Bug #6634: tls: Invalid ja3 due to double client hello - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Bug #6634

closed

tls: Invalid ja3 due to double client hello

Added by Eric Leblond over 1 year ago. Updated 10 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

6.0.14, 7.0.1

Effort:

medium

Difficulty:

Label:

Description

Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.

The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.

Subtasks 1 (0 open — 1 closed)

Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)

Closed

Philippe Antoine

Actions

Related issues 3 (1 open — 2 closed)

Related to Suricata - Bug #7016: tls: hello retry request handling issues	New	OISF Dev	Actions
Related to Suricata - Bug #7256: ja3: Error: ja3: Buffer should not be NULL	Closed	Philippe Antoine	Actions
Copied to Suricata - Bug #7685: tls: Invalid ja4 due to double client hello	Rejected	OISF Dev	Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Eric Leblond over 1 year ago

Affected Versions 7.0.1 added
Affected Versions deleted (~~7.0.0~~)

Actions

Copy link

Updated by Eric Leblond over 1 year ago

PR https://github.com/OISF/suricata/pull/10059

Actions

Copy link

Updated by Victor Julien over 1 year ago

Can you share a pcap / SV test for this?

Actions

Copy link

Updated by Gianni Tedesco over 1 year ago

Can confirm we are seeing exactly this problem on approx 0.005% of TLS sessions

Actions

Copy link

Updated by Gianni Tedesco over 1 year ago

I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"

Actions

Copy link

Updated by Gianni Tedesco over 1 year ago

And another discrepancy, which I am not sure about and investigating a bit more is that, sometimes the EVE JSON reports "TLS 1.3", but both ja3-strings are saying 771 (TLS 1.2). Not sure why this is.

Actions

Copy link

Updated by Victor Julien about 1 year ago

Related to Bug #7016: tls: hello retry request handling issues added

Actions

Copy link

Updated by Victor Julien about 1 year ago

Subject changed from Invalid ja3 due to double client hello to tls: Invalid ja3 due to double client hello

Actions

Copy link

Updated by Philippe Antoine 10 months ago

Gianni Tedesco wrote in #note-5:

I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"

I can see one path where it happens :
Do you have TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH in these cases @Giuseppe Longo ?

Actions

Copy link

#10