Feature #2957

open

Suricata x Moloch - protocol detection. Proposals for TLS/SSL

Added by Michal Vymazal almost 5 years ago. Updated over 4 years ago.

Status: Assigned
Priority: Normal
Target version: (none)
Effort: (none)
Difficulty: (none)
Label: (none)

Description

TLS/SSL
At this moment Moloch shows only the TLS version, the negotiated cipher and some certificate data.
(Screenshot_20190301_122822.png)

Previous task version
https://redmine.openinfosecfoundation.org/issues/2939

The Illustrated TLS Connection
https://tls.ulfheim.net/

For the Suricata TLS plugin I suggest including these values in the Moloch screen:

Client Hello - Cipher Suites proposals, Compression Methods, Extension - Supported Groups, Extension - EC Point Formats, Extension - Signature Algorithms, Extension - Renegotiation Info, Diffie-Hellman server parameters proposals

Server Hello - Cipher Suite, Compression Method, Diffie-Hellman server parameters (signal-Screenshot_20190327_212101.png)

Server Key Exchange - Curve Info, Public Key, Signature

I will try to find a similar illustrated guide for IKEvX and SSH and describe similar proposals for IKEv1, IKEv2, IKEv3 and SSH.
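As an added example (not part of this issue, and not Suricata's or Moloch's own code), the following Python script shows what extracting the Client Hello fields listed above actually involves: it parses a raw TLS record, walks the handshake body and pulls out the cipher suite proposals, compression methods and the supported_groups, ec_point_formats, signature_algorithms and renegotiation_info extensions. The extension type numbers are the IANA-registered values; the sample ClientHello is constructed by a small builder in the script so it runs offline. Every length-prefixed vector is bounds-checked, so a truncated record raises ValueError instead of reading past the buffer, which is the failure mode a protocol parser in a sensor has to handle first.

```python
"""Parse a TLS ClientHello record and extract the handshake proposals
(cipher suites, compression methods, supported_groups, ec_point_formats,
signature_algorithms, renegotiation_info).  Added example; the sample
ClientHello below is constructed, not captured traffic."""
import struct

# IANA TLS extension type numbers (RFC 8446 registry; RFC 5746 for 0xFF01)
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B
EXT_SIGNATURE_ALGORITHMS = 0x000D
EXT_RENEGOTIATION_INFO = 0xFF01


class _Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncation."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        b = self.take(3)
        return (b[0] << 16) | (b[1] << 8) | b[2]

    def vec(self, len_size):
        """Length-prefixed opaque vector with a 1-, 2- or 3-byte length."""
        n = {1: self.u8, 2: self.u16, 3: self.u24}[len_size]()
        return self.take(n)

    def remaining(self):
        return len(self.data) - self.pos


def _u16_list(raw):
    if len(raw) % 2:
        raise ValueError("odd-length uint16 vector")
    return list(struct.unpack("!%dH" % (len(raw) // 2), raw))


def parse_client_hello(record):
    """Return a dict of the ClientHello fields requested in the issue."""
    r = _Reader(record)
    content_type, _legacy_version = r.u8(), r.u16()
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = _Reader(r.vec(2))                 # TLS record payload
    if hs.u8() != 0x01:                    # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    body = _Reader(hs.vec(3))
    out = {
        "version": body.u16(),
        "random": body.take(32).hex(),
        "session_id": body.vec(1).hex(),
        "cipher_suites": _u16_list(body.vec(2)),
        "compression_methods": list(body.vec(1)),
        "supported_groups": [], "ec_point_formats": [],
        "signature_algorithms": [], "renegotiation_info": None,
    }
    if body.remaining() == 0:              # extensions block is optional
        return out
    exts = _Reader(body.vec(2))
    while exts.remaining():
        ext_type = exts.u16()
        ext_data = _Reader(exts.vec(2))    # each extension carries its own length
        if ext_type == EXT_SUPPORTED_GROUPS:
            out["supported_groups"] = _u16_list(ext_data.vec(2))
        elif ext_type == EXT_EC_POINT_FORMATS:
            out["ec_point_formats"] = list(ext_data.vec(1))
        elif ext_type == EXT_SIGNATURE_ALGORITHMS:
            out["signature_algorithms"] = _u16_list(ext_data.vec(2))
        elif ext_type == EXT_RENEGOTIATION_INFO:
            out["renegotiation_info"] = ext_data.vec(1).hex()
    return out


def is_well_formed(record):
    """True if the record parses as a complete ClientHello."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def build_client_hello(cipher_suites, compression, groups, point_formats, sig_algs):
    """Assemble a minimal TLS 1.2 ClientHello (constructed test input)."""
    def u16s(vals):
        return struct.pack("!%dH" % len(vals), *vals)

    def vec(data, len_size):
        return len(data).to_bytes(len_size, "big") + data

    def ext(ext_type, data):
        return struct.pack("!H", ext_type) + vec(data, 2)

    exts = (ext(EXT_SUPPORTED_GROUPS, vec(u16s(groups), 2))
            + ext(EXT_EC_POINT_FORMATS, vec(bytes(point_formats), 1))
            + ext(EXT_SIGNATURE_ALGORITHMS, vec(u16s(sig_algs), 2))
            + ext(EXT_RENEGOTIATION_INFO, vec(b"", 1)))   # initial handshake: empty
    body = (b"\x03\x03" + bytes(range(32)) + vec(b"", 1)  # version, random, session id
            + vec(u16s(cipher_suites), 2) + vec(bytes(compression), 1) + vec(exts, 2))
    return b"\x16\x03\x01" + vec(b"\x01" + vec(body, 3), 2)


# Constructed sample: three common suites, x25519/secp256r1, uncompressed points
SAMPLE = build_client_hello(
    cipher_suites=[0xC02B, 0xC02F, 0x009C],
    compression=[0x00],
    groups=[0x001D, 0x0017],
    point_formats=[0x00],
    sig_algs=[0x0403, 0x0804],
)

if __name__ == "__main__":
    for key, value in parse_client_hello(SAMPLE).items():
        print("%-20s %s" % (key, value))
    print("truncated record well-formed:", is_well_formed(SAMPLE[:-5]))
```

The numeric values are what a sensor would log; mapping them to names (0xC02B to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0x001D to x25519) is a table lookup against the IANA registry and is left out here. The Server Hello and Server Key Exchange fields in the request are parsed the same way from their own handshake types (0x02 and 0x0C).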


Files

Screenshot_20190301_122822.png (112 KB), Michal Vymazal, 05/03/2019 08:08 AM
tls-inspection-rules.txt (2.3 KB), Michal Vymazal, 05/03/2019 08:11 AM
Screenshot_20191123_095533-2.png (151 KB), Moloch screen, the selected part will be enhanced with TLS handshake proposals and exchange parameters, Michal Vymazal, 11/23/2019 09:10 AM
Screenshot_20191123_095432.png (161 KB), List of TLS parameters, Michal Vymazal, 11/23/2019 09:12 AM