Bug #5183 (closed): TLS Handshake Fragments not Reassembled
Description
TLS handshakes can be sent in multiple TLS frames. This is because the handshakes can be larger than the max size of a single frame (24-bit length field vs. 16-bit length field).
Suricata appears not to combine such fragments, which means that TLS app-layer rules can be evaded and TLS events can be hidden if Suricata is configured to log TLS events.
Attached are two semantically equivalent pcaps which show the same client hello message in Wireshark but which produce INVALID_SSL_RECORD and INVALID_HANDSHAKE_MESSAGE anomaly events in Suricata.
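To illustrate the mismatch the report describes, here is an added example (not code from the report or from Suricata) that builds a constructed ClientHello, wraps it in TLS records either whole or split across several records, and parses the stream two ways: once assuming each record carries one complete handshake message (which is what produces the invalid-record/invalid-handshake outcome) and once buffering handshake bytes across records until the 24-bit handshake length is satisfied. The cipher suite values and random bytes are constructed placeholders, not a real capture.

```python
"""Added example: TLS record-layer fragmentation of a handshake message.

A handshake message carries a 24-bit length while a TLS record carries a
16-bit length (and at most 2**14 bytes of plaintext per RFC 5246), so one
handshake message may span several records. A parser that treats every
record as a complete handshake message misreads the continuation records;
a parser that buffers handshake bytes across records until the 24-bit
length is satisfied sees the same ClientHello as Wireshark does.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1


def build_client_hello(n_ciphers: int = 100) -> bytes:
    """Construct a minimal, syntactically valid ClientHello handshake message
    (4-byte handshake header + body). All values are constructed."""
    body = b"\x03\x03"                              # client_version: TLS 1.2
    body += b"\x11" * 32                            # random (constructed filler)
    body += b"\x00"                                 # session_id length 0
    ciphers = b"".join(struct.pack("!H", i) for i in range(n_ciphers))  # placeholder suite ids
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                             # compression_methods: null only
    body += b"\x00\x00"                             # extensions length 0
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def to_records(handshake: bytes, fragment_size: int) -> bytes:
    """Wrap handshake bytes in TLS records, splitting every fragment_size bytes."""
    out = b""
    for off in range(0, len(handshake), fragment_size):
        frag = handshake[off:off + fragment_size]
        out += struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(frag)) + frag
    return out


def iter_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        yield ctype, stream[off:off + length]
        off += length


def parse_per_record(stream: bytes) -> list:
    """Naive parser: assumes each record holds exactly one whole handshake
    message. Returns ("client_hello", body_len) or ("invalid", reason)."""
    results = []
    for ctype, payload in iter_records(stream):
        if ctype != CONTENT_TYPE_HANDSHAKE or len(payload) < 4:
            results.append(("invalid", "short or non-handshake record"))
            continue
        msg_type = payload[0]
        msg_len = int.from_bytes(payload[1:4], "big")
        # A continuation record fails here: its bytes are the middle of a
        # message, so the "header" read from it does not match the record.
        if len(payload) - 4 != msg_len or msg_type != HANDSHAKE_CLIENT_HELLO:
            results.append(("invalid", "handshake length does not match record"))
            continue
        results.append(("client_hello", msg_len))
    return results


def parse_reassembled(stream: bytes) -> list:
    """Reassembling parser: buffers handshake bytes across records and only
    parses a message once its full 24-bit length has arrived."""
    buf = b""
    results = []
    for ctype, payload in iter_records(stream):
        if ctype != CONTENT_TYPE_HANDSHAKE:
            continue
        buf += payload
        while len(buf) >= 4:
            msg_type = buf[0]
            msg_len = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + msg_len:
                break  # incomplete: wait for the next record
            name = "client_hello" if msg_type == HANDSHAKE_CLIENT_HELLO else "other"
            results.append((name, msg_len))
            buf = buf[4 + msg_len:]
    return results


if __name__ == "__main__":
    hello = build_client_hello()
    whole = to_records(hello, 2 ** 14)   # one record, as in tls.pcap
    split = to_records(hello, 100)       # three records, as in tlsfrag.pcap
    print("per-record, whole:     ", parse_per_record(whole))
    print("per-record, fragmented:", parse_per_record(split))
    print("reassembled, fragmented:", parse_reassembled(split))
```

Both streams carry the identical ClientHello; only the reassembling parser reports it for the fragmented stream, while the per-record parser flags every fragment as invalid and never sees the hello at all, which is the evasion and log-hiding effect the report points out.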
Files
Updated by Victor Julien almost 3 years ago
@Gianni Tedesco, are you able to update the frag pcap to not have the server response be out of window?
Updated by Gianni Tedesco almost 3 years ago
Yes, there must be a bug in the tool, will look into that.
Updated by Victor Julien almost 3 years ago
- Status changed from In Progress to In Review
Updated by Iñaki McKearney over 2 years ago
- File tlsfrag.pcap tlsfrag.pcap added
- File tls.pcap tls.pcap added
@Victor Julien @Gianni Tedesco Please find attached the updated pcaps.
Updated by Iñaki McKearney over 2 years ago
Please excuse the incorrect/swapped file comments on the fixed pcaps.
Updated by Victor Julien over 2 years ago
- Status changed from In Review to Closed
Updated by Orion Poplawski over 2 years ago
Is there any chance that this fix will get backported to 6.0?