Feature #2957


Suricata x Moloch - protocol detection. Proposals for TLS/SSL

Added by Michal Vymazal over 3 years ago. Updated over 2 years ago.

Target version:


At this moment moloch shows only TLS version, negotiated cipher and some certificate data.

Previous task version

The Illustrated TLS Connection

For the Suricata TLS plugin I suggest including these values in the Moloch screen

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.


  • Screenshot_20190301_122822.png (112 KB) - Michal Vymazal, 05/03/2019 08:08 AM
  • tls-inspection-rules.txt (2.3 KB) - Michal Vymazal, 05/03/2019 08:11 AM
  • Screenshot_20191123_095533-2.png (151 KB) - Moloch screen, the selected part will be enhanced with TLS handshake proposals and exchange parameters - Michal Vymazal, 11/23/2019 09:10 AM
  • Screenshot_20191123_095432.png (161 KB) - List of TLS parameters - Michal Vymazal, 11/23/2019 09:12 AM
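The fields the request lists (cipher suite proposals, compression methods, supported groups, EC point formats, signature algorithms, renegotiation info) all sit in the ClientHello and ServerHello handshake messages. As an added illustration that is not part of this ticket or of the Suricata/Moloch code, the following Python parser pulls exactly those fields out of a TLS record. The two records it parses are constructed test vectors (zeroed random, minimal extension set) built here for the example; the extension type numbers are the IANA-assigned ones.

```python
"""Extract TLS ClientHello / ServerHello proposals (added example, not Suricata code)."""
import struct

# IANA TLS extension type numbers for the fields named in the feature request
EXT_SUPPORTED_GROUPS = 10
EXT_EC_POINT_FORMATS = 11
EXT_SIGNATURE_ALGORITHMS = 13
EXT_RENEGOTIATION_INFO = 0xFF01


def _u16(b, off):
    return struct.unpack_from(">H", b, off)[0]


def _lv(b, off, lensize):
    """Read a length-prefixed vector (1-, 2- or 3-byte length); return (payload, new_offset)."""
    n = int.from_bytes(b[off:off + lensize], "big")
    start, end = off + lensize, off + lensize + n
    if end > len(b):
        raise ValueError("truncated vector")
    return b[start:end], end


def _pairs(payload):
    """Split a byte string into a list of big-endian 16-bit values (suites, groups, sigalgs)."""
    if len(payload) % 2:
        raise ValueError("odd-length list of 16-bit values")
    return [_u16(payload, i) for i in range(0, len(payload), 2)]


def parse_extensions(blob):
    """Decode the extensions the ticket asks for; other types are recorded by number only."""
    exts, off = {}, 0
    while off < len(blob):
        etype = _u16(blob, off)
        data, off = _lv(blob, off + 2, 2)
        if etype == EXT_SUPPORTED_GROUPS:
            exts["supported_groups"] = _pairs(_lv(data, 0, 2)[0])
        elif etype == EXT_EC_POINT_FORMATS:
            exts["ec_point_formats"] = list(_lv(data, 0, 1)[0])
        elif etype == EXT_SIGNATURE_ALGORITHMS:
            exts["signature_algorithms"] = _pairs(_lv(data, 0, 2)[0])
        elif etype == EXT_RENEGOTIATION_INFO:
            exts["renegotiation_info"] = _lv(data, 0, 1)[0].hex()
        else:
            exts.setdefault("other", []).append(etype)
    return exts


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    body, _ = _lv(record, 3, 2)          # record header: type(1) version(2) length(2)
    htype = body[0]
    hello, _ = _lv(body, 1, 3)           # handshake header: type(1) 24-bit length(3)
    out = {"handshake_type": htype, "version": hello[0:2].hex()}
    off = 2 + 32                         # skip version and random
    _, off = _lv(hello, off, 1)          # session_id
    if htype == 1:                       # ClientHello: lists of proposals
        suites, off = _lv(hello, off, 2)
        out["cipher_suites"] = _pairs(suites)
        comps, off = _lv(hello, off, 1)
        out["compression_methods"] = list(comps)
    elif htype == 2:                     # ServerHello: the single chosen values
        out["cipher_suite"] = _u16(hello, off)
        out["compression_method"] = hello[off + 2]
        off += 3
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if off < len(hello):                 # extensions block is optional
        exts, _ = _lv(hello, off, 2)
        out["extensions"] = parse_extensions(exts)
    return out


# Constructed ClientHello (random zeroed): offers 0xC02F and 0x009C, null compression,
# supported_groups x25519 (29) + secp256r1 (23), uncompressed point format,
# signature_algorithms 0x0403 + 0x0804, and an empty renegotiation_info.
CLIENT_HELLO = bytes.fromhex("".join([
    "16 0301 0050",               # record: handshake, 80 bytes
    "01 00004c",                  # ClientHello, 76 bytes
    "0303", "00" * 32, "00",      # version, random, empty session_id
    "0004 c02f 009c",             # cipher_suites
    "01 00",                      # compression_methods
    "001f",                       # extensions length 31
    "000a 0006 0004 001d 0017",   # supported_groups
    "000b 0002 01 00",            # ec_point_formats
    "000d 0006 0004 0403 0804",   # signature_algorithms
    "ff01 0001 00",               # renegotiation_info
]))

# Constructed ServerHello choosing 0xC02F and null compression, with renegotiation_info.
SERVER_HELLO = bytes.fromhex("".join([
    "16 0303 0031", "02 00002d",
    "0303", "00" * 32, "00",
    "c02f", "00",
    "0005", "ff01 0001 00",
]))

if __name__ == "__main__":
    print(parse_hello(CLIENT_HELLO))
    print(parse_hello(SERVER_HELLO))
```

The returned dictionaries map directly onto the rows the screenshots propose for the Moloch session view; numeric suite and group identifiers are kept as-is so a display layer can resolve them against the IANA registry.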
#1

Updated by Michal Vymazal over 3 years ago

I also uploaded my signatures for TLS inspection.

alert tls any !10050:10051

means no Zabbix connections.

#2

Updated by Andreas Herz about 3 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Are you interested in working on that as a contribution?

#3

Updated by Michal Vymazal about 3 years ago

Really glad. What can I do?

#4

Updated by Andreas Herz about 3 years ago

  • Assignee changed from Community Ticket to Michal Vymazal

The necessary steps are explained in and feel free to ask if you have any specific questions. You can also look at our github page and see how we work with PRs.

#5

Updated by Andreas Herz about 3 years ago

  • Status changed from New to Assigned

#6

Updated by Michal Vymazal about 3 years ago

OK. Give me a week to study the rules, developers guide and the Contribution Agreement.

#7

Updated by Michal Vymazal about 3 years ago

Suricata code location - Moloch, Suricata plugins

I will be glad to cooperate on this project.

But I can't locate the right part of the code in the repositories (meaning Moloch and the Suricata plugins).

Can you give me a contact for a responsible person who will help me find the right part of the Suricata plugin and Moloch code?

Thank you very much

#8

Updated by Peter Manev about 3 years ago

Maybe Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.
