Project

General

Profile

Actions
Copy link

Bug #4917

open

tls: leading GAP in toserver direction leads to various issues

Added by Victor Julien almost 3 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Attached is a pcap from https://github.com/OISF/suricata-verify/tree/master/tests/tls-ja3s, but with the first data segment to the server (the client hello) removed.

This leads to various issues:
  • flow logging app_proto as "failed", even if app_proto_tc is "tls".
  • no TLS logging or inspection
  • no GAP detected
  • app-layer event applayer_wrong_direction_first_data triggering

The parser does not support GAPs or first data into the toclient direction. Since the leading GAP isn't detected (in time), the first data sent to the parser is in the toclient direction. This is then rejected and leads to the event and failure state for the flow.

Files

tls-ja3s-sv-test-1st-segment-missing.pcap (9.59 KB) tls-ja3s-sv-test-1st-segment-missing.pcap Victor Julien, 12/19/2021 09:05 AM

Related issues 2 (2 open0 closed)

Related to Suricata - Task #3560: ssl/tls: support GAP recoveryNewOISF DevActions
Related to Suricata - Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocolsNewOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien almost 3 years ago

  • Related to Task #3560: ssl/tls: support GAP recovery added
Actions
Copy link
 #2

Updated by Victor Julien almost 3 years ago

  • Related to Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols added
Actions
Copy link
 #3

Updated by Philippe Antoine over 1 year ago

  • Target version set to 8.0.0-beta1
Actions
Copy link
 #4

Updated by Philippe Antoine over 1 year ago

  • Assignee set to OISF Dev
Actions
Copy link

Also available in: Atom PDF