Actions
Bug #7250
opentls version match can have incorrect behaviour
Description
We have detailed TLS (event_type:tls) and flow (event_type:flow) logs where information about an encrypted session can be gathered.
However if a user wants to specifically create a signature to match and highlight old and insecure encryption connection , such a signature can be like so for tls 1.0 , based from https://docs.suricata.io/en/latest/rules/tls-keywords.html#ssl-version :
alert tls $HOME_NET any -> any any (msg:"TLSv1 match - weak and degraded encryption"; flow:to_server,established; ssl_version:tls1.0; threshold: type both, track by_both, count 1, seconds 360; sid:1110004; rev:4; target:src_ip; metadata: created_at 2024_07_27, updated_at 2024_08_27;)
There are cases however where this will match and the records produced as part of the metadata of the alert will be wrong and/or misleading.
Here are two examples below. One hast tls version "undetermined", the other tls version 1.2 - the expected result is to match on tls 1.0 though:
{
"timestamp": "2021-07-15T19:24:08.151236+0200",
"flow_id": 2099445387481783,
"pcap_cnt": 7,
"event_type": "alert",
"src_ip": "172.16.1.101",
"src_port": 49882,
"dest_ip": "52.143.82.23",
"dest_port": 443,
"proto": "TCP",
"pkt_src": "wire/pcap",
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1110004,
"rev": 4,
"signature": "TLSv1 match - weak and degraded encryption ",
"category": "",
"severity": 3,
"source": {
"ip": "52.143.82.23",
"port": 443
},
"target": {
"ip": "172.16.1.101",
"port": 49882
},
"metadata": {
"created_at": [
"2024_07_27"
],
"updated_at": [
"2024_08_27"
]
}
},
"tls": {
"sni": "licensing.mp.microsoft.com",
"version": "UNDETERMINED"
},
"app_proto": "tls",
"direction": "to_server",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 3,
"bytes_toserver": 367,
"bytes_toclient": 174,
"start": "2021-07-15T19:24:07.947567+0200",
"src_ip": "172.16.1.101",
"dest_ip": "52.143.82.23",
"src_port": 49882,
"dest_port": 443
}
}
{
"timestamp": "2021-07-15T19:37:16.999929+0200",
"flow_id": 1189210365098734,
"pcap_cnt": 8,
"event_type": "alert",
"src_ip": "172.16.1.101",
"src_port": 49922,
"dest_ip": "88.80.148.177",
"dest_port": 443,
"proto": "TCP",
"pkt_src": "wire/pcap",
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1110004,
"rev": 4,
"signature": "TLSv1 match - weak and degraded encryption ",
"category": "",
"severity": 3,
"source": {
"ip": "88.80.148.177",
"port": 443
},
"target": {
"ip": "172.16.1.101",
"port": 49922
},
"metadata": {
"created_at": [
"2024_07_27"
],
"updated_at": [
"2024_08_27"
]
}
},
"tls": {
"sni": "minicombosoft.com",
"version": "TLS 1.2"
},
"app_proto": "tls",
"direction": "to_server",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 4,
"bytes_toserver": 349,
"bytes_toclient": 235,
"start": "2021-07-15T19:37:16.407956+0200",
"src_ip": "172.16.1.101",
"dest_ip": "88.80.148.177",
"src_port": 49922,
"dest_port": 443
}
}
single stream pcaps to reproduce those cases attached.
Those were derived from https://www.malware-traffic-analysis.net/2021/07/15/index.html , many thanks for the public info !
Tested with 77.0.6 and master
This is Suricata version 8.0.0-dev (685baa968 2024-08-31)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 14.2.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
GeoIP2 support: yes
JA3 support: yes
JA4 support: yes
Non-bundled htp: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Landlock support: yes
Systemd support: yes
Rust support: yes
Rust strict mode: yes
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.79.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.79.0
Python support: yes
Python path: /home/pevma/.pyenv/shims/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: no, not bundled
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /opt/suritest-git-latest
Configuration directory: /opt/suritest-git-latest/etc/suricata/
Log directory: /opt/suritest-git-latest/var/log/suricata/
--prefix /opt/suritest-git-latest
--sysconfdir /opt/suritest-git-latest/etc
--localstatedir /opt/suritest-git-latest/var
--datarootdir /opt/suritest-git-latest/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
PCAP_CFLAGS -I/usr/include
SECCFLAGS
Files
Updated by Philippe Antoine 2 months ago
- Related to Feature #2269: TLS: tls.version: allow negation or comparison added
Updated by Philippe Antoine 2 months ago
- Related to Bug #3220: ssl_version keyword negation (!) not working added
Updated by Philippe Antoine 2 months ago
- Affected Versions 8.0.0 added
- Affected Versions deleted (
git main)
Actions