Project

General

Profile

Actions

Feature #2962

open

eve: log more IKEv2 fields

Added by Michal Vymazal over 5 years ago. Updated almost 5 years ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

At this moment Suricata detects IKEv2 traffic, but the traffic analysis is little bit complicated.

here is a small illustrated guide for IKEv2

http://www.omnisecu.com/tcpip/ikev2-phase-1-and-phase-2-message-exchanges.php

I added my experimental IKEv2 suricata rules to this task too.

But, Moloch shows (IKEv2_Moloch_Screenshot_20190504_175220.png), in the Suricata section, only the Signatures which detect this traffic.

My proposal is to enhance the Suricata/Moloch plugins to show these parameters of the IKEv2 handshake (IKEv2-EventsList_Screenshot_20190504_175956.png)

ikev2.alg_auth
ikev2.alg_dh
ikev2.alg_enc
ikev2.alg_esn
ikev2.alg_prf
ikev2.errors
ikev2.exchange_type (at this time only numerical string, maybe standard descriprion will be better, like the other parameters)
ikev2.init_spi
ikev2.message_id
ikev2.notify
ikev2.payload
ikev2.resp_spi
ikev2.role
ikev2.version_major
ikev2.version_minor


Files

ike-rules-protocol.txt (8.21 KB) ike-rules-protocol.txt Michal Vymazal, 05/04/2019 03:36 PM
Internet Key Exchange Version 2 (IKEv2) Parameters.pdf (272 KB) Internet Key Exchange Version 2 (IKEv2) Parameters.pdf Michal Vymazal, 05/04/2019 03:38 PM
IKEv2_Moloch_Screenshot_20190504_175220.png (197 KB) IKEv2_Moloch_Screenshot_20190504_175220.png Michal Vymazal, 05/04/2019 03:53 PM
IKEv2_SA_INIT_Screenshot_20190424_174651.png (175 KB) IKEv2_SA_INIT_Screenshot_20190424_174651.png Michal Vymazal, 05/04/2019 03:56 PM
IKEv2-EventsList_Screenshot_20190504_175956.png (54.7 KB) IKEv2-EventsList_Screenshot_20190504_175956.png Michal Vymazal, 05/04/2019 04:00 PM
IKEv2_Moloch_Screenshot_20190504_175220-2.png (209 KB) IKEv2_Moloch_Screenshot_20190504_175220-2.png Moloch screen, the selected part will be enhanced with IKEv2 handshake proposals and exchange parameters Michal Vymazal, 11/23/2019 09:18 AM
Screenshot_20191123_094316.png (170 KB) Screenshot_20191123_094316.png List of IKEv2 parameters Michal Vymazal, 11/23/2019 09:20 AM
IKEv2-EventsList_Screenshot_20190504_175956.png (54.7 KB) IKEv2-EventsList_Screenshot_20190504_175956.png List of IKEv2 parameters Michal Vymazal, 11/23/2019 09:21 AM
Actions #1

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Are you interested to work on those as a contribution?

Actions #2

Updated by Michal Vymazal over 5 years ago

I will be very pleased. How can I help?

Actions #3

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Michal Vymazal

The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide feel free to ask if you have any specific questions. You can also look at our github page https://github.com/OISF/suricata and see how we work with PRs.

Actions #4

Updated by Michal Vymazal over 5 years ago

OK. Give me a week to study the rules, developers guide and the Contribution Agreement.

Actions #5

Updated by Michal Vymazal over 5 years ago

Suricata code location - Moloch, Suricata plugins

I will be glad to cooperate on this projects

https://redmine.openinfosecfoundation.org/issues/2962
https://redmine.openinfosecfoundation.org/issues/2957

But, I can't locate the right part of the code in the repository (means Moloch and Suricata plugins)
https://github.com/OISF/suricata

Can you give me a contact to a responsible person, who will help me to
find the right part of Suricata plugin and Moloch code?

Thank you very much

Actions #6

Updated by Peter Manev over 5 years ago

May be Pierre Chifflier (pollux on #suricata IRC) could help with some guidance with respect to the Suricata code.

Actions #7

Updated by Victor Julien over 5 years ago

  • Subject changed from Suricata x Moloch - protocol detection. Proposals for IKEv2 to eve: log more IKEv2 fields
Actions #9

Updated by Victor Julien almost 5 years ago

  • Label Protocol added
Actions

Also available in: Atom PDF