Bug #2861
closedSuricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works
Description
This rule
alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224005; rev:1;)
Doesn't detect weak modp 1024 Diffie-Hellmann parameter
pcap file attached
- suricata --build-info
This is Suricata version 4.1.0-dev (rev 8709a20d)
Files
Updated by Victor Julien almost 6 years ago
- Assignee set to Pierre Chifflier
Pierre, could you check this one as well? Thanks!
Updated by Pierre Chifflier almost 6 years ago
Thanks for the pcap!
A first look at the code shows that internally the weak DH parameters are correctly detected (https://github.com/OISF/suricata/blob/master-4.1.x/rust/src/ikev2/ikev2.rs#L310-L311).
However, I confirm that while the transaction is created and the event is set, no alert is raised. I'm investigating further.
Note: I have found some problems with names in `rules/ipsec-events.rules`, so I'll also fix this.
Updated by Pierre Chifflier almost 6 years ago
- Status changed from New to Resolved
- the default rules in
rules/ipsec-events.rules
are testingflow:to_client
. This is not a bug, but is intentional: the server reply contains the accepted proposals, this has greater severity, for ex, than a client proposing weak DH (that can be ignored by the server). If you want to detect weak proposals, you need to either add a rule, or modify the existing one - the default rules contained wrong event names. This is fixed in proposed the PR (commit https://github.com/OISF/suricata/pull/3702/commits/d991b2d1ae470d4b6deb460e7611ae676c08324a)
- a logic bug in the transaction handling for IKEv2 caused the events raised in the first message to be ignored. This is fixed in the proposed PR (commit https://github.com/OISF/suricata/pull/3702/commits/4362525cebef90cbb834e306b5e79b48d93cf036)
Marking bug as resolved.
Updated by Victor Julien almost 6 years ago
- Copied to Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x) added