Feature #2957

Suricata x Moloch - protocol detection. Proposals for TLS/SSL

Added by Michal Vymazal 5 months ago. Updated 4 months ago.

Status: Assigned
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

TLS/SSL
At the moment Moloch shows only the TLS version, the negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

Previous task version
https://redmine.openinfosecfoundation.org/issues/2939

The Illustrated TLS Connection
https://tls.ulfheim.net/

For the Suricata TLS plugin I suggest including these values in the Moloch screen:

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find a similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.
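The handshake fields listed above, as an added example that is not part of this ticket nor of the Suricata or Moloch code bases: a small Python parser that pulls the ClientHello offers (cipher suites, compression methods, supported_groups, ec_point_formats, signature_algorithms, renegotiation_info), the ServerHello choices and the ECDHE ServerKeyExchange parameters (named curve, ephemeral public key, signature) out of raw handshake bodies. The sample messages are constructed, not captured from any host; the extension type numbers and the named_curve value are the standard RFC 5246 / RFC 8422 / RFC 5746 encodings and are the only outside assumption.

```python
"""Added example: extract the TLS 1.2 handshake fields proposed in the ticket.
Not Suricata/Moloch code; the sample messages at the bottom are constructed."""
import struct

# IANA ExtensionType values for the four extensions named in the ticket
EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0x000A, 0x000B
EXT_SIGNATURE_ALGORITHMS, EXT_RENEGOTIATION_INFO = 0x000D, 0xFF01
CURVE_TYPE_NAMED = 3  # ECCurveType.named_curve in ServerKeyExchange


def _take(buf, pos, n):
    """Bounds-checked slice: a truncated message raises instead of mis-parsing."""
    if pos + n > len(buf):
        raise ValueError("truncated handshake at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _u16s(data):
    """Decode a run of big-endian uint16 values (empty input gives [])."""
    return list(struct.unpack(">%dH" % (len(data) // 2), data))


def parse_extensions(buf, pos):
    """Walk the extension block starting at pos; decode the ones of interest."""
    exts = {}
    if pos == len(buf):  # the extensions block itself is optional
        return exts
    raw, pos = _take(buf, pos, 2)
    end = pos + struct.unpack(">H", raw)[0]
    while pos < end:
        hdr, pos = _take(buf, pos, 4)
        etype, elen = struct.unpack(">HH", hdr)
        data, pos = _take(buf, pos, elen)
        if etype == EXT_SUPPORTED_GROUPS:        # uint16 length + NamedGroup list
            exts["supported_groups"] = _u16s(data[2:2 + struct.unpack(">H", data[:2])[0]])
        elif etype == EXT_EC_POINT_FORMATS:      # uint8 length + ECPointFormat list
            exts["ec_point_formats"] = list(data[1:1 + data[0]])
        elif etype == EXT_SIGNATURE_ALGORITHMS:  # uint16 length + SignatureScheme list
            exts["signature_algorithms"] = _u16s(data[2:2 + struct.unpack(">H", data[:2])[0]])
        elif etype == EXT_RENEGOTIATION_INFO:    # uint8 length + renegotiated_connection
            exts["renegotiation_info"] = data[1:1 + data[0]]
        else:
            exts.setdefault("other", []).append(etype)
    return exts


def parse_client_hello(body):
    """body is the ClientHello with the 4-byte Handshake header already removed."""
    ver, pos = _take(body, 0, 2)
    _rnd, pos = _take(body, pos, 32)
    sid_len, pos = _take(body, pos, 1)
    _sid, pos = _take(body, pos, sid_len[0])
    cs_len, pos = _take(body, pos, 2)
    cs, pos = _take(body, pos, struct.unpack(">H", cs_len)[0])
    cm_len, pos = _take(body, pos, 1)
    cm, pos = _take(body, pos, cm_len[0])
    return {"version": struct.unpack(">H", ver)[0], "cipher_suites": _u16s(cs),
            "compression_methods": list(cm), "extensions": parse_extensions(body, pos)}


def parse_server_hello(body):
    """ServerHello: the single suite and compression method the server picked."""
    ver, pos = _take(body, 0, 2)
    _rnd, pos = _take(body, pos, 32)
    sid_len, pos = _take(body, pos, 1)
    _sid, pos = _take(body, pos, sid_len[0])
    cs, pos = _take(body, pos, 2)
    cm, pos = _take(body, pos, 1)
    return {"version": struct.unpack(">H", ver)[0], "cipher_suite": struct.unpack(">H", cs)[0],
            "compression_method": cm[0], "extensions": parse_extensions(body, pos)}


def parse_server_key_exchange_ecdhe(body):
    """TLS 1.2 ECDHE ServerKeyExchange: named curve, ephemeral public key, signature."""
    ctype, pos = _take(body, 0, 1)
    if ctype[0] != CURVE_TYPE_NAMED:
        raise ValueError("only named_curve (3) is handled, got %d" % ctype[0])
    curve, pos = _take(body, pos, 2)
    pk_len, pos = _take(body, pos, 1)
    pubkey, pos = _take(body, pos, pk_len[0])
    sigalg, pos = _take(body, pos, 2)    # SignatureAndHashAlgorithm (TLS 1.2)
    sig_len, pos = _take(body, pos, 2)
    sig, pos = _take(body, pos, struct.unpack(">H", sig_len)[0])
    return {"named_curve": struct.unpack(">H", curve)[0], "public_key": pubkey,
            "signature_algorithm": struct.unpack(">H", sigalg)[0], "signature": sig}


# --- constructed sample messages (hypothetical values, not from a real host) ---
def _vec(data, n):       # length-prefixed vector with an n-byte length field
    return len(data).to_bytes(n, "big") + data

def _ext(etype, data):   # ExtensionType + uint16 length + extension_data
    return struct.pack(">HH", etype, len(data)) + data

SAMPLE_CLIENT_HELLO = (
    b"\x03\x03" + bytes(32) + _vec(b"", 1)                  # version, random, empty session id
    + _vec(struct.pack(">3H", 0xC02B, 0xC02F, 0x009C), 2)   # offered cipher suites
    + _vec(b"\x00", 1)                                      # compression: null only
    + _vec(_ext(EXT_SUPPORTED_GROUPS, _vec(struct.pack(">2H", 0x001D, 0x0017), 2))
           + _ext(EXT_EC_POINT_FORMATS, _vec(b"\x00", 1))
           + _ext(EXT_SIGNATURE_ALGORITHMS, _vec(struct.pack(">2H", 0x0403, 0x0804), 2))
           + _ext(EXT_RENEGOTIATION_INFO, _vec(b"", 1)), 2))
SAMPLE_SERVER_HELLO = (b"\x03\x03" + bytes(32) + _vec(b"", 1) + struct.pack(">H", 0xC02F)
                       + b"\x00" + _vec(_ext(EXT_RENEGOTIATION_INFO, _vec(b"", 1)), 2))
SAMPLE_SKE = (bytes([CURVE_TYPE_NAMED]) + struct.pack(">H", 0x001D) + _vec(bytes(range(32)), 1)
              + struct.pack(">H", 0x0804) + _vec(b"\xAA" * 64, 2))
```

Every slice goes through the bounds-checked `_take`, so a truncated or malformed handshake raises rather than yielding a partially wrong field list; a parser that feeds a sensor's logs should fail closed the same way. Feeding `SAMPLE_CLIENT_HELLO` to `parse_client_hello` yields the three offered suites, the null compression method and the four decoded extensions, which is the set of per-flow fields the ticket asks to surface in Moloch.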


Files

Screenshot_20190301_122822.png (112 KB) Screenshot_20190301_122822.png Michal Vymazal, 05/03/2019 08:08 AM
tls-inspection-rules.txt (2.3 KB) tls-inspection-rules.txt Michal Vymazal, 05/03/2019 08:11 AM

History

#1

Updated by Michal Vymazal 5 months ago

I also uploaded my signatures for TLS inspection.

The phrase

alert tls any !10050:10051

means no Zabbix connections.

#2

Updated by Andreas Herz 4 months ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Are you interested in working on that as a contribution?

#3

Updated by Michal Vymazal 4 months ago

Really glad. What can I do?

#4

Updated by Andreas Herz 4 months ago

  • Assignee changed from Community Ticket to Michal Vymazal

The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide; feel free to ask if you have any specific questions. You can also look at our GitHub page https://github.com/OISF/suricata and see how we work with PRs.

#5

Updated by Andreas Herz 4 months ago

  • Status changed from New to Assigned

#6

Updated by Michal Vymazal 4 months ago

OK. Give me a week to study the rules, developers guide and the Contribution Agreement.

#7

Updated by Michal Vymazal 4 months ago

Suricata code location - Moloch, Suricata plugins

I will be glad to cooperate on these projects:

https://redmine.openinfosecfoundation.org/issues/2962
https://redmine.openinfosecfoundation.org/issues/2957

But I can't locate the right part of the code in the repository (meaning the Moloch and Suricata plugins)
https://github.com/OISF/suricata

Can you give me a contact for a responsible person who will help me find the right part of the Suricata plugin and Moloch code?

Thank you very much

#8

Updated by Peter Manev 4 months ago

Maybe Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.