
Bug #5624

closed

quic: rule with ja3.hash keyword fails to load

Added by Victor Julien about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

28/10/2022 -- 19:18:29 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
28/10/2022 -- 19:18:29 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (msg:"LOCAL QUIC new JA3"; ja3.hash; dataset:set,quic-ja3-seen, type string, state quic-ja3-seen.csv; sid:8000008;)" from file /etc/suricata/local.rules at line 10

Philippe, this is supposed to work, right?

Actions #1

Updated by Philippe Antoine about 2 years ago

  • Status changed from Assigned to In Review
Actions #2

Updated by Philippe Antoine about 2 years ago

Well, it does not work.

Should we somehow redirect this to ja3.string; transform: to_md5?

Actions #3

Updated by Victor Julien about 2 years ago

Philippe Antoine wrote in #note-2:

Well, it does not work.

Should we somehow redirect this to ja3.string; transform: to_md5?

No? I don't see how that is related at all.

Actions #4

Updated by Philippe Antoine about 2 years ago

I don't see how that is related at all.

ja3.hash is the md5 of ja3.string

Is that clearer?

Actions #5

Updated by Victor Julien about 2 years ago

I think we're talking about different issues. My point is that the rule shouldn't fail to load. Here's a simpler set w/o datasets:

alert quic any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:1;)
alert quic any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:2;)
alert ip any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:3;)
alert ip any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:4;)

Results in
$ ./src/suricata -c suricata.yaml -l tmp/ -T -S quic-ja3.rules 
29/10/2022 -- 16:05:06 - <Info> - Running suricata under test mode
29/10/2022 -- 16:05:06 - <Notice> - This is Suricata version 7.0.0-beta1 RELEASE running in SYSTEM mode
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:1;)" from file quic-ja3.rules at line 1
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:2;)" from file quic-ja3.rules at line 2
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

Sid 3 and 4 also only apply to TLS, not quic:
{
  "raw": "alert ip any any -> any any (ja3.hash; content:\"deadbeefdeadbeefdeadbeefdeadbeef\"; sid:3;)",
  "id": 3,
  "gid": 1,
  "rev": 0,
  "app_proto": "tls",
  "requirements": [
    "flow" 
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver",
    "prefilter" 
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "ja3.hash",
      "direction": "toserver",
      "is_mpm": true,
      "app_proto": "tls",
      "progress": 0,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
            "length": 32,
            "nocase": false,
            "negated": false,
            "starts_with": false,
            "ends_with": false,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "ja3.hash",
    "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
    "length": 32,
    "nocase": false,
    "negated": false,
    "starts_with": false,
    "ends_with": false,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}
{
  "raw": "alert ip any any -> any any (ja3s.hash; content:\"deadbeefdeadbeefdeadbeefdeadbeef\"; sid:4;)",
  "id": 4,
  "gid": 1,
  "rev": 0,
  "app_proto": "tls",
  "requirements": [
    "flow" 
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toclient",
    "prefilter" 
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "ja3s.hash",
      "direction": "toclient",
      "is_mpm": true,
      "app_proto": "tls",
      "progress": 0,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
            "length": 32,
            "nocase": false,
            "negated": false,
            "starts_with": false,
            "ends_with": false,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "ja3s.hash",
    "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
    "length": 32,
    "nocase": false,
    "negated": false,
    "starts_with": false,
    "ends_with": false,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}

I assumed that ja3(s) keywords would work with quic. Am I wrong?

Actions #6

Updated by Philippe Antoine about 2 years ago

I think we're talking about different issues. My point is that the rule shouldn't fail to load.

Indeed I agree. That is what I am talking about as well.

I am wondering if the fix could be to make ja3.hash some "alias" of md5(ja3.string).
That would remove redundant code, likely to get an error next time.
And I guess you know better than me if it is possible, and if it is a good idea (perf?)

Is it clearer?
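To make the relation behind the alias idea concrete (ja3.hash is the MD5 of ja3.string, and likewise for ja3s), here is an added Python example that is not Suricata's code: it builds JA3 and JA3S strings from constructed ClientHello/ServerHello parameters, drops GREASE values as the JA3 specification requires, and derives the hash both as the 32-character hex string the ja3.hash buffer holds (length 32 in the rule dump above) and as the raw 16-byte digest a to_md5-style transform yields. All parameter values are constructed samples, not from a capture.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 skips them so a
# client randomising GREASE does not produce a different fingerprint each time.
GREASE = {(0x0a + 0x10 * i) * 0x0101 for i in range(16)}


def _join(values):
    """Dash-join decimal values, dropping GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 (ClientHello): version,ciphers,extensions,curves,point_formats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version, cipher, extensions):
    """JA3S (ServerHello): version,chosen_cipher,extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def hash_hex(fp):
    """What the ja3.hash / ja3s.hash buffers hold: 32 lowercase hex chars."""
    return hashlib.md5(fp.encode("ascii")).hexdigest()


def hash_raw(fp):
    """What a raw-digest transform such as to_md5 yields: 16 bytes."""
    return hashlib.md5(fp.encode("ascii")).digest()


# Constructed ClientHello parameters (TLS 1.2 = 0x0303 = 771), with one GREASE
# value in each list that must not show up in the resulting string.
CLIENT = dict(version=771,
              ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199],
              extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
              curves=[0x3a3a, 29, 23, 24],
              point_formats=[0])
# Constructed ServerHello parameters.
SERVER = dict(version=771, cipher=49195, extensions=[65281, 11, 35, 16])


def fingerprints():
    """Return (ja3.string, ja3.hash, ja3s.string, ja3s.hash) for the samples."""
    c = ja3_string(**CLIENT)
    s = ja3s_string(**SERVER)
    return c, hash_hex(c), s, hash_hex(s)


if __name__ == "__main__":
    for label, value in zip(("ja3.string", "ja3.hash", "ja3s.string", "ja3s.hash"), fingerprints()):
        print(f"{label:12} {value}")
```

Note that in Suricata the to_md5 transform passes the raw digest to the detection engine, so a rule built on ja3.string plus to_md5 would match with a hex-escaped 16-byte content, not the 32-character hex pattern used against ja3.hash above.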

Actions #8

Updated by Philippe Antoine about 2 years ago

  • Status changed from In Review to Closed