Feature #1983
opentls: events are directionless and trigger twice per flow direction
Description
Tls events are currently not set in a direction aware way. Each event triggers twice per flow, once toserver and once toclient.
Files
Updated by Andreas Herz over 5 years ago
I can't reproduce that with 5.0 beta anymore, can anyone confirm as well?
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Feedback
- Assignee changed from Mats Klepsland to Andreas Herz
How did you test this? (SV test?)
Updated by Andreas Herz about 5 years ago
I tested it with HTTPS against my systems. What scenario did you have so I can see if I can transform it into a SV test?
Updated by Victor Julien about 5 years ago
- Status changed from Feedback to New
- Assignee changed from Andreas Herz to OISF Dev
- Target version changed from 70 to 6.0.0beta1
This still an issue. I can reproduce, but the only pcap I have right shouldn't actually generate an event at all.
Updated by Andreas Herz about 5 years ago
- Assignee changed from OISF Dev to Andreas Herz
Updated by Andreas Herz about 5 years ago
I only get one event:
{ "timestamp": "2019-10-17T08:34:15.307866+0200", "flow_id": 276078541517555, "pcap_cnt": 12, "event_type": "tls", "src_ip": "192.168.0.43", "src_port": 58217, "dest_ip": "52.221.74.15", "dest_port": 443, "proto": "TCP", "tls": { "subject": "OU=vd, CN=fkp.samsungcloudsolution.com", "issuerdn": "C=KR, ST=Kyunggido, L=Suwon, O=Samsung Electronics, OU=SW2 SISC, CN=ROOT CA SISC FKP2_PLUS", "serial": "32", "fingerprint": "71:cd:fe:08:7f:3d:2a:18:32:69:38:fa:bd:64:7b:c6:cf:cc:44:8e", "sni": "fkp.samsungcloudsolution.com", "version": "TLSv1", "ja3": {}, "ja3s": {} } }
With a plain default suricata.yaml
Updated by Victor Julien about 5 years ago
Run it against rules/tls-events.rules and check the alerts. You will see alerts for both sides for the same event.
Updated by Andreas Herz almost 5 years ago
- File dump.pcapng dump.pcapng added
I can reproduce it with that pcap from the wireshark list, is that the case you see as well? I would convert it to pcap and create a SV for it.
Updated by Victor Julien over 4 years ago
Can you create the SV test? I don't see a reason for me to first confirm it.
Updated by Andreas Herz over 4 years ago
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Andreas Herz over 4 years ago
- Assignee changed from Andreas Herz to OISF Dev
Updated by Philippe Antoine over 2 years ago
Having looked at this :
Indeed events are directionless
It would be a good thing to match on the direction, but it should be optional
So implementing this would be :
- either have 2 stores for events (client and server), or using one bit of u8 to have the direction.
- Making all events addition setting the direction (that is the hard part)
- Have detect-app-layer-event.c
parse an optimal direction and match on it if needed
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Jason Ish over 1 year ago
- Related to Bug #4759: TCP DNS query not found when tls filter is active added
Updated by Jason Ish over 1 year ago
I think this was fixed with #4759. I rebased the S-V test and gave it a run: https://github.com/jasonish/suricata-verify/actions/runs/4963447610
Updated by Philippe Antoine over 1 year ago
I rebased https://github.com/OISF/suricata-verify/pull/223 and now we have 0 events instead of 2 ...