Bug #6989

Updated by Isaac Shaughnessy 8 months ago

While working on updating some old tls signatures I noticed some strange behavior: the @tls.random@ and @tls.random_time@ buffers do not work as expected when using @$HOME_NET@/@$EXTERNAL_NET@ variables, where it looks like the flow isn't being interpreted correctly.

In the attached pcap there is a Client/Server Hello that exhibits this behavior.

The tls random in the @CLIENT HELLO@ is @54b4c97b4fcfbc5a01ec4a73c86dbbc0869f7ba9086a60370581971ac89f45e5@, with @54 b4 c9 7b@ being the time, and the traffic is observed going @10.10.1.1 -> 200.87.8.4@. For testing I'm using the following signatures, the only difference being @to_client@/@to_server@. Based on the network traffic we would expect that @CLIENT HELLO DATA - to_server (sid:1)@ would alert; instead @CLIENT HELLO DATA - to_client (sid:2)@ triggers. The @tls.random_time@ rules from the suricata-verify test below, which use @any any -> any any@ with no flow direction, do match on this pcap; the same content written as @alert tls $HOME_NET any -> $EXTERNAL_NET any@ with @flow:established,to_server@ does not alert. I've attached the pcap as well as logs from my Dalton run, which includes the alert .yaml I'm using.

https://github.com/OISF/suricata-verify/blob/3c1b017ac400911932b9f6836956472eed0720e1/tests/tls/tls-random/test.rules

<pre>
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
</pre>

 Eve.json: 
 <pre> 
	 "event_type": "alert", 
	 "src_ip": "200.87.8.4", 
	 "src_port": 443, 
	 "dest_ip": "10.10.1.1", 
	 "dest_port": 1117, 
	 "signature": "CLIENT HELLO DATA - to_client", 
 </pre> 


Conversely, the random time in the @SERVER HELLO@ is @54 b8 f7 73@ and the traffic flows @200.87.8.4 -> 10.10.1.1@. My signature @SERVER HELLO DATA - to_client (sid:4)@ does not alert; @SERVER HELLO DATA - to_server (sid:3)@ alerts instead.

 <pre> 
 alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;) 
 alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;) 
 </pre> 


 Eve.json 
 <pre> 
	 "event_type": "alert", 
	 "src_ip": "10.10.1.1", 
	 "src_port": 1117, 
	 "dest_ip": "200.87.8.4", 
	 "dest_port": 443, 
	 "signature": "SERVER HELLO DATA - to_server", 
 </pre> 


 Thanks, 
 Isaac
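Added example, not part of the bug report and not Suricata's own code: a stand-alone Python script that parses a TLS ClientHello/ServerHello record, pulls out the 32-byte random and the leading 4-byte gmt_unix_time that @tls.random_time@ inspects, and maps each Hello to the flow direction the report expects the rule to need (a ClientHello goes client -> server, so @to_server@; a ServerHello goes server -> client, so @to_client@). The ClientHello random is the value quoted in the report; the ServerHello random is constructed from the @54 b8 f7 73@ prefix plus filler bytes, and both records carry a minimal single-cipher body rather than the pcap's real handshake. @rule_should_match@ emulates the expected semantics of @flow:established,<dir>; tls.random_time; content:"|..|"@, which is the behaviour the report says Suricata is not showing.

```python
"""Extract the TLS hello random / gmt_unix_time from a handshake record and
map it to the flow direction a tls.random_time rule should be written for.
Example code for illustration, not Suricata's implementation."""
import struct
from datetime import datetime, timezone

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS12 = b"\x03\x03"

# Sample values. The ClientHello random is the one quoted in the report; the
# ServerHello random is constructed: the 54 b8 f7 73 time prefix from the
# report followed by 28 filler bytes, not the pcap's real value.
CLIENT_RANDOM = bytes.fromhex(
    "54b4c97b4fcfbc5a01ec4a73c86dbbc0869f7ba9086a60370581971ac89f45e5")
SERVER_RANDOM = bytes.fromhex("54b8f773") + b"\x11" * 28


def build_hello(hs_type, random32):
    """Wrap a minimal ClientHello/ServerHello (empty session id, one cipher
    suite, null compression, no extensions) in a TLS handshake record."""
    body = TLS12 + random32 + b"\x00"                # version, random, sid len 0
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"    # cipher_suites, compression_methods
    else:
        body += b"\xc0\x2f" + b"\x00"                # cipher_suite, compression_method
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_hello(record):
    """Return (hs_type, random, gmt_unix_time) for a ClientHello or
    ServerHello record, or None for any other / truncated record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    # 4-byte handshake header + 2-byte version + 32-byte random at minimum
    if len(hs) < 38 or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    if int.from_bytes(hs[1:4], "big") > len(hs) - 4:
        return None                                   # body shorter than declared
    random32 = hs[6:38]                               # the tls.random buffer
    (gmt,) = struct.unpack("!I", random32[:4])        # the tls.random_time buffer
    return hs[0], random32, gmt


def expected_flow(hs_type):
    """A ClientHello travels client->server, a ServerHello server->client."""
    return "to_server" if hs_type == CLIENT_HELLO else "to_client"


def rule_should_match(record, time_hex, flow):
    """Emulate 'flow:established,<flow>; tls.random_time; content:"|<hex>|"'
    the way the report expects it to behave: the 4 time bytes must equal the
    content and the hello must be travelling in the rule's direction."""
    parsed = parse_hello(record)
    if parsed is None:
        return False
    hs_type, random32, _ = parsed
    return random32[:4] == bytes.fromhex(time_hex) and flow == expected_flow(hs_type)


def describe(record, src, dst):
    """Summarise what tls.random / tls.random_time see for one hello and
    which flow direction the matching rule should carry."""
    hs_type, random32, gmt = parse_hello(record)
    return {
        "hello": "CLIENT HELLO" if hs_type == CLIENT_HELLO else "SERVER HELLO",
        "tls.random": random32.hex(),
        "tls.random_time": random32[:4].hex(),
        "gmt_unix_time": datetime.fromtimestamp(gmt, timezone.utc).isoformat(),
        "packet": f"{src} -> {dst}",
        "expected_flow": expected_flow(hs_type),
    }


if __name__ == "__main__":
    # Addresses/ports as in the report's eve.json (client 10.10.1.1, server 200.87.8.4).
    for rec, src, dst in (
        (build_hello(CLIENT_HELLO, CLIENT_RANDOM), "10.10.1.1:1117", "200.87.8.4:443"),
        (build_hello(SERVER_HELLO, SERVER_RANDOM), "200.87.8.4:443", "10.10.1.1:1117"),
    ):
        for key, value in describe(rec, src, dst).items():
            print(f"{key:>16}: {value}")
        print()
```

Running it prints, for each Hello, the random, the time bytes, the decoded gmt_unix_time (the 54 b4 c9 7b ClientHello decodes to January 2015) and the @flow@ keyword a rule on that Hello should use; comparing that with the @src_ip@/@dest_ip@ of the alert in eve.json is a quick way to confirm the direction mismatch the report describes on your own pcap.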
