Feature #3065: tls_cert_XX keywords date format parsing error - Suricata - Open Information Security Foundation

Actions

Feature #3065

closed

MJ PA

tls_cert_XX keywords date format parsing error

Feature #3065: tls_cert_XX keywords date format parsing error

Added by Min-Gyu Jeon almost 7 years ago. Updated about 2 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Effort:

low

Difficulty:

low

Label:

Description

Summary¶

For tls_cert_XXX keywords, the "YYYY" date format is not supported.

Details¶

Issue
- The date format of the tls_cert_XXX keywords do not support the format "[<|>]YYYY"
- Thus Suricata can't detect such conditions.
- Related manual section
  - https://suricata.readthedocs.io/en/suricata-4.1.4/rules/tls-keywords.html#tls-cert-notafter

Cause
- detect-tls-cert-validity.c : DateStringToEpoch()
  In this function, the YYYY format do not exist in the pattern list.
  Furthermore, since integer values are converted ahead of pattern checking,
  patterns like YYYY are converted to time_t and do not throw error.
- ex) tls_cert_notafter:<2019
  => epoch = 2019 (if was intended, should be a time_t value of year 2019)

How to Fix
- Add the YYYY format to the pattern list
- remove/move the integer convertion section

AH Updated by Andreas Herz almost 7 years ago Actions
Copy link
#1

Target version changed from 5.0beta1 to TBD

Are you willing to submit a PR for that?

MJ Updated by Min-Gyu Jeon almost 7 years ago Actions
Copy link
#2

Sure, I will submit it within this week.

AH Updated by Andreas Herz almost 7 years ago Actions
Copy link
#3

Status changed from New to Assigned

That's great, thank you

MJ Updated by Min-Gyu Jeon almost 7 years ago Actions
Copy link
#4

Submitted a PR
https://github.com/OISF/suricata/pull/3987

MJ Updated by Min-Gyu Jeon almost 7 years ago Actions
Copy link
#5

Min-Gyu Jeon wrote:

Submitted a PR
https://github.com/OISF/suricata/pull/3987

on rework due to unittest error

MJ Updated by Min-Gyu Jeon almost 7 years ago Actions
Copy link
#6

https://github.com/OISF/suricata/pull/3993 (v2)

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#7

Assignee changed from Min-Gyu Jeon to Philippe Antoine
Target version changed from TBD to 9.0.0-beta1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#8

Tracker changed from Bug to Feature
Affected Versions deleted (~~4.1.4~~)

PA Updated by Philippe Antoine 3 months ago Actions
Copy link
#9

Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/14638

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#10

Status changed from In Review to Closed

https://github.com/OISF/suricata/pull/14727

Actions

Also available in: PDF Atom