Project

General

Profile

Actions

Bug #5713

open

TLSv1 not logged into tls events.

Added by Peter Manev 2 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The attached is a single stream pcap from a malicious C2 beacon occurring multiple times over time.
It has 3whs and tear down but only one client hello packet , ack-ed by the server though.

The TLS version is TLSv1 according to Wireshark. Suricata protocol logs for TLS version displays "undetermined".

In this case it would be helpful if the protocol version is included in the log from security analysts/hunting perspective. It could maybe even be anomaly event ?

{
  "timestamp": "2022-11-24T11:16:23.277657+0100",
  "flow_id": 2240760637570876,
  "pcap_cnt": 9,
  "event_type": "tls",
  "src_ip": "192.168.46.2",
  "src_port": 49905,
  "dest_ip": "91.254.215.167",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "metadata": {
    "flowbits": [
      "ET.Evil",
      "ET.BotccIP" 
    ]
  },
  "tls": {
    "version": "UNDETERMINED",
    "ja3": {
      "hash": "49ed2ef3f1321e5f044f1e71b0e6fdd5",
      "string": "769,49162-49161-49172-49171-53-47-10,5-10-11-35-23-65281,29-23-24,0" 
    }
  }
}

Tested on 7.0.0-beta1


Files

TLSv1-Extracted-MaliciousC2.pcap (800 Bytes) TLSv1-Extracted-MaliciousC2.pcap Peter Manev, 11/25/2022 03:54 PM
Actions

Also available in: Atom PDF