
Feature #2939

Suricata enhancements - proposals

Added by Michal Vymazal 5 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

My first proposals for Suricata plugin enhancements - TLS/SSL. At this moment Moloch shows only the TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

My first proposal is to also show the Diffie-Hellman server parameters, named curve, public key, signature algorithm, signature hash algorithm hash, signature hash algorithm signature and signature length.
(signal-Screenshot_20190327_211955.png, signal-Screenshot_20190327_212101.png)

I hope this will also be usable for SSH, IKEv1, IKEv2 and IKEv3 handshakes.
(IKEv1-main-Screenshot_20190424_174215.png, IKEv2_SA_INIT_Screenshot_20190424_174651.png, elasticsearch-sshv2.pdf)

Files

Screenshot_20190301_122822.png (112 KB) Michal Vymazal, 04/24/2019 03:34 PM
signal-Screenshot_20190327_211955.png (182 KB) Michal Vymazal, 04/24/2019 03:35 PM
signal-Screenshot_20190327_212101.png (197 KB) Michal Vymazal, 04/24/2019 03:35 PM
IKEv1-main-Screenshot_20190424_174215.png (184 KB) Michal Vymazal, 04/24/2019 03:49 PM
IKEv2_SA_INIT_Screenshot_20190424_174651.png (175 KB) Michal Vymazal, 04/24/2019 03:50 PM
elasticsearch-sshv2.pdf (323 KB) Michal Vymazal, 04/24/2019 03:50 PM

History

#1

Updated by Andreas Herz 5 months ago

I would suggest opening dedicated feature requests for each of those proposals, with the details you would like to have.

#2

Updated by Michal Vymazal 5 months ago

You are right. I will try to describe each plugin enhancement separately.

#3

Updated by Michal Vymazal 5 months ago

TLS/SSL
At this moment Moloch shows only the TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

The Illustrated TLS Connection
https://tls.ulfheim.net/

For the Suricata TLS plugin I suggest including these values in the Moloch screen:

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find a similar illustrated guide for IKEvX and SSH for a better description.

#4

Updated by Andreas Herz 4 months ago

  • Assignee set to Michal Vymazal
  • Target version set to TBD
