Project

General

Profile

Actions

Bug #5439

closed

Invalid certificate when Issuer is not present.

Added by Brandon Murphy over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs Suricata-Verify test

Description

When investigating the Sliver Framework, it was observed that certificates which lack an Issuer (or contain an issuer with a 0 length) are not parsed by suricata.

In attempting to write signatures for the framework, this lack of parsing resulted in rules which were written without the aid of typical TLS buffers and do not perform well.

Is it possible to somehow allow the tls.cert_subject buffer to still be populated and detected against?

Anomaly Log

[
  {
    "timestamp": "2022-07-05T19:04:40.880329+0000",
    "flow_id": 1013180826924639,
    "pcap_cnt": 7,
    "event_type": "anomaly",
    "src_ip": "192.168.116.130",
    "src_port": 54080,
    "dest_ip": "54.206.116.39",
    "dest_port": 443,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "community_id": "1:TQlCVrrpCtVqPOOUKXjZ0qVC5qU=",
    "tx_id": 0,
    "anomaly": {
      "app_proto": "tls",
      "type": "applayer",
      "event": "CERTIFICATE_INVALID_DER",
      "layer": "proto_parser" 
    }
  }
]

sid:1; does not fire on sliver_cert_2.pcap

alert tls any any -> any any (msg:"test"; flow:established,to_client; tls.cert_subject; content:"localhost"; sid:1;)

sid:2; which makes no use of TLS buffers does fire on sliver_cert_2.pcap

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M4"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; sid:4; rev:1; classtype:trojan-activity; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go;)


Files

sliver_cert_2.pcap (3.24 KB) sliver_cert_2.pcap Brandon Murphy, 07/07/2022 05:25 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5266: rust: update time dependencyRejectedActions
Actions

Also available in: Atom PDF