Bug #2393

open

One way TLS traffic not properly identified

Added by Austin Taylor almost 5 years ago. Updated about 3 years ago.

Status:
Assigned
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata does not properly identify TLS traffic that only has one-way communication. Bro seems to properly identify the traffic and extract the TLS fields, but Suricata does not. I've tried using both netflow and flow, but both were unsuccessful in identifying the attached PCAP as TLS.


Files

ssl_not_identified_by_suricata.pcap (4.13 KB): PCAP not identified as SSL by Suricata. Austin Taylor, 01/03/2018 08:54 AM
ssl_identified_by_bro_not_suricata.png (160 KB): Bro SSL identification. Austin Taylor, 01/03/2018 08:54 AM

Related issues: 1 (1 open, 0 closed)

Related to Task #2278: tracking: failing better (status: New; assignee: OISF Dev)
Actions #1

Updated by Victor Julien almost 5 years ago

  • File deleted (ssl_not_parsing.pcap)
Actions #2

Updated by Victor Julien almost 5 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.14.51 AM.png)
Actions #3

Updated by Victor Julien almost 5 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.15.26 AM.png)
Actions #4

Updated by Victor Julien almost 5 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.15.50 AM.png)
Actions #5

Updated by Victor Julien almost 5 years ago

  • Assignee deleted (Victor Julien)
  • Priority changed from Urgent to Normal

Files deleted on Austin's request.

Actions #6

Updated by Andreas Herz over 4 years ago

  • Assignee set to Austin Taylor
  • Target version set to TBD

Do we have enough details for that issue?

Actions #8

Updated by Austin Taylor over 4 years ago

Andreas, please see attached files. Please let me know if you need additional information.

Actions #9

Updated by Victor Julien over 3 years ago

  • Related to Task #2278: tracking: failing better added
Actions #10

Updated by Victor Julien over 3 years ago

Actions #11

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from Austin Taylor to Mats Klepsland

With --set stream.async-oneside=true the flow record does show the app_proto as tls, but I get no tls records.

Actions #12

Updated by Andreas Herz about 3 years ago

Mats, can you take a look into that?

Actions #13

Updated by Philippe Antoine about 3 years ago

What kind of logs are you looking for?
eve.json? tls.log?

Both of these require a certificate to log something.
And this is not the case in this pcap as it is client side only.

I confirm that with --set stream.async-oneside=true the TLS app layer is indeed recognized and parsed.

Code is in log-tlslog.c (and similar test in output-json-tls.c):

    /* Skip the log entry unless one of these holds: the session was resumed
     * (and resumption logging is enabled), a server certificate with both
     * issuer and subject was seen, or logging without a certificate is
     * enabled. A client-side-only flow satisfies none of them. */
    if (((hlog->flags & LOG_TLS_SESSION_RESUMPTION) == 0 ||
            (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0) &&
            (ssl_state->server_connp.cert0_issuerdn == NULL ||
            ssl_state->server_connp.cert0_subject == NULL) &&
            ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
        return 0;
    }
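As an added illustration of the "client side only" point above (example code, not Suricata's or Bro's): a client-only capture carries just the ClientHello, so the fields below (legacy version, cipher suites, SNI) are all that can be extracted, and no certificate is ever available to satisfy the guard quoted from log-tlslog.c. The record bytes are constructed inline by build_client_hello, and both function names are this example's own.

```python
import struct

def build_client_hello(sni: bytes) -> bytes:
    """Constructed sample: one TLS record carrying a TLS 1.2 ClientHello with server_name."""
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni          # name_type=host_name, name
    ext_data = struct.pack("!H", len(entry)) + entry               # ServerNameList
    ext = struct.pack("!HH", 0, len(ext_data)) + ext_data          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLE_RECORD = build_client_hello(b"example.test")

def parse_client_hello(record: bytes) -> dict:
    """Return the fields recoverable from the client's first flight alone."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])                      # (3, 3) is TLS 1.2
    pos = 34                                          # skip version + 32-byte random
    pos += 1 + body[pos]                              # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    sni = None
    if pos + 2 <= len(body):                          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}
```

Running parse_client_hello(SAMPLE_RECORD) yields the SNI and cipher list but no issuer or subject, which is exactly why the quoted check returns 0 for such a flow unless logging without a certificate is enabled.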

Actions #14

Updated by Philippe Antoine about 3 years ago
