Project

General

Profile

Actions

Bug #2050

closed

TLS rule mixes up server and client certificates

Added by Erich Lerch over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata Version 3.2.1

Trying to detect our own expired certificates with a rule as follows:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"expired certificate found"; flow:established,from_server; tls_cert_expired; tls_cert_subject;content:"mydom"; sid:1;rev:1;)

The idea behind this rule was to detect server certs. Now the alert triggered on a client cert (2-way SSL), and the alert output was mixed (server/client cert data):

...
  "tls": {
    "subject": "<subject_from_SERVER_cert>",
    "issuerdn": "<issuer_from_SERVER_cert>",
    "fingerprint": "<fingerprint_from_SERVER_cert>",
    "version": "TLS 1.2",
    "notbefore": "<date_from_CLIENT_cert>",
    "notafter": "<date_from_CLIENT_cert>" 
  },
...

Given he rule (traffic direction), I would have expected the client cert not to be considered here.
The client certificate DID have a matching tls_cert_subject in this case, though. I still consider it to be a bug (detection and mixed up logging).

Actions #1

Updated by Mats Klepsland over 5 years ago

Is it possible for you to recreate this, capture a pcap of the traffic and share it? You can share it privately if you like.

That would greatly simplify debugging this issue :)

Thanks for reporting the bug!

Actions #2

Updated by Mats Klepsland over 5 years ago

I think I just located the bug, but I will have to do some more testing before I can confirm this.

Actions #3

Updated by Erich Lerch over 5 years ago

PCAP sent to your gmail. Thanks!

Actions #4

Updated by Mats Klepsland over 5 years ago

I can confirm that I've managed to reproduce the bug with the pcap you sent.

Actions #5

Updated by Mats Klepsland over 5 years ago

  • Assignee set to Mats Klepsland

Submitted pull requests [1][2] to fix the bug.

[1] https://github.com/inliniac/suricata/pull/2599
[2] https://github.com/inliniac/suricata/pull/2600 (backport to 3.2.x)

Actions #6

Updated by Andreas Herz over 5 years ago

  • Target version set to TBD
Actions #7

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Target version changed from TBD to 70
Actions #8

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 4.0.1
Actions

Also available in: Atom PDF