Project

General

Profile

Actions
Copy link

Bug #3218

open
TG OD

detect: wrong matches with ssl_state

Bug #3218: detect: wrong matches with ssl_state

Added by Travis Green over 6 years ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Affected Versions:
4.1.5, 5.0rc1, 8.0.0
Effort:
Difficulty:
Label:

Description

The ssl_state keyword does not alert on the correct state when specified in the rule.

Example 1: should work with client_hello, but only works with server_hello

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS incorrect state (server_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:server_hello; classtype:attempted-admin; sid:1003923; rev:1;)

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS desired state (client_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003924; rev:1;)

fast.log:
09/30/2019-19:55:33.413760 [**] [1:1003923:1] Test 1 SNI in SMTPS incorrect state (server_hello) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.4.5:55804 -> 69.167.159.100:587

Example 2: should work with client_hello, but only works with server_keyx

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS incorrect state (server_keyx)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:server_keyx; classtype:attempted-admin; sid:1003925; rev:1;)

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS correct state (client_hello)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003926; rev:1;)

fast.log:
09/27/2019-17:32:40.365473 [**] [1:1003925:1] Test 2 SNI in HTTPS incorrect state (server_keyx) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.100.10:49159 -> 172.217.4.68:443

Example 3: should only alert with server_hello state, instead alerts with client_keyx

alert tls any any -> any any (msg:"Test 3 HTTPS certificate incorrect state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:client_keyx; classtype:attempted-admin; sid:1003928; rev:1;)

alert tls any any -> any any (msg:"Test 3 HTTPS certificate desired state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:server_hello; classtype:attempted-admin; sid:1003929; rev:1;)

fast.log
09/27/2019-17:32:40.416945 [**] [1:1003928:1] Test 3 HTTPS certificate incorrect state [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.217.4.68:443 -> 192.168.100.10:49159

Tested with:
5.0.0-dev (9340769ad 2019-09-29)
4.1.5 RELEASE (with and without rust)

Files

Download all files
slice_smtps.pcap (8.25 KB) slice_smtps.pcap Travis Green, 10/04/2019 09:11 PM
slice_https.pcap (55.5 KB) slice_https.pcap Travis Green, 10/04/2019 09:11 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7274: ssl_state:unknown not implementedNewOISF DevActions

AH Updated by Andreas Herz over 6 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev
  • Target version set to TBD

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
 #2

Can you create some SV tests out of these pcaps/rules?

PA Updated by Philippe Antoine over 4 years ago Actions
Copy link
 #3

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #4

  • Target version changed from TBD to 7.0.0-beta1

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #5

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #6

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #7

  • Label Needs Suricata-Verify test added

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
 #8

  • Label deleted (Needs Suricata-Verify test)

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #9

  • Related to Bug #7274: ssl_state:unknown not implemented added

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #10

The issue is due to the time of app update vs time of inspection. In IPS mode, at least the first test case works. Packet 10 has the client hello and sni, and matches.

In IDS mode, inspection is delayed by the ACK. This results in the `ssl_state->current_flags` being reset by the processing of the server hello as inspection happens in the first packet in the toserver direction after the ACKing of the client hello. This means that packet 13 inspects the signature. As the TLS state has moved on to server hello, that sig matches instead of the correct one.

It's not immediately clear to me how to address this. One way could be to track these flags in the session per direction.

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #11

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

SB Updated by Shivani Bhardwaj about 1 year ago Actions
Copy link
 #12

  • Subject changed from ssl_state does the wrong thing to detect: wrong matches with ssl_state

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #13

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #14

  • Affected Versions 8.0.0 added
Actions
Copy link

Also available in: PDF Atom