Bug #6989

closed

tls.random buffers don't work as expected

Added by Isaac Shaughnessy 8 months ago. Updated 8 months ago.

Status: Closed
Priority: Normal

Description

While updating some old TLS signatures I noticed some strange behavior while using tls.random_time, where it looks like the flow isn't being interpreted correctly. In the attached pcap there is a Client/Server Hello that exhibits this behavior.

The random time in the CLIENT HELLO is 54 b4 c9 7b and is observed going from 10.10.1.1 -> 200.87.8.4. The following rules match on the CLIENT HELLO data, with the only difference being to_client/to_server. Based on the network traffic we would expect that CLIENT HELLO DATA - to_server (sid:1) would alert; instead CLIENT HELLO DATA - to_client (sid:2) triggers.

    alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
    alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)

Eve.json:

    "event_type": "alert",
    "src_ip": "200.87.8.4",
    "src_port": 443,
    "dest_ip": "10.10.1.1",
    "dest_port": 1117,
    "signature": "CLIENT HELLO DATA - to_client",

Conversely, the random time in the SERVER HELLO is 54 b8 f7 73 and traffic flows 200.87.8.4 -> 10.10.1.1. My signature SERVER HELLO DATA - to_client (sid:4) does not alert; SERVER HELLO DATA - to_server (sid:3) alerts instead.

    alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
    alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)

Eve.json:

    "event_type": "alert",
    "src_ip": "10.10.1.1",
    "src_port": 1117,
    "dest_ip": "200.87.8.4",
    "dest_port": 443,
    "signature": "SERVER HELLO DATA - to_server",

Thanks,
Isaac


Files

  • Dalton-Submission.zip (73.6 KB): eve.json / suri.yaml / rules. Isaac Shaughnessy, 04/26/2024 02:00 AM
  • 2021379_1_session_random.pcap (1.91 KB): pcap. Isaac Shaughnessy, 04/26/2024 02:00 AM
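
As an added example (not part of the original report and not Suricata's code), the Python below works out which of the four rules in the description should alert. It assumes `tls.random_time` covers the first 4 bytes of the hello's 32-byte random, and that a ClientHello travels to_server and a ServerHello to_client. The hello records are constructed sample input rather than bytes from the attached pcap, and all function names are hypothetical.

```python
import re

# The four rules from the report, copied verbatim.
RULES = r'''
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)
'''.strip().splitlines()

def parse_rule(line):
    """Extract (sid, flow direction, content bytes) from one rule line."""
    sid = int(re.search(r'sid:(\d+);', line).group(1))
    direction = re.search(r'flow:[^;]*\b(to_server|to_client)\b', line).group(1)
    needle = bytes.fromhex(re.search(r'content:"\|([0-9a-fA-F ]+)\|"', line).group(1))
    return sid, direction, needle

def make_hello(hs_type, random_time):
    """Constructed minimal hello record (sample input, not bytes from the pcap)."""
    body = b'\x03\x03' + random_time + bytes(28) + b'\x00'  # version, random, empty session id
    hs = bytes([hs_type]) + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + len(hs).to_bytes(2, 'big') + hs

def hello_random_time(record):
    """Return (direction, first 4 bytes of random) for a ClientHello/ServerHello record."""
    if len(record) < 43 or record[0] != 22:
        raise ValueError('not a TLS handshake record long enough to hold a hello random')
    directions = {1: 'to_server', 2: 'to_client'}  # ClientHello, ServerHello
    if record[5] not in directions:
        raise ValueError('handshake message is not a hello')
    # record header (5) + handshake header (4) + version (2) puts the random at offset 11
    return directions[record[5]], record[11:15]

def expected_sids(records):
    """Sids that should alert: flow direction and random_time content both match."""
    hits = set()
    for rec in records:
        direction, rtime = hello_random_time(rec)
        for sid, rule_dir, needle in map(parse_rule, RULES):
            if rule_dir == direction and needle in rtime:
                hits.add(sid)
    return hits

SAMPLE = [make_hello(1, bytes.fromhex('54b4c97b')), make_hello(2, bytes.fromhex('54b8f773'))]
OBSERVED = {2, 3}  # sids behind the two alerts quoted from eve.json in the report

if __name__ == '__main__':
    print('expected:', sorted(expected_sids(SAMPLE)), 'observed:', sorted(OBSERVED))
```

Comparing the expected set against the sids seen in eve.json for the same pcap gives a regression check for direction-sensitive rules when moving between Suricata versions.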

Subtasks 1 (0 open, 1 closed)

  • Bug #6990: tls.random buffers don't work as expected (7.0.x backport). Closed. Shivani Bhardwaj
#1

Updated by Isaac Shaughnessy 8 months ago · Edited

  • File d2ea05add9798c0b.zip added
  • File tls_random_session.pcap added
  • File deleted (tls-random.pcap)
  • Subject changed from tls.random buffers don't work with network variables. to tls.random buffers don't work when flow is to_client
  • File deleted (910a82d3a4a68145.zip)
#3

Updated by Isaac Shaughnessy 8 months ago

  • File deleted (d2ea05add9798c0b.zip)
#4

Updated by Isaac Shaughnessy 8 months ago

  • File deleted (tls_random_session.pcap)
#5

Updated by Isaac Shaughnessy 8 months ago

  • Subject changed from tls.random buffers don't work when flow is to_client to tls.random buffers don't work as expected
#6

Updated by Shivani Bhardwaj 8 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 8.0.0-beta1
#7

Updated by Shivani Bhardwaj 8 months ago

  • Label Needs backport to 7.0 added
#8

Updated by OISF Ticketbot 8 months ago

  • Subtask #6990 added
#9

Updated by OISF Ticketbot 8 months ago

  • Label deleted (Needs backport to 7.0)
#10

Updated by Shivani Bhardwaj 8 months ago

Hi @Isaac Shaughnessy!

Thank you for the excellent report. It is indeed an issue. I have opened a PR https://github.com/OISF/suricata/pull/10960 along with the tests per the pcaps you have shared.
Once the fix is merged in master, we shall backport it to the 7.0.x branch too.

#11

Updated by Shivani Bhardwaj 8 months ago

  • Status changed from Assigned to In Review
#12

Updated by Shivani Bhardwaj 8 months ago

  • Status changed from In Review to Resolved
#13

Updated by Shivani Bhardwaj 8 months ago

  • Status changed from Resolved to Closed