by Andreas Herz over 5 years ago (#15)

  • Assignee changed from Andreas Herz to OISF Dev

Updated by Philippe Antoine almost 4 years ago (#16)

Having looked at this:
Indeed, events are directionless.
It would be a good thing to match on the direction, but it should be optional.

So implementing this would be:
- either have 2 stores for events (client and server), or use one bit of the u8 to carry the direction.
- make every event addition set the direction (that is the hard part).
- have detect-app-layer-event.c parse an optional direction and match on it if needed.
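
The sketch in comment #16 (one bit of the u8 event value carrying the direction, every addition setting it, and an optional direction parsed from the rule) as a self-contained C model. This is an added illustration, not Suricata's own code; the names EventStore, StoreSetEvent, StoreMatchEvent, ParseDirectionOption, CountAlerts, the DIR_* values and the 0x80 direction bit are assumptions made for the example. CountAlerts simulates detection running once per flow direction: with a directionless match an event raised only toclient fires in both passes, which is the double alert the ticket describes; with the stored direction honoured it fires once.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this illustration; not Suricata's API. */
enum { DIR_TOSERVER = 0, DIR_TOCLIENT = 1, DIR_ANY = 2 };

#define MAX_EVENTS    8
#define EVENT_DIR_BIT 0x80  /* top bit of the u8 carries the direction (assumed layout) */
#define EVENT_ID_MASK 0x7f  /* low 7 bits carry the event id (0..127) */

typedef struct {
    uint8_t events[MAX_EVENTS];
    uint8_t cnt;
} EventStore;

static void StoreInit(EventStore *s) { memset(s, 0, sizeof(*s)); }

/* Record event_id together with the direction it was raised in.
 * Every addition must pass a concrete direction; there is no directionless set. */
static bool StoreSetEvent(EventStore *s, uint8_t event_id, int dir)
{
    if (s->cnt >= MAX_EVENTS || (event_id & EVENT_DIR_BIT) != 0)
        return false;              /* store full or id out of range */
    if (dir != DIR_TOSERVER && dir != DIR_TOCLIENT)
        return false;              /* DIR_ANY is a match filter, not a set value */
    uint8_t v = (uint8_t)(event_id & EVENT_ID_MASK);
    if (dir == DIR_TOCLIENT)
        v |= EVENT_DIR_BIT;
    s->events[s->cnt++] = v;
    return true;
}

/* Number of stored events with this id; dir_filter == DIR_ANY ignores direction. */
static int StoreMatchEvent(const EventStore *s, uint8_t event_id, int dir_filter)
{
    int matches = 0;
    for (uint8_t i = 0; i < s->cnt; i++) {
        uint8_t v = s->events[i];
        if ((v & EVENT_ID_MASK) != event_id)
            continue;
        int dir = (v & EVENT_DIR_BIT) ? DIR_TOCLIENT : DIR_TOSERVER;
        if (dir_filter != DIR_ANY && dir != dir_filter)
            continue;
        matches++;
    }
    return matches;
}

/* Parse the optional direction a rule keyword could carry; absent means DIR_ANY. */
static int ParseDirectionOption(const char *opt)
{
    if (opt == NULL || opt[0] == '\0') return DIR_ANY;
    if (strcmp(opt, "toserver") == 0) return DIR_TOSERVER;
    if (strcmp(opt, "toclient") == 0) return DIR_TOCLIENT;
    return -1;                     /* unknown keyword: reject at rule load */
}

/* Simulate detection running once per flow direction (a toserver pass, then a toclient pass).
 * Directionless matching ignores the stored bit, so an event raised in one direction fires
 * in both passes; direction-aware matching fires only in the pass that matches the event. */
static int CountAlerts(const EventStore *s, uint8_t event_id, bool direction_aware)
{
    int alerts = 0;
    for (int pkt_dir = DIR_TOSERVER; pkt_dir <= DIR_TOCLIENT; pkt_dir++) {
        int filter = direction_aware ? pkt_dir : DIR_ANY;
        if (StoreMatchEvent(s, event_id, filter) > 0)
            alerts++;
    }
    return alerts;
}

/* Constructed scenario: the server side raises event id 3 once (toclient). */
static int DemoAlertCount(bool direction_aware)
{
    EventStore s;
    StoreInit(&s);
    StoreSetEvent(&s, 3, DIR_TOCLIENT);
    return CountAlerts(&s, 3, direction_aware);
}

int main(void)
{
    printf("directionless:   %d alert(s)\n", DemoAlertCount(false)); /* 2: the symptom in this ticket */
    printf("direction-aware: %d alert(s)\n", DemoAlertCount(true));  /* 1 */
    return 0;
}
```

The direction bit costs nothing extra in the store and keeps the old behaviour available: a rule that passes no direction option still gets DIR_ANY and matches as before, so the change is opt-in per rule as comment #16 asks.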

Updated by Victor Julien over 3 years ago (#17)

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

Updated by Victor Julien over 3 years ago (#18)

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

Updated by Jason Ish almost 3 years ago (#19)

  • Related to Bug #4759: TCP DNS query not found when tls filter is active added

Updated by Jason Ish almost 3 years ago (#20)

I think this was fixed with #4759. I rebased the S-V test and gave it a run: https://github.com/jasonish/suricata-verify/actions/runs/4963447610

Updated by Philippe Antoine almost 3 years ago (#21)

I rebased https://github.com/OISF/suricata-verify/pull/223 and now we have 0 events instead of 2 ...

Updated by Philippe Antoine almost 2 years ago (#22)

  • Tracker changed from Bug to Feature

Updated by Victor Julien about 1 year ago (#23)

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1