Bug #6989

closed

tls.random buffers don't work as expected

Added by Isaac Shaughnessy 23 days ago. Updated 18 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

While updating some old TLS signatures I noticed some strange behavior while using tls.random_time, where it looks like the flow isn't being interpreted correctly. In the attached pcap there is a Client/Server Hello that exhibits this behavior.

The random time in the CLIENT HELLO is 54 b4 c9 7b and is observed going from 10.10.1.1 -> 200.87.8.4. The following rules match on the CLIENT HELLO data, with the only difference being to_client/to_server. Based on the network traffic we would expect that CLIENT HELLO DATA - to_server (sid:1) would alert; instead CLIENT HELLO DATA - to_client (sid:2) triggers.

alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)

Eve.json:

    "event_type": "alert",
    "src_ip": "200.87.8.4",
    "src_port": 443,
    "dest_ip": "10.10.1.1",
    "dest_port": 1117,
    "signature": "CLIENT HELLO DATA - to_client",

Conversely, the random time in the SERVER HELLO is 54 b8 f7 73 and the traffic flows 200.87.8.4 -> 10.10.1.1. My signature SERVER HELLO DATA - to_client (sid:4) does not alert; SERVER HELLO DATA - to_server (sid:3) alerts instead.

alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)

Eve.json

    "event_type": "alert",
    "src_ip": "10.10.1.1",
    "src_port": 1117,
    "dest_ip": "200.87.8.4",
    "dest_port": 443,
    "signature": "SERVER HELLO DATA - to_server",

Thanks,
Isaac
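The following is an added illustration for this report, not code from the reporter or from Suricata. It models what the tls.random_time and tls.random_bytes buffers hold (the 4-byte gmt_unix_time and the remaining 28 bytes of the Hello Random field, per the TLS 1.2 handshake layout) and evaluates the four rules above against a ClientHello and a ServerHello with the direction taken from the flow's originator, which is what a direction-correct engine should do. The random_time values, addresses and ports are the ones from the report; the TLS records themselves, the Rule/Packet types and the helper names are constructed for the example and are not Suricata APIs.

```python
"""Model of tls.random_time matching plus the flow:to_server/to_client check.
Constructed sample data: only the random_time values, IPs and ports come from
the bug report; the TLS records are built here (assumed minimal TLS 1.2 Hellos)."""
import struct
from dataclasses import dataclass

TLS_RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def build_hello(hs_type: int, random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 handshake record carrying a ClientHello or
    ServerHello with the given 32-byte Random (no extensions)."""
    assert len(random32) == 32
    if hs_type == HS_CLIENT_HELLO:
        # version, Random, empty session id, one cipher suite, null compression
        body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    else:
        # version, Random, empty session id, chosen cipher suite, null compression
        body = b"\x03\x03" + random32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_RECORD_HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_hello_random(record: bytes):
    """Return (handshake type, random_time, random_bytes) from a Hello record.
    random_time is the first 4 bytes of Random, random_bytes the remaining 28."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type not in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    random32 = body[2:34]  # skip the 2-byte protocol version
    return hs_type, random32[:4], random32[4:]


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    direction: str      # "to_server" or "to_client"
    random_time: bytes  # the content:"|..|" bytes of the rule


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple
    payload: bytes


def flow_direction(pkt: Packet, client: tuple, server: tuple) -> str:
    """Direction relative to the flow originator, as flow:to_server/to_client mean it."""
    if pkt.src == client and pkt.dst == server:
        return "to_server"
    if pkt.src == server and pkt.dst == client:
        return "to_client"
    raise ValueError("packet does not belong to this flow")


def matching_sids(rules, pkt: Packet, client: tuple, server: tuple) -> set:
    """SIDs whose direction matches the packet and whose content is found in random_time."""
    direction = flow_direction(pkt, client, server)
    _hs_type, random_time, _random_bytes = parse_hello_random(pkt.payload)
    return {r.sid for r in rules if r.direction == direction and r.random_time in random_time}


RULES = [
    Rule(1, "CLIENT HELLO DATA - to_server", "to_server", bytes.fromhex("54b4c97b")),
    Rule(2, "CLIENT HELLO DATA - to_client", "to_client", bytes.fromhex("54b4c97b")),
    Rule(3, "SERVER HELLO DATA - to_server", "to_server", bytes.fromhex("54b8f773")),
    Rule(4, "SERVER HELLO DATA - to_client", "to_client", bytes.fromhex("54b8f773")),
]

CLIENT = ("10.10.1.1", 1117)   # flow originator, from the report
SERVER = ("200.87.8.4", 443)

# Constructed Hello records: the 28 trailing Random bytes are filler.
CLIENT_HELLO = Packet(CLIENT, SERVER,
                      build_hello(HS_CLIENT_HELLO, bytes.fromhex("54b4c97b") + b"\x11" * 28))
SERVER_HELLO = Packet(SERVER, CLIENT,
                      build_hello(HS_SERVER_HELLO, bytes.fromhex("54b8f773") + b"\x22" * 28))


def expected_alerts() -> dict:
    """Alerts a direction-correct engine should raise for the two Hellos."""
    return {
        "client_hello": matching_sids(RULES, CLIENT_HELLO, CLIENT, SERVER),
        "server_hello": matching_sids(RULES, SERVER_HELLO, CLIENT, SERVER),
    }


if __name__ == "__main__":
    for name, sids in expected_alerts().items():
        print(name, sorted(sids))
```

With the direction derived from who opened the flow, the ClientHello fires only sid:1 and the ServerHello only sid:4, the opposite of what the eve.json output above shows; that inversion is the point the report is making.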


Files

Dalton-Submission.zip (73.6 KB) - eve.json / suri.yaml / rules - Isaac Shaughnessy, 04/26/2024 02:00 AM
2021379_1_session_random.pcap (1.91 KB) - pcap - Isaac Shaughnessy, 04/26/2024 02:00 AM

Subtasks 1 (0 open, 1 closed)

Bug #6990: tls.random buffers don't work as expected (7.0.x backport) - Closed - Shivani Bhardwaj