Project

General

Profile

Actions
Copy link

Bug #4917

open

tls: leading GAP in toserver direction leads to various issues

Added by Victor Julien over 2 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Attached is a pcap from https://github.com/OISF/suricata-verify/tree/master/tests/tls-ja3s, but with the first data segment to the server (the client hello) removed.

This leads to various issues:
  • flow logging app_proto as "failed", even if app_proto_tc is "tls".
  • no TLS logging or inspection
  • no GAP detected
  • app-layer event applayer_wrong_direction_first_data triggering

The parser does not support GAPs or first data into the toclient direction. Since the leading GAP isn't detected (in time), the first data sent to the parser is in the toclient direction. This is then rejected and leads to the event and failure state for the flow.

Files

tls-ja3s-sv-test-1st-segment-missing.pcap (9.59 KB) tls-ja3s-sv-test-1st-segment-missing.pcap Victor Julien, 12/19/2021 09:05 AM

Related issues 2 (2 open0 closed)

Related to Suricata - Task #3560: ssl/tls: support GAP recoveryNewActions
Related to Suricata - Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocolsNewActions
Actions
Copy link
 #1

Updated by Victor Julien over 2 years ago

  • Related to Task #3560: ssl/tls: support GAP recovery added
Actions
Copy link
 #2

Updated by Victor Julien over 2 years ago

  • Related to Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols added
Actions
Copy link
 #3

Updated by Philippe Antoine 10 months ago

  • Target version set to 8.0.0-beta1
Actions
Copy link
 #4

Updated by Philippe Antoine 10 months ago

  • Assignee set to OISF Dev
Actions
Copy link

Also available in: Atom PDF