Feature #2962
openeve: log more IKEv2 fields
Description
At this moment Suricata detects IKEv2 traffic, but the traffic analysis is a little bit complicated.
Here is a small illustrated guide for IKEv2:
http://www.omnisecu.com/tcpip/ikev2-phase-1-and-phase-2-message-exchanges.php
I added my experimental IKEv2 Suricata rules to this task too.
But Moloch shows (IKEv2_Moloch_Screenshot_20190504_175220.png), in the Suricata section, only the signatures which detect this traffic.
My proposal is to enhance the Suricata/Moloch plugins to show these parameters of the IKEv2 handshake (IKEv2-EventsList_Screenshot_20190504_175956.png):
ikev2.alg_auth
ikev2.alg_dh
ikev2.alg_enc
ikev2.alg_esn
ikev2.alg_prf
ikev2.errors
ikev2.exchange_type (at this time only a numerical string; maybe the standard description will be better, like the other parameters)
ikev2.init_spi
ikev2.message_id
ikev2.notify
ikev2.payload
ikev2.resp_spi
ikev2.role
ikev2.version_major
ikev2.version_minor
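As an added example (not code from this ticket, Suricata or Moloch): a small Python consumer for EVE JSON `ikev2` events carrying the fields proposed above. It groups messages by `init_spi`, translates the numeric `exchange_type` into its RFC 7296 name (the point raised for that field), and flags deprecated algorithms in the responder's selected proposal. The nested `ikev2` object layout, the weak-algorithm markers and the sample lines are constructed assumptions.

```python
"""Added example, not code from the ticket, Suricata or Moloch: read EVE JSON
lines, pick out ikev2 events with the proposed fields, translate exchange_type
numbers to RFC 7296 names and flag weak negotiated algorithms per IKE SA.
The nested "ikev2" object layout and the sample lines are constructed."""
import json
from collections import defaultdict

# RFC 7296 exchange types; the ticket notes Suricata logs only the number.
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# Substrings marking deprecated choices in the responder's selected proposal.
WEAK_MARKERS = {"alg_enc": ("DES",), "alg_auth": ("MD5",),
                "alg_prf": ("MD5",), "alg_dh": ("768", "1024")}

# Constructed EVE records (not captured traffic), one JSON object per line.
SAMPLE_EVE = """\
{"event_type":"ikev2","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","ikev2":{"version_major":2,"version_minor":0,"exchange_type":34,"message_id":0,"init_spi":"0a1b2c3d4e5f6071","resp_spi":"0000000000000000","role":"initiator","payload":["SA","KE","Nonce"],"notify":[],"errors":0}}
{"event_type":"ikev2","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","ikev2":{"version_major":2,"version_minor":0,"exchange_type":34,"message_id":0,"init_spi":"0a1b2c3d4e5f6071","resp_spi":"8899aabbccddeeff","role":"responder","alg_enc":"ENCR_3DES","alg_auth":"AUTH_HMAC_MD5_96","alg_prf":"PRF_HMAC_MD5","alg_dh":"1024-bit MODP Group","alg_esn":"NoESN","payload":["SA","KE","Nonce"],"notify":[],"errors":0}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
"""


def exchange_name(code):
    """Map an exchange_type number to its RFC 7296 name."""
    return EXCHANGE_TYPES.get(code, f"UNKNOWN({code})")


def summarize(eve_text):
    """Group ikev2 events by init_spi; record exchanges, error count and
    any weak algorithm the responder selected for that SA."""
    sas = defaultdict(lambda: {"exchanges": [], "weak": [], "errors": 0})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "ikev2":
            continue  # other EVE event types are not our concern here
        ike = event["ikev2"]
        sa = sas[ike["init_spi"]]
        sa["exchanges"].append((ike["role"], exchange_name(ike["exchange_type"])))
        sa["errors"] += ike.get("errors", 0)
        if ike["role"] != "responder":
            continue  # the responder's choice defines the SA's strength
        for field, markers in WEAK_MARKERS.items():
            value = ike.get(field, "")
            if any(marker in value for marker in markers):
                sa["weak"].append(f"{field}={value}")
    return dict(sas)
```

Calling `summarize(SAMPLE_EVE)` yields one SA keyed by its `init_spi`, with both IKE_SA_INIT messages and four weak-algorithm findings from the responder's proposal.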
Files
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Are you interested in working on those as a contribution?
Updated by Michal Vymazal over 5 years ago
I will be very pleased. How can I help?
Updated by Andreas Herz over 5 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Michal Vymazal
The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide. Feel free to ask if you have any specific questions. You can also look at our GitHub page https://github.com/OISF/suricata and see how we work with PRs.
Updated by Michal Vymazal over 5 years ago
OK. Give me a week to study the rules, the developers guide and the Contribution Agreement.
Updated by Michal Vymazal over 5 years ago
Suricata code location - Moloch, Suricata plugins
I will be glad to cooperate on these projects:
https://redmine.openinfosecfoundation.org/issues/2962
https://redmine.openinfosecfoundation.org/issues/2957
But I can't locate the right part of the code in the repository (meaning the Moloch and Suricata plugins):
https://github.com/OISF/suricata
Can you give me a contact to a responsible person who will help me find the right part of the Suricata plugin and Moloch code?
Thank you very much.
Updated by Peter Manev over 5 years ago
Maybe Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.
Updated by Victor Julien about 5 years ago
- Subject changed from Suricata x Moloch - protocol detection. Proposals for IKEv2 to eve: log more IKEv2 fields
Updated by Michal Vymazal about 5 years ago
- File IKEv2_Moloch_Screenshot_20190504_175220-2.png added
- File Screenshot_20191123_094316.png added
- File IKEv2-EventsList_Screenshot_20190504_175956.png added
The code should be located in the Moloch-Suricata plugins:
https://github.com/aol/moloch/tree/master/capture/plugins