Bug #6989
Updated by Isaac Shaughnessy 23 days ago
While working on updating some old tls signatures I noticed some strange behavior while found that the @tls.random@ and @tls.random_time@ buffers do not work as expected when using @tls.random_time@ where it looks like the flow isn't being interpreted correctly. @$HOME_NET/$EXTERNAL_NET@ variables. In this sample the attached pcap there is a Client/Server Hello that exibits this behavior. The tls random time in the @CLIENT HELLO@ value is @54b4c97b4fcfbc5a01ec4a73c86dbbc0869f7ba9086a60370581971ac89f45e5@ with @54 b4 c9 7b@ and is observered going being the time. For testing I'm using the following signatures; @sid:1@ was taken from @10.10.1.1 -> 200.87.8.4@. The following the suricata-verify rules match on which alerts but sid:2 does not. I've attached the @CLIENT HELLO@ data with pcap as well as the only difference being @to_client@/@to_server@, based on logs from my Dalton run which includes the network traffic we would expect that @CLIENT HELLO DATA - to_server (sid:1)@ would alert; instead @CLIENT HELLO DATA - to_client (sid:2)@ triggers. <pre> alert .yaml I'm using. https://github.com/OISF/suricata-verify/blob/3c1b017ac400911932b9f6836956472eed0720e1/tests/tls/tls-random/test.rules @alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; (msg:"Test tls.random_time option SERVER HELLO"; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;) sid:1;)@ alert @alert tls $HOME_NET any any -> $EXTERNAL_NET any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; (flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;) </pre> sid:2;)@ Eve.json: <pre> "event_type": "alert", "src_ip": "200.87.8.4", "src_port": 443, "dest_ip": "10.10.1.1", "dest_port": 1117, "signature": "CLIENT HELLO DATA - to_client", </pre> Conversely the random time in the @SERVER HELLO@ is @54 b8 f7 73@ and traffic flows @200.87.8.4 -> 10.10.1.1@. My signature @SERVER HELLO DATA - to_client (sid:4)@ does not alert; @SERVER HELLO DATA - to_server (sid:3)@ alerts instead. <pre> alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;) alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;) </pre> Eve.json <pre> "event_type": "alert", "src_ip": "10.10.1.1", "src_port": 1117, "dest_ip": "200.87.8.4", "dest_port": 443, "signature": "SERVER HELLO DATA - to_server", </pre> Thanks, Isaac