Project

General

Profile

Actions
Copy link

Bug #3218

open

ssl_state does the wrong thing

Added by Travis Green over 3 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Affected Versions:
4.1.5, 5.0rc1
Effort:
Difficulty:
Label:

Description

The ssl_state keyword does not alert on the correct state when specified in the rule.

Example 1: should work with client_hello, but only works with server_hello

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS incorrect state (server_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:server_hello; classtype:attempted-admin; sid:1003923; rev:1;)

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS desired state (client_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003924; rev:1;)

fast.log:
09/30/2019-19:55:33.413760 [**] [1:1003923:1] Test 1 SNI in SMTPS incorrect state (server_hello) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.4.5:55804 -> 69.167.159.100:587

Example 2: should work with client_hello, but only works with server_keyx

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS incorrect state (server_keyx)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:server_keyx; classtype:attempted-admin; sid:1003925; rev:1;)

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS correct state (client_hello)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003926; rev:1;)

fast.log:
09/27/2019-17:32:40.365473 [**] [1:1003925:1] Test 2 SNI in HTTPS incorrect state (server_keyx) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.100.10:49159 -> 172.217.4.68:443

Example 3: should only alert with server_hello state, instead alerts with client_keyx

alert tls any any -> any any (msg:"Test 3 HTTPS certificate incorrect state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:client_keyx; classtype:attempted-admin; sid:1003928; rev:1;)

alert tls any any -> any any (msg:"Test 3 HTTPS certificate desired state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:server_hello; classtype:attempted-admin; sid:1003929; rev:1;)

fast.log
09/27/2019-17:32:40.416945 [**] [1:1003928:1] Test 3 HTTPS certificate incorrect state [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.217.4.68:443 -> 192.168.100.10:49159

Tested with:
5.0.0-dev (9340769ad 2019-09-29)
4.1.5 RELEASE (with and without rust)

Files

Download all files
slice_smtps.pcap (8.25 KB) slice_smtps.pcap Travis Green, 10/04/2019 09:11 PM
slice_https.pcap (55.5 KB) slice_https.pcap Travis Green, 10/04/2019 09:11 PM
Actions
Copy link
 #1

Updated by Andreas Herz over 3 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Victor Julien over 3 years ago

Can you create some SV tests out of these pcaps/rules?

Actions
Copy link
 #4

Updated by Victor Julien 10 months ago

  • Target version changed from TBD to 7.0.0-beta1
Actions
Copy link
 #5

Updated by Victor Julien 7 months ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions
Copy link
 #6

Updated by Victor Julien 6 months ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions
Copy link

Also available in: Atom PDF