Actions
Bug #5713
closedeve/tls: version not logged for client hello only session
Affected Versions:
Effort:
Difficulty:
Label:
Description
The attached is a single stream pcap from a malicious C2 beacon occurring multiple times over time.
It has 3whs and tear down but only one client hello packet , ack-ed by the server though.
The TLS version is TLSv1 according to Wireshark. Suricata protocol logs for TLS version displays "undetermined".
In this case it would be helpful if the protocol version is included in the log from security analysts/hunting perspective. It could maybe even be anomaly event ?
{
"timestamp": "2022-11-24T11:16:23.277657+0100",
"flow_id": 2240760637570876,
"pcap_cnt": 9,
"event_type": "tls",
"src_ip": "192.168.46.2",
"src_port": 49905,
"dest_ip": "91.254.215.167",
"dest_port": 443,
"proto": "TCP",
"pkt_src": "wire/pcap",
"metadata": {
"flowbits": [
"ET.Evil",
"ET.BotccIP"
]
},
"tls": {
"version": "UNDETERMINED",
"ja3": {
"hash": "49ed2ef3f1321e5f044f1e71b0e6fdd5",
"string": "769,49162-49161-49172-49171-53-47-10,5-10-11-35-23-65281,29-23-24,0"
}
}
}
Tested on 7.0.0-beta1
Files
Updated by Peter Manev about 3 years ago
Thank you to the user "woundride" at https://discord.com/channels/911231224448712714/911238451842666546/1044761526109737012
https://www.youtube.com/watch?v=WfbD-L2kXbk
for providing the pcap !
Updated by Victor Julien 16 days ago
- Subject changed from TLSv1 not logged into tls events. to eve/tls: version not logged for client hello only session
- Status changed from New to In Review
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 8.0 added
Updated by Victor Julien 1 day ago
- Status changed from In Review to Resolved
Updated by Victor Julien about 10 hours ago
- Status changed from Resolved to Closed
Actions