Project

General

Profile

Actions

Bug #3218

open

ssl_state does the wrong thing

Added by Travis Green about 5 years ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The ssl_state keyword does not alert on the correct state when specified in the rule.

Example 1: should work with client_hello, but only works with server_hello

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS incorrect state (server_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:server_hello; classtype:attempted-admin; sid:1003923; rev:1;)

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS desired state (client_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003924; rev:1;)

fast.log:
09/30/2019-19:55:33.413760 [**] [1:1003923:1] Test 1 SNI in SMTPS incorrect state (server_hello) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.4.5:55804 -> 69.167.159.100:587

Example 2: should work with client_hello, but only works with server_keyx

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS incorrect state (server_keyx)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:server_keyx; classtype:attempted-admin; sid:1003925; rev:1;)

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS correct state (client_hello)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003926; rev:1;)

fast.log:
09/27/2019-17:32:40.365473 [**] [1:1003925:1] Test 2 SNI in HTTPS incorrect state (server_keyx) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.100.10:49159 -> 172.217.4.68:443

Example 3: should only alert with server_hello state, instead alerts with client_keyx

alert tls any any -> any any (msg:"Test 3 HTTPS certificate incorrect state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:client_keyx; classtype:attempted-admin; sid:1003928; rev:1;)

alert tls any any -> any any (msg:"Test 3 HTTPS certificate desired state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:server_hello; classtype:attempted-admin; sid:1003929; rev:1;)

fast.log
09/27/2019-17:32:40.416945 [**] [1:1003928:1] Test 3 HTTPS certificate incorrect state [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.217.4.68:443 -> 192.168.100.10:49159

Tested with:
5.0.0-dev (9340769ad 2019-09-29)
4.1.5 RELEASE (with and without rust)


Files

slice_smtps.pcap (8.25 KB) slice_smtps.pcap Travis Green, 10/04/2019 09:11 PM
slice_https.pcap (55.5 KB) slice_https.pcap Travis Green, 10/04/2019 09:11 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7274: ssl_state:unknown not implementedNewOISF DevActions
Actions #1

Updated by Andreas Herz about 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien about 5 years ago

Can you create some SV tests out of these pcaps/rules?

Actions #4

Updated by Victor Julien over 2 years ago

  • Target version changed from TBD to 7.0.0-beta1
Actions #5

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #6

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions #7

Updated by Victor Julien over 1 year ago

  • Label Needs Suricata-Verify test added
Actions #8

Updated by Philippe Antoine over 1 year ago

  • Label deleted (Needs Suricata-Verify test)
Actions #9

Updated by Victor Julien 3 months ago

  • Related to Bug #7274: ssl_state:unknown not implemented added
Actions #10

Updated by Victor Julien 3 months ago

The issue is due to the time of app update vs time of inspection. In IPS mode, at least the first test case works. Packet 10 has the client hello and sni, and matches.

In IDS mode, inspection is delayed by the ACK. This results in the `ssl_state->current_flags` being reset by the processing of the server hello as inspection happens in the first packet in the toserver direction after the ACKing of the client hello. This means that packet 13 inspects the signature. As the TLS state has moved on to server hello, that sig matches instead of the correct one.

It's not immediately clear to me how to address this. One way could be to track these flags in the session per direction.

Actions

Also available in: Atom PDF