Bug #3218
openssl_state does the wrong thing
Description
The ssl_state keyword does not alert on the correct state when specified in the rule.
Example 1: should work with client_hello, but only works with server_hello
alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS incorrect state (server_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:server_hello; classtype:attempted-admin; sid:1003923; rev:1;)
alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS desired state (client_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003924; rev:1;)
fast.log:
09/30/2019-19:55:33.413760 [**] [1:1003923:1] Test 1 SNI in SMTPS incorrect state (server_hello) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.4.5:55804 -> 69.167.159.100:587
Example 2: should work with client_hello, but only works with server_keyx
alert tls any any -> any any (msg:"Test 2 SNI in HTTPS incorrect state (server_keyx)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:server_keyx; classtype:attempted-admin; sid:1003925; rev:1;)
alert tls any any -> any any (msg:"Test 2 SNI in HTTPS correct state (client_hello)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003926; rev:1;)
fast.log:
09/27/2019-17:32:40.365473 [**] [1:1003925:1] Test 2 SNI in HTTPS incorrect state (server_keyx) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.100.10:49159 -> 172.217.4.68:443
Example 3: should only alert with server_hello state, instead alerts with client_keyx
alert tls any any -> any any (msg:"Test 3 HTTPS certificate incorrect state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:client_keyx; classtype:attempted-admin; sid:1003928; rev:1;)
alert tls any any -> any any (msg:"Test 3 HTTPS certificate desired state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:server_hello; classtype:attempted-admin; sid:1003929; rev:1;)
fast.log
09/27/2019-17:32:40.416945 [**] [1:1003928:1] Test 3 HTTPS certificate incorrect state [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.217.4.68:443 -> 192.168.100.10:49159
Tested with:
5.0.0-dev (9340769ad 2019-09-29)
4.1.5 RELEASE (with and without rust)
Files
Updated by Andreas Herz over 3 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien over 3 years ago
Can you create some SV tests out of these pcaps/rules?
Updated by Philippe Antoine over 1 year ago
https://github.com/OISF/suricata-verify/pull/136 had been created by the way
Updated by Victor Julien 10 months ago
- Target version changed from TBD to 7.0.0-beta1
Updated by Victor Julien 7 months ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien 6 months ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1