Feature #2957
openSuricata x Moloch - protocol detection. Proposals for TLS/SSL
Description
TLS/SSL
At this moment moloch shows only TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)
Previous task version
https://redmine.openinfosecfoundation.org/issues/2939
The Illustrated TLS Connection
https://tls.ulfheim.net/
For Suricata TLS plugin I suggest to include this values in the moloch screen
Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals
Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)
Server Key Exchange - Curve Info, Public Key, Signature
I will try to find similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.
Files
Updated by Michal Vymazal over 5 years ago
- File tls-inspection-rules.txt tls-inspection-rules.txt added
I also uploaded my signatures for TLS inspection.
Phrase
alert tls any !10050:10051
means no Zabbix connections.
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Are you interested to work on that as a contribution?
Updated by Andreas Herz over 5 years ago
- Assignee changed from Community Ticket to Michal Vymazal
The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide feel free to ask if you have any specific questions. You can also look at our github page https://github.com/OISF/suricata and see how we work with PRs.
Updated by Michal Vymazal over 5 years ago
OK. Give me a week to study the rules, developers guide and the Contribution Agreement.
Updated by Michal Vymazal over 5 years ago
Suricata code location - Moloch, Suricata plugins
I will be glad to cooperate on this projects
https://redmine.openinfosecfoundation.org/issues/2962
https://redmine.openinfosecfoundation.org/issues/2957
But, I can't locate the right part of the code in the repository (means Moloch and Suricata plugins)
https://github.com/OISF/suricata
Can you give me a contact to a responsible person, who will help me to
find the right part of Suricata plugin and Moloch code?
Thank you very much
Updated by Peter Manev over 5 years ago
May be Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.
Updated by Michal Vymazal about 5 years ago
- File Screenshot_20191123_095533-2.png Screenshot_20191123_095533-2.png added
- File Screenshot_20191123_095432.png Screenshot_20191123_095432.png added
The code should be located in Moloch-Suricata plugins
https://github.com/aol/moloch/tree/master/capture/plugins