Project

General

Profile

Actions
Copy link

Feature #5234

open

SSL/TLS Sticky Buffer for subjectAltName

Added by Genina Po about 1 year ago. Updated 5 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

Hi Team,

Does Suricata support parsing subjectAltName data into a SSL/TLS sticky buffer? If not, it would be a nice feature to have if the subjectAltName is present in SSL/TLS certificate or in the X509 extension.

The attached .pcap may be used to test this feature request.

Please note there is an observed inconsistency with how the subjectAltName is being parsed amongst Suricata engine versions.

If Suricata 6+ is used on the attached .pcap, the subjectAltName is parsed:
Suri7

issuerdn       C=XX, CN=mamzon.ru, L=XX, O=XX, OU=XX, ST=XX, Email=webmaster@mamzon.ru, subjectAltName=*.mamzon.ru www.mamzon.ru
sample: d08f862fc5830ad381db2027c10823c5

If Suricata 5 and below are used, the subjectAltName is not parsed:
Suri5 

'issuerdn': 'C=XX, CN=mamzon.ru/L=XX/O=XX/OU=XX/ST=XX/emailAddress=webmaster@mamzon.ru/unknown=*.mamzon.ru www.mamzon.ru',

Files

d08f862fc5830ad381db2027c10823c5.pcap (1.53 MB) d08f862fc5830ad381db2027c10823c5.pcap Genina Po, 04/06/2022 11:22 PM
Actions
Copy link
 #1

Updated by Victor Julien 10 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Brandon Murphy 5 months ago

An example of where Subject Alt Name Parsing would be handy is a pattern observed within Glupteba's new TLS certs

Reference: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/

https://crt.sh/?q=4c2bac6c0493203dabaed2b14b99f2f8f17a9cab804a5ac6efd0e6415dbc568b

Actions
Copy link

Also available in: Atom PDF