Project

General

Profile

Actions
Copy link

Bug #5713

open

eve/tls: version not logged for client hello only session

Added by Peter Manev about 3 years ago. Updated 13 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:

Description

The attached is a single stream pcap from a malicious C2 beacon occurring multiple times over time.
It has 3whs and tear down but only one client hello packet , ack-ed by the server though.

The TLS version is TLSv1 according to Wireshark. Suricata protocol logs for TLS version displays "undetermined".

In this case it would be helpful if the protocol version is included in the log from security analysts/hunting perspective. It could maybe even be anomaly event ? 

{
  "timestamp": "2022-11-24T11:16:23.277657+0100",
  "flow_id": 2240760637570876,
  "pcap_cnt": 9,
  "event_type": "tls",
  "src_ip": "192.168.46.2",
  "src_port": 49905,
  "dest_ip": "91.254.215.167",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "metadata": {
    "flowbits": [
      "ET.Evil",
      "ET.BotccIP" 
    ]
  },
  "tls": {
    "version": "UNDETERMINED",
    "ja3": {
      "hash": "49ed2ef3f1321e5f044f1e71b0e6fdd5",
      "string": "769,49162-49161-49172-49171-53-47-10,5-10-11-35-23-65281,29-23-24,0" 
    }
  }
}

Tested on 7.0.0-beta1

Files

TLSv1-Extracted-MaliciousC2.pcap (800 Bytes) TLSv1-Extracted-MaliciousC2.pcap Peter Manev, 11/25/2022 03:54 PM

Subtasks 1 (1 open0 closed)

Bug #8180: eve/tls: version not logged for client hello only session (8.0.x backport)AssignedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF