Bug #2861
closed
Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works
Added by Michal Vymazal over 5 years ago.
Updated over 5 years ago.
Description
This rule
alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224005; rev:1;)
Doesn't detect weak modp 1024 Diffie-Hellman parameter
pcap file attached
- suricata --build-info
This is Suricata version 4.1.0-dev (rev 8709a20d)
- Assignee set to Pierre Chifflier
Pierre, could you check this one as well? Thanks!
Thanks for the pcap!
A first look at the code shows that internally the weak DH parameters are correctly detected (https://github.com/OISF/suricata/blob/master-4.1.x/rust/src/ikev2/ikev2.rs#L310-L311).
However, I confirm that while the transaction is created and the event is set, no alert is raised. I'm investigating further.
Note: I have found some problems with names in `rules/ipsec-events.rules`, so I'll also fix this.
- Status changed from New to Resolved
- Copied to Bug #2865: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) not works (4.1.x) added
- Target version set to TBD
- Status changed from Resolved to Closed
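
The weak Diffie-Hellman check discussed in the comments above, sketched as an added example that is not Suricata's code and not part of the original ticket: it walks the transform list of one IKEv2 proposal (RFC 7296) and returns the DH group ids it considers weak. The function names, the weak-group set (MODP groups under 2048 bits) and the sample bytes are assumptions of this example.

```rust
// Added example, not Suricata's code: walk the transforms of one IKEv2
// proposal (RFC 7296, section 3.3.2) and collect weak Diffie-Hellman groups.

/// Transform Type 4 is "Diffie-Hellman Group" in RFC 7296.
const TRANSFORM_TYPE_DH: u8 = 4;

/// Assumed policy for this example: MODP groups below 2048 bits are weak.
/// 1 = 768-bit, 2 = 1024-bit, 5 = 1536-bit, 22 = 1024-bit with 160-bit subgroup.
fn is_weak_dh(group: u16) -> bool {
    matches!(group, 1 | 2 | 5 | 22)
}

/// Returns the weak DH group ids found, or Err on a malformed transform list.
fn weak_dh_groups(mut buf: &[u8]) -> Result<Vec<u16>, &'static str> {
    let mut weak = Vec::new();
    while !buf.is_empty() {
        if buf.len() < 8 {
            return Err("truncated transform header");
        }
        // Header: last/more (1), reserved (1), length (2), type (1), reserved (1), id (2)
        let len = u16::from_be_bytes([buf[2], buf[3]]) as usize;
        if len < 8 || len > buf.len() {
            return Err("bad transform length");
        }
        let id = u16::from_be_bytes([buf[6], buf[7]]);
        if buf[4] == TRANSFORM_TYPE_DH && is_weak_dh(id) {
            weak.push(id);
        }
        let last = buf[0] == 0; // 0 = last transform, 3 = more follow
        buf = &buf[len..];
        if last {
            break;
        }
    }
    Ok(weak)
}

/// Constructed sample: ENCR AES-CBC with a 256-bit key attribute, PRF HMAC-SHA2-256,
/// INTEG HMAC-SHA2-256-128, DH group 2 (modp1024).
const SAMPLE: [u8; 36] = [
    3, 0, 0, 12, 1, 0, 0, 12, 0x80, 14, 1, 0, // ENCR_AES_CBC, key length 256
    3, 0, 0, 8, 2, 0, 0, 5,                   // PRF_HMAC_SHA2_256
    3, 0, 0, 8, 3, 0, 0, 12,                  // AUTH_HMAC_SHA2_256_128
    0, 0, 0, 8, 4, 0, 0, 2,                   // DH group 2, last transform
];

fn main() {
    println!("{:?}", weak_dh_groups(&SAMPLE));
}
```

The sample proposal yields `Ok([2])`, the modp1024 case from this ticket; a truncated or inconsistent transform list is reported as an error instead of being skipped silently.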