Project

General

Profile

Actions
Copy link

Bug #2393

closed

One way TLS traffic not properly identified

Added by Austin Taylor over 6 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Mats Klepsland
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata does not properly identify TLS traffic that only has one-way communication. Bro seems to properly identify the traffic and extract the TLS fields, but Suricata does not. I've tried using both netflow and flow, but both were unsuccessful in identifying the attached PCAP as TLS.

Files

Download all files
ssl_not_identified_by_suricata.pcap (4.13 KB) ssl_not_identified_by_suricata.pcap PCAP not identified as SSL by Suricata Austin Taylor, 01/03/2018 08:54 AM
ssl_identified_by_bro_not_suricata.png (160 KB) ssl_identified_by_bro_not_suricata.png Bro SSL identification Austin Taylor, 01/03/2018 08:54 AM

Related issues 1 (1 open0 closed)

Related to Suricata - Task #2278: tracking: failing betterNewOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien over 6 years ago

  • File deleted (ssl_not_parsing.pcap)
Actions
Copy link
 #2

Updated by Victor Julien over 6 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.14.51 AM.png)
Actions
Copy link
 #3

Updated by Victor Julien over 6 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.15.26 AM.png)
Actions
Copy link
 #4

Updated by Victor Julien over 6 years ago

  • File deleted (Screen Shot 2017-12-21 at 4.15.50 AM.png)
Actions
Copy link
 #5

Updated by Victor Julien over 6 years ago

  • Assignee deleted (Victor Julien)
  • Priority changed from Urgent to Normal

Files deleted on Austins request.

Actions
Copy link
 #6

Updated by Andreas Herz over 6 years ago

  • Assignee set to Austin Taylor
  • Target version set to TBD

Do we have enough details for that issue?

Actions
Copy link
 #8

Updated by Austin Taylor over 6 years ago

Andreas, please see attached files. Please let me know if you need additional information.

Actions
Copy link
 #9

Updated by Victor Julien about 5 years ago

  • Related to Task #2278: tracking: failing better added
Actions
Copy link
 #10

Updated by Victor Julien about 5 years ago

Actions
Copy link
 #11

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Austin Taylor to Mats Klepsland

With --set stream.async-oneside=true the flow record does show the app_proto as tls, but I get no tls records.

Actions
Copy link
 #12

Updated by Andreas Herz over 4 years ago

Mats can you take a look into that?

Actions
Copy link
 #13

Updated by Philippe Antoine over 4 years ago

What kind of logs are you looking for ?
eve.json ? tls.log ?

For both of these, they require a certificate to log something.
And this is not the case in this pcap as it is client side only.

I confirm that with --set stream.async-oneside=true the TLS app layer is indeed recognized and parsed

Code is in log-tlslog.c (and similar test in output-json-tls.c) :

    if (((hlog->flags & LOG_TLS_SESSION_RESUMPTION) == 0 ||
            (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0) &&
            (ssl_state->server_connp.cert0_issuerdn == NULL ||
            ssl_state->server_connp.cert0_subject == NULL) &&
            ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
        return 0;
    }

Actions
Copy link
 #14

Updated by Philippe Antoine over 4 years ago

Actions
Copy link
 #15

Updated by Philippe Antoine 5 months ago

  • Status changed from Assigned to Closed

Looks like this is fixed with --set stream.async-oneside=true

Actions
Copy link

Also available in: Atom PDF