Bug #1983

open

tls: events are directionless and trigger twice per flow direction

Added by Victor Julien almost 5 years ago. Updated about 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

TLS events are currently not set in a direction-aware way. Each event triggers twice per flow, once toserver and once toclient.


Files

dump.pcapng (294 KB) dump.pcapng Andreas Herz, 02/03/2020 09:07 PM
#1

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
#2

Updated by Andreas Herz about 2 years ago

I can't reproduce that with 5.0 beta anymore; can anyone confirm as well?

#3

Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Mats Klepsland to Andreas Herz

How did you test this? (SV test?)

#4

Updated by Andreas Herz almost 2 years ago

I tested it with HTTPS against my systems. What scenario did you have so I can see if I can transform it into a SV test?

#5

Updated by Victor Julien almost 2 years ago

  • Status changed from Feedback to New
  • Assignee changed from Andreas Herz to OISF Dev
  • Target version changed from 70 to 6.0.0beta1

This is still an issue. I can reproduce it, but the only pcap I have right now shouldn't actually generate an event at all.

#6

Updated by Victor Julien almost 2 years ago

See pcap from #3253

#7

Updated by Andreas Herz almost 2 years ago

  • Assignee changed from OISF Dev to Andreas Herz
#8

Updated by Andreas Herz almost 2 years ago

I only get one event:

{
  "timestamp": "2019-10-17T08:34:15.307866+0200",
  "flow_id": 276078541517555,
  "pcap_cnt": 12,
  "event_type": "tls",
  "src_ip": "192.168.0.43",
  "src_port": 58217,
  "dest_ip": "52.221.74.15",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "OU=vd, CN=fkp.samsungcloudsolution.com",
    "issuerdn": "C=KR, ST=Kyunggido, L=Suwon, O=Samsung Electronics, OU=SW2 SISC, CN=ROOT CA SISC FKP2_PLUS",
    "serial": "32",
    "fingerprint": "71:cd:fe:08:7f:3d:2a:18:32:69:38:fa:bd:64:7b:c6:cf:cc:44:8e",
    "sni": "fkp.samsungcloudsolution.com",
    "version": "TLSv1",
    "ja3": {},
    "ja3s": {}
  }
}

With a plain default suricata.yaml

#9

Updated by Andreas Herz almost 2 years ago

  • Status changed from New to Assigned
#10

Updated by Victor Julien almost 2 years ago

Run it against rules/tls-events.rules and check the alerts. You will see alerts for both sides for the same event.
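The check suggested above, and the symptom described in the issue description (the same app-layer event alerting once toserver and once toclient on one flow), can be verified mechanically from eve.json. The following script is an added example; it is not part of the issue, of Suricata, or of suricata-verify. It assumes only the top-level fields every EVE alert record carries (flow_id, src_ip, src_port, dest_ip, dest_port, alert.signature_id) and does not rely on a direction field. The sample EVE lines, the flow ids and the signature id 9990001 are constructed for illustration, not taken from the attached pcap or from rules/tls-events.rules.

```python
import json
from collections import defaultdict

# Constructed sample EVE records (not real Suricata output from the issue's pcap).
# Flow 1111 raises the same signature twice: once with the client 10.0.0.5:40000
# as packet source (toserver) and once with the server 203.0.113.7:443 as packet
# source (toclient). Flow 2222 raises it once. The "tls" record is not an alert
# and must be ignored by the check.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "flow_id": 1111,
                "src_ip": "10.0.0.5", "src_port": 40000,
                "dest_ip": "203.0.113.7", "dest_port": 443, "proto": "TCP",
                "alert": {"signature_id": 9990001, "rev": 1,
                          "signature": "TLS event (constructed)"}}),
    json.dumps({"event_type": "alert", "flow_id": 1111,
                "src_ip": "203.0.113.7", "src_port": 443,
                "dest_ip": "10.0.0.5", "dest_port": 40000, "proto": "TCP",
                "alert": {"signature_id": 9990001, "rev": 1,
                          "signature": "TLS event (constructed)"}}),
    json.dumps({"event_type": "tls", "flow_id": 1111,
                "src_ip": "10.0.0.5", "src_port": 40000,
                "dest_ip": "203.0.113.7", "dest_port": 443, "proto": "TCP",
                "tls": {"sni": "example.invalid", "version": "TLSv1"}}),
    json.dumps({"event_type": "alert", "flow_id": 2222,
                "src_ip": "10.0.0.6", "src_port": 40001,
                "dest_ip": "203.0.113.7", "dest_port": 443, "proto": "TCP",
                "alert": {"signature_id": 9990001, "rev": 1,
                          "signature": "TLS event (constructed)"}}),
])


def iter_alerts(eve_text):
    """Yield parsed alert records from EVE JSON text, skipping blank and non-alert lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partially written last line of a live eve.json
        if rec.get("event_type") == "alert":
            yield rec


def packet_source(rec):
    """Endpoint that emitted the packet on which the alert was raised.

    Using the packet's own src_ip/src_port (rather than a direction field, which
    is assumed absent) distinguishes toserver from toclient without needing the
    flow's original orientation.
    """
    return (rec["src_ip"], rec["src_port"])


def find_bidirectional_alerts(eve_text):
    """Map (flow_id, sid) -> sorted packet-source endpoints for every signature
    that alerted from both sides of the same flow."""
    sources = defaultdict(set)
    for rec in iter_alerts(eve_text):
        key = (rec["flow_id"], rec["alert"]["signature_id"])
        sources[key].add(packet_source(rec))
    return {key: sorted(ends) for key, ends in sources.items() if len(ends) > 1}


def summarize(eve_text):
    """One human-readable line per (flow, sid) that fired in both directions."""
    out = []
    for (flow_id, sid), ends in sorted(find_bidirectional_alerts(eve_text).items()):
        sides = ", ".join(f"{ip}:{port}" for ip, port in ends)
        out.append(f"flow {flow_id} sid {sid}: alerted from both {sides}")
    return out


if __name__ == "__main__":
    import sys
    text = SAMPLE_EVE if sys.stdin.isatty() else sys.stdin.read()
    for line in summarize(text) or ["no duplicated per-direction alerts found"]:
        print(line)
```

Run without input to see the result on the constructed sample, or feed a real log produced by `suricata -S rules/tls-events.rules -r dump.pcapng -l outdir` via `python3 check_dup_dirs.py < outdir/eve.json`. A fixed Suricata should produce an empty report for the pcap; the bug shows up as a line naming both endpoints of the flow for the same sid.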

#11

Updated by Andreas Herz over 1 year ago

I can reproduce it with that pcap from the wireshark list; is that the case you see as well? I would convert it to pcap and create an SV for it.

#12

Updated by Victor Julien over 1 year ago

Can you create the SV test? I don't see a reason for me to first confirm it.

#14

Updated by Victor Julien about 1 year ago

  • Target version changed from 6.0.0beta1 to 7.0rc1
#15

Updated by Andreas Herz about 1 year ago

  • Assignee changed from Andreas Herz to OISF Dev