Project

General

Profile

Actions

Feature #2957

open

Suricata x Moloch - protocol detection. Proposals for TLS/SSL

Added by Michal Vymazal over 5 years ago. Updated about 5 years ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

TLS/SSL
At this moment moloch shows only TLS version, negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

Previous task version
https://redmine.openinfosecfoundation.org/issues/2939

The Illustrated TLS Connection
https://tls.ulfheim.net/

For Suricata TLS plugin I suggest to include this values in the moloch screen

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.


Files

Screenshot_20190301_122822.png (112 KB) Screenshot_20190301_122822.png Michal Vymazal, 05/03/2019 08:08 AM
tls-inspection-rules.txt (2.3 KB) tls-inspection-rules.txt Michal Vymazal, 05/03/2019 08:11 AM
Screenshot_20191123_095533-2.png (151 KB) Screenshot_20191123_095533-2.png Moloch screen, the selected part will be enhanced with TLS handshake proposals and exchange parameters Michal Vymazal, 11/23/2019 09:10 AM
Screenshot_20191123_095432.png (161 KB) Screenshot_20191123_095432.png List of TLS parameters Michal Vymazal, 11/23/2019 09:12 AM
Actions #1

Updated by Michal Vymazal over 5 years ago

I also uploaded my signatures for TLS inspection.

Phrase
alert tls any !10050:10051

means no Zabbix connections.

Actions #2

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Are you interested to work on that as a contribution?

Actions #3

Updated by Michal Vymazal over 5 years ago

Really glad. What can I do?

Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee changed from Community Ticket to Michal Vymazal

The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide feel free to ask if you have any specific questions. You can also look at our github page https://github.com/OISF/suricata and see how we work with PRs.

Actions #5

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Assigned
Actions #6

Updated by Michal Vymazal over 5 years ago

OK. Give me a week to study the rules, developers guide and the Contribution Agreement.

Actions #7

Updated by Michal Vymazal over 5 years ago

Suricata code location - Moloch, Suricata plugins

I will be glad to cooperate on this projects

https://redmine.openinfosecfoundation.org/issues/2962
https://redmine.openinfosecfoundation.org/issues/2957

But, I can't locate the right part of the code in the repository (means Moloch and Suricata plugins)
https://github.com/OISF/suricata

Can you give me a contact to a responsible person, who will help me to
find the right part of Suricata plugin and Moloch code?

Thank you very much

Actions #8

Updated by Peter Manev over 5 years ago

May be Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.

Actions

Also available in: Atom PDF