Project

General

Profile

Actions
Copy link

Feature #2145

open

Relate directly flowid with certificate file

Added by Fanny Dwargee over 7 years ago. Updated over 7 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Hi,

Tested on Suricata v3.2.2

The meta file generated with the tls-store keyword doesn't include the flowid so currently we're unable to link what flow used what certificate.

IMHO a better solution would be including in the 'tls' event_type something similar to the 'fileinfo' structure as used in the 'fileinfo' event_type, obviously this would change how the certificate files are currently named.

So the current 'tls' json event_type (snipped for brevity)...

{
    "flow_id":918276836420885,
    "event_type":"tls",
    "tls":{ "subject":"OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com",
            "issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
            "fingerprint":"40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3",
          }
}

...adding a new tlsinfo structure would become...

{
    "flow_id":918276836420885,
    "event_type":"tls",
    "tls":{ "subject":"OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com",
            "issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
            "fingerprint":"40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3",
          }
    "tlsinfo":{
                 "md5":"xxxxxxxxxxxxxxxxxx",
                 "stored":true,
                 "tls_id":1,
                 "size":24576,
              }
}

...and in the folder where Suricata stores the certificates that meta file would contain:

$ cat certificate.1.meta
TIME:              06/13/2017-16:54:27.654090
PCAP PKT NUM:      15
SRC IP:            192.168.61.100
DST IP:            104.154.89.105
PROTO:             6
SRC PORT:          51375
DST PORT:          443
TLS SUBJECT:       OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com
TLS ISSUERDN:      C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
TLS FINGERPRINT:   40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3

That makes sense for you?

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #2196: Add flow_id to the file extracted .meta fileClosedJason IshActions
Actions
Copy link
 #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Victor Julien about 5 years ago

  • Related to Feature #2196: Add flow_id to the file extracted .meta file added
Actions
Copy link

Also available in: Atom PDF