Project

General

Profile

Actions

Bug #2861

closed

Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works

Added by Michal Vymazal almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This rule
alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224005; rev:1;)

Doesn't detect weak modp 1024 Diffie-Hellmann parameter

pcap file attached

  1. suricata --build-info
    This is Suricata version 4.1.0-dev (rev 8709a20d)

Files

IKEv2_SA_INIT_2-8-weak.pcap (308 Bytes) IKEv2_SA_INIT_2-8-weak.pcap Michal Vymazal, 03/04/2019 11:49 AM

Related issues 1 (0 open1 closed)

Copied to Suricata - Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x)ClosedVictor JulienActions
Actions #1

Updated by Victor Julien almost 6 years ago

  • Assignee set to Pierre Chifflier

Pierre, could you check this one as well? Thanks!

Actions #2

Updated by Pierre Chifflier almost 6 years ago

Thanks for the pcap!

A first look at the code shows that internally the weak DH parameters are correctly detected (https://github.com/OISF/suricata/blob/master-4.1.x/rust/src/ikev2/ikev2.rs#L310-L311).
However, I confirm that while the transaction is created and the event is set, no alert is raised. I'm investigating further.

Note: I have found some problems with names in `rules/ipsec-events.rules`, so I'll also fix this.

Actions #3

Updated by Pierre Chifflier almost 6 years ago

  • Status changed from New to Resolved
After investigating, I found 3 causes for the problem:
  1. the default rules in rules/ipsec-events.rules are testing flow:to_client. This is not a bug, but is intentional: the server reply contains the accepted proposals, this has greater severity, for ex, than a client proposing weak DH (that can be ignored by the server). If you want to detect weak proposals, you need to either add a rule, or modify the existing one
  2. the default rules contained wrong event names. This is fixed in proposed the PR (commit https://github.com/OISF/suricata/pull/3702/commits/d991b2d1ae470d4b6deb460e7611ae676c08324a)
  3. a logic bug in the transaction handling for IKEv2 caused the events raised in the first message to be ignored. This is fixed in the proposed PR (commit https://github.com/OISF/suricata/pull/3702/commits/4362525cebef90cbb834e306b5e79b48d93cf036)

Marking bug as resolved.

Actions #4

Updated by Victor Julien almost 6 years ago

  • Copied to Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x) added
Actions #5

Updated by Andreas Herz over 5 years ago

  • Target version set to TBD
Actions #6

Updated by Andreas Herz over 5 years ago

  • Status changed from Resolved to Closed

commits merged

Actions

Also available in: Atom PDF