Project

General

Profile

Actions

Bug #7250

open

tls version match can have incorrect behaviour

Added by Peter Manev 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We have detailed TLS (event_type:tls) and flow (event_type:flow) logs where information about an encrypted session can be gathered.
However if a user wants to specifically create a signature to match and highlight old and insecure encryption connection , such a signature can be like so for tls 1.0 , based from https://docs.suricata.io/en/latest/rules/tls-keywords.html#ssl-version :

  
alert tls $HOME_NET any -> any any (msg:"TLSv1 match - weak and degraded encryption"; flow:to_server,established; ssl_version:tls1.0; threshold: type both, track by_both, count 1, seconds 360; sid:1110004; rev:4; target:src_ip; metadata: created_at 2024_07_27, updated_at 2024_08_27;)

There are cases however where this will match and the records produced as part of the metadata of the alert will be wrong and/or misleading.
Here are two examples below. One hast tls version "undetermined", the other tls version 1.2 - the expected result is to match on tls 1.0 though:

{
  "timestamp": "2021-07-15T19:24:08.151236+0200",
  "flow_id": 2099445387481783,
  "pcap_cnt": 7,
  "event_type": "alert",
  "src_ip": "172.16.1.101",
  "src_port": 49882,
  "dest_ip": "52.143.82.23",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1110004,
    "rev": 4,
    "signature": "TLSv1 match - weak and degraded encryption ",
    "category": "",
    "severity": 3,
    "source": {
      "ip": "52.143.82.23",
      "port": 443
    },
    "target": {
      "ip": "172.16.1.101",
      "port": 49882
    },
    "metadata": {
      "created_at": [
        "2024_07_27" 
      ],
      "updated_at": [
        "2024_08_27" 
      ]
    }
  },
  "tls": {
    "sni": "licensing.mp.microsoft.com",
    "version": "UNDETERMINED" 
  },
  "app_proto": "tls",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 367,
    "bytes_toclient": 174,
    "start": "2021-07-15T19:24:07.947567+0200",
    "src_ip": "172.16.1.101",
    "dest_ip": "52.143.82.23",
    "src_port": 49882,
    "dest_port": 443
  }
}

{
  "timestamp": "2021-07-15T19:37:16.999929+0200",
  "flow_id": 1189210365098734,
  "pcap_cnt": 8,
  "event_type": "alert",
  "src_ip": "172.16.1.101",
  "src_port": 49922,
  "dest_ip": "88.80.148.177",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1110004,
    "rev": 4,
    "signature": "TLSv1 match - weak and degraded encryption ",
    "category": "",
    "severity": 3,
    "source": {
      "ip": "88.80.148.177",
      "port": 443
    },
    "target": {
      "ip": "172.16.1.101",
      "port": 49922
    },
    "metadata": {
      "created_at": [
        "2024_07_27" 
      ],
      "updated_at": [
        "2024_08_27" 
      ]
    }
  },
  "tls": {
    "sni": "minicombosoft.com",
    "version": "TLS 1.2" 
  },
  "app_proto": "tls",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 4,
    "bytes_toserver": 349,
    "bytes_toclient": 235,
    "start": "2021-07-15T19:37:16.407956+0200",
    "src_ip": "172.16.1.101",
    "dest_ip": "88.80.148.177",
    "src_port": 49922,
    "dest_port": 443
  }
}

single stream pcaps to reproduce those cases attached.
Those were derived from https://www.malware-traffic-analysis.net/2021/07/15/index.html , many thanks for the public info !

Tested with 77.0.6 and master

This is Suricata version 8.0.0-dev (685baa968 2024-08-31)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 14.2.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  GeoIP2 support:                          yes
  JA3 support:                             yes
  JA4 support:                             yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes
  Systemd support:                         yes

  Rust support:                            yes
  Rust strict mode:                        yes
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.79.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.79.0

  Python support:                          yes
  Python path:                             /home/pevma/.pyenv/shims/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /opt/suritest-git-latest
  Configuration directory:                 /opt/suritest-git-latest/etc/suricata/
  Log directory:                           /opt/suritest-git-latest/var/log/suricata/

  --prefix                                 /opt/suritest-git-latest
  --sysconfdir                             /opt/suritest-git-latest/etc
  --localstatedir                          /opt/suritest-git-latest/var
  --datarootdir                            /opt/suritest-git-latest/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                


Files

TLSv1WrongMatch-1.pcap (817 Bytes) TLSv1WrongMatch-1.pcap Peter Manev, 09/09/2024 04:30 PM
TLSv1WrongMatch-2.pcap (876 Bytes) TLSv1WrongMatch-2.pcap Peter Manev, 09/09/2024 04:30 PM

No data to display

Actions

Also available in: Atom PDF