Bug #5439

open

Invalid certificate when Issuer is not present.

Added by Brandon Murphy 3 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When investigating the Sliver Framework, it was observed that certificates which lack an Issuer (or contain an issuer with a 0 length) are not parsed by Suricata.

In attempting to write signatures for the framework, this lack of parsing resulted in rules which were written without the aid of typical TLS buffers and do not perform well.

Is it possible to somehow allow the tls.cert_subject buffer to still be populated and detected against?

Anomaly Log

[
  {
    "timestamp": "2022-07-05T19:04:40.880329+0000",
    "flow_id": 1013180826924639,
    "pcap_cnt": 7,
    "event_type": "anomaly",
    "src_ip": "192.168.116.130",
    "src_port": 54080,
    "dest_ip": "54.206.116.39",
    "dest_port": 443,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "community_id": "1:TQlCVrrpCtVqPOOUKXjZ0qVC5qU=",
    "tx_id": 0,
    "anomaly": {
      "app_proto": "tls",
      "type": "applayer",
      "event": "CERTIFICATE_INVALID_DER",
      "layer": "proto_parser"
    }
  }
]

sid:1; does not fire on sliver_cert_2.pcap

alert tls any any -> any any (msg:"test"; flow:established,to_client; tls.cert_subject; content:"localhost"; sid:1;)

sid:2; which makes no use of TLS buffers does fire on sliver_cert_2.pcap

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M4"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; sid:4; rev:1; classtype:trojan-activity; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go;)

Files

sliver_cert_2.pcap (3.24 KB) Brandon Murphy, 07/07/2022 05:25 PM

#1
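
As an added example (not Suricata's or tls-parser's code, and not part of this bug report), the following Python walker shows the parsing behaviour the report asks for: a DER reader that treats a zero-length Issuer SEQUENCE (bytes `30 00`) as an empty Name rather than an invalid certificate, so the Subject can still be extracted and matched the way a populated `tls.cert_subject` buffer with `content:"localhost"` would. It builds two constructed, unsigned test certificates inline (one with a normal Issuer, one with an empty Issuer); `build_cert`, `parse_certificate`, `name_to_string` and `subject_contains` are names chosen for this example. The `06 03 55 04 03` bytes it decodes to `2.5.4.3` (CN) are the same OID encoding the raw-content rule above matches on.

```python
# Constructed example: tolerant X.509 DER walker that survives an empty Issuer.
# The certificates built here are unsigned test data, not real certificates.

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def name(attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }; [] gives 30 00."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, oid(o) + tlv(0x13, v.encode("ascii"))))
        for o, v in attrs))

def build_cert(issuer_attrs, subject_attrs):
    """Minimal v3 Certificate with a placeholder (not valid) signature value."""
    sha256_rsa = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"220705000000Z") + tlv(0x17, b"230705000000Z"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00\x30\x03\x02\x01\x03"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))      # [0] EXPLICIT version v3
                    + tlv(0x02, b"\x01")               # serialNumber
                    + sha256_rsa + name(issuer_attrs)  # signature, issuer (may be 30 00)
                    + validity + name(subject_attrs) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 9))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); a zero-length value is legal DER, not an error."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    lead = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_name(body):
    """[(dotted_oid, value), ...]; an empty Name yields [] instead of failing."""
    attrs = []
    for set_tag, set_body in children(body):
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        for _, atv in children(set_body):
            items = list(children(atv))
            if len(items) != 2 or items[0][0] != 0x06:
                raise ValueError("AttributeTypeAndValue must be { OID, value }")
            attrs.append((decode_oid(items[0][1]), items[1][1].decode("utf-8", "replace")))
    return attrs

def parse_certificate(der):
    """Return {'issuer': [...], 'subject': [...]} from a DER Certificate."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    fields = list(children(read_tlv(cert_body, 0)[1]))  # TBSCertificate members
    if fields and fields[0][0] == 0xA0:                 # optional [0] version
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("TBSCertificate is missing mandatory fields")
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return {"issuer": parse_name(fields[2][1]), "subject": parse_name(fields[4][1])}

SHORT = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.9": "street", "2.5.4.10": "O", "2.5.4.17": "postalCode"}

def name_to_string(attrs):
    return ", ".join(f"{SHORT.get(o, o)}={v}" for o, v in attrs)

def subject_contains(der, needle):
    """What a populated tls.cert_subject buffer plus content:"needle" would test."""
    return needle in name_to_string(parse_certificate(der)["subject"])
```

Run `parse_certificate(build_cert([], [("2.5.4.3", "localhost")]))` to see the empty-issuer case: the issuer list comes back as `[]` and the subject as `CN=localhost`, which is exactly the value the `tls.cert_subject` rule in the report would need in order to fire. The only place the empty Issuer is visible to the parser is `read_tlv` returning a zero-length value, which the walker passes through unchanged.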

Updated by Victor Julien about 2 months ago

Looks like this is an issue in tls-parser https://github.com/rusticata/tls-parser/issues/37
