Project

General

Profile

Actions

Feature #2939

open

Suricata enhancements - proposals

Added by Michal Vymazal over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

My first proposals for suricata plugins enhancement - TLS/SSL. At this moment moloch shows only TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

My first proposal is to show also the Diffie-Hellman server parameters, named curve, public key, signature algorithm, signature hash algorithm hash, signature hash algorithm signature and signature length.
(signal-Screenshot_20190327_211955.png, signal-Screenshot_20190327_212101.png)

I hope - this will be usable also for SSH, IKEv1, IKEv2 and IKEv3 handshake.
(IKEv1-main-Screenshot_20190424_174215.png, IKEv2_SA_INIT_Screenshot_20190424_174651.png, elasticsearch-sshv2.pdf)


Files

Actions #1

Updated by Andreas Herz over 2 years ago

I would suggest to open dedicated feature requests for each of those proposals with the details you would like to have.

Actions #2

Updated by Michal Vymazal over 2 years ago

You are right. I will try to describe each plugin enhancement separately.

Actions #3

Updated by Michal Vymazal over 2 years ago

TLS/SSL
At this moment moloch shows only TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

The Illustrated TLS Connection
https://tls.ulfheim.net/

For Suricata TLS plugin I suggest to include this values in the moloch screen

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find similar illustrated guide for IKEvX and SSH for better description.

Actions #4

Updated by Andreas Herz over 2 years ago

  • Assignee set to Michal Vymazal
  • Target version set to TBD
Actions

Also available in: Atom PDF