Bug #1983

tls: events are directionless and trigger twice per flow direction

Added by Victor Julien over 4 years ago. Updated 10 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

TLS events are currently not set in a direction-aware way. Each event triggers twice per flow, once toserver and once toclient.


Files

dump.pcapng (294 KB), Andreas Herz, 02/03/2020 09:07 PM
#1

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
#2

Updated by Andreas Herz almost 2 years ago

I can't reproduce that with 5.0 beta anymore, can anyone confirm as well?

#3

Updated by Victor Julien over 1 year ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Mats Klepsland to Andreas Herz

How did you test this? (SV test?)

#4

Updated by Andreas Herz over 1 year ago

I tested it with HTTPS against my systems. What scenario did you have so I can see if I can transform it into a SV test?

#5

Updated by Victor Julien over 1 year ago

  • Status changed from Feedback to New
  • Assignee changed from Andreas Herz to OISF Dev
  • Target version changed from 70 to 6.0.0beta1

This is still an issue. I can reproduce it, but the only pcap I have right now shouldn't actually generate an event at all.

#6

Updated by Victor Julien over 1 year ago

See pcap from #3253

#7

Updated by Andreas Herz over 1 year ago

  • Assignee changed from OISF Dev to Andreas Herz
#8

Updated by Andreas Herz over 1 year ago

I only get one event:

{
  "timestamp": "2019-10-17T08:34:15.307866+0200",
  "flow_id": 276078541517555,
  "pcap_cnt": 12,
  "event_type": "tls",
  "src_ip": "192.168.0.43",
  "src_port": 58217,
  "dest_ip": "52.221.74.15",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "OU=vd, CN=fkp.samsungcloudsolution.com",
    "issuerdn": "C=KR, ST=Kyunggido, L=Suwon, O=Samsung Electronics, OU=SW2 SISC, CN=ROOT CA SISC FKP2_PLUS",
    "serial": "32",
    "fingerprint": "71:cd:fe:08:7f:3d:2a:18:32:69:38:fa:bd:64:7b:c6:cf:cc:44:8e",
    "sni": "fkp.samsungcloudsolution.com",
    "version": "TLSv1",
    "ja3": {},
    "ja3s": {}
  }
}

With a plain default suricata.yaml

#9

Updated by Andreas Herz over 1 year ago

  • Status changed from New to Assigned
#10

Updated by Victor Julien over 1 year ago

Run it against rules/tls-events.rules and check the alerts. You will see alerts for both sides for the same event.
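A way to check for the behaviour described in this ticket from the EVE output, as an added example that is not part of the original thread or of Suricata's own tooling: run Suricata against the pcap with only the TLS event rules loaded (`suricata -r dump.pcap -S rules/tls-events.rules -l out/`) and feed `out/eve.json` to the script below. It groups `alert` records by `(flow_id, sid)` and flags any sid that appears with both orientations of the 5-tuple on the same flow, which is exactly "alerts for both sides for the same event". The embedded eve.json lines are constructed for the example; the signature ids and names are placeholders, not the real sids in `rules/tls-events.rules`.

```python
"""Find Suricata EVE alerts that fire in both directions of the same flow.

Added example (not Suricata's own code). A single app-layer event such as
a TLS decoder event should produce one alert per flow. If the same sid is
seen with both orientations of the 5-tuple on one flow_id, the event
alerted toserver and toclient, which is the behaviour the bug describes.
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines (not taken from the attached pcap).
# sid values and signature names are placeholders, not real tls-events.rules ids.
SAMPLE_EVE = """\
{"timestamp":"2019-10-17T08:34:15.307866+0200","flow_id":276078541517555,"event_type":"alert","src_ip":"192.168.0.43","src_port":58217,"dest_ip":"52.221.74.15","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE TLS event (placeholder)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-10-17T08:34:15.307900+0200","flow_id":276078541517555,"event_type":"alert","src_ip":"52.221.74.15","src_port":443,"dest_ip":"192.168.0.43","dest_port":58217,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE TLS event (placeholder)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-10-17T08:34:16.000000+0200","flow_id":111,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE other TLS event (placeholder)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-10-17T08:34:16.100000+0200","flow_id":111,"event_type":"tls","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","tls":{"sni":"example.invalid","version":"TLSv1"}}
"""


def orientations_by_flow_sid(eve_lines):
    """Map (flow_id, sid, signature) -> set of (src_ip, src_port, dest_ip, dest_port).

    Only event_type "alert" records are counted; tls/flow records are skipped.
    """
    seen = defaultdict(set)
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        key = (rec["flow_id"], alert["signature_id"], alert["signature"])
        seen[key].add((rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]))
    return seen


def double_fired(eve_lines):
    """Return [(flow_id, sid, signature)] for sids that alerted in both directions."""
    hits = []
    for key, tuples in orientations_by_flow_sid(eve_lines).items():
        # If the reverse of any observed orientation is also present, the same
        # sid alerted once toserver and once toclient on this flow.
        reversed_present = any(
            (d_ip, d_port, s_ip, s_port) in tuples
            for (s_ip, s_port, d_ip, d_port) in tuples
        )
        if reversed_present:
            hits.append(key)
    return hits


def main():
    # Replace SAMPLE_EVE.splitlines() with open("out/eve.json") on a real run.
    for flow_id, sid, sig in double_fired(SAMPLE_EVE.splitlines()):
        print(f"flow {flow_id}: sid {sid} ({sig}) alerted in both directions")


if __name__ == "__main__":
    main()
```

On the constructed input only the first flow is reported: sid 9000001 is seen as 192.168.0.43:58217 -> 52.221.74.15:443 and as the reverse, while sid 9000002 on flow 111 appears in one direction only. The check uses the reverse 5-tuple rather than a `to_server`/`to_client` field so it works on EVE output from the Suricata versions discussed in this ticket, which do not carry an explicit direction on alert records.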

#11

Updated by Andreas Herz over 1 year ago

I can reproduce it with that pcap from the Wireshark list, is that the case you see as well? I would convert it to pcap and create a SV test for it.

#12

Updated by Victor Julien about 1 year ago

Can you create the SV test? I don't see a reason for me to first confirm it.

#14

Updated by Victor Julien 11 months ago

  • Target version changed from 6.0.0beta1 to 7.0rc1
#15

Updated by Andreas Herz 10 months ago

  • Assignee changed from Andreas Herz to OISF Dev
