Bug #3218: ssl_state does the wrong thing - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #3218

open

ssl_state does the wrong thing

Added by Travis Green about 5 years ago. Updated about 1 month ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Affected Versions:

4.1.5, 5.0rc1

Effort:

Difficulty:

Label:

Description

The ssl_state keyword does not alert on the correct state when specified in the rule.

Example 1: should work with client_hello, but only works with server_hello

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS incorrect state (server_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:server_hello; classtype:attempted-admin; sid:1003923; rev:1;)

alert tls any any -> any [465,25,587] (msg:"Test 1 SNI in SMTPS desired state (client_hello)"; tls_sni; content:"flagstring"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003924; rev:1;)

fast.log:
09/30/2019-19:55:33.413760 [**] [1:1003923:1] Test 1 SNI in SMTPS incorrect state (server_hello) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.4.5:55804 -> 69.167.159.100:587

Example 2: should work with client_hello, but only works with server_keyx

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS incorrect state (server_keyx)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:server_keyx; classtype:attempted-admin; sid:1003925; rev:1;)

alert tls any any -> any any (msg:"Test 2 SNI in HTTPS correct state (client_hello)"; tls_sni; content:"www.google.com"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:1003926; rev:1;)

fast.log:
09/27/2019-17:32:40.365473 [**] [1:1003925:1] Test 2 SNI in HTTPS incorrect state (server_keyx) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.100.10:49159 -> 172.217.4.68:443

Example 3: should only alert with server_hello state, instead alerts with client_keyx

alert tls any any -> any any (msg:"Test 3 HTTPS certificate incorrect state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:client_keyx; classtype:attempted-admin; sid:1003928; rev:1;)

alert tls any any -> any any (msg:"Test 3 HTTPS certificate desired state"; content:"Google Trust Services"; flow:established,to_client; ssl_state:server_hello; classtype:attempted-admin; sid:1003929; rev:1;)

fast.log
09/27/2019-17:32:40.416945 [**] [1:1003928:1] Test 3 HTTPS certificate incorrect state [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.217.4.68:443 -> 192.168.100.10:49159

Tested with:
5.0.0-dev (9340769ad 2019-09-29)
4.1.5 RELEASE (with and without rust)

Files

Download all files

slice_smtps.pcap (8.25 KB) slice_smtps.pcap		Travis Green, 10/04/2019 09:11 PM
slice_https.pcap (55.5 KB) slice_https.pcap		Travis Green, 10/04/2019 09:11 PM

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #3218

ssl_state does the wrong thing

Updated by Andreas Herz about 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Philippe Antoine almost 3 years ago

Updated by Victor Julien about 2 years ago

Updated by Victor Julien about 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien over 1 year ago

Updated by Philippe Antoine over 1 year ago

Updated by Victor Julien about 1 month ago

Updated by Victor Julien about 1 month ago