Project

General

Profile

Actions

Bug #5183

closed

TLS Handshake Fragments not Reassembled

Added by Gianni Tedesco almost 3 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs Suricata-Verify test, Needs backport to 6.0

Description

TLS handshakes can be sent in multiple TLS frames. This is because the handshakes can be larger than the max size of a single frame (24 bits length field, vs 16 bits length field).

Suricata appears not to combine such fragments which means that TLS app-layer rules can be evaded and TLS events can be hidden if suricata is configured to log TLS events.

Attached are two semantically equivalent pcaps which show the same client hello message in wireshark but which produce INVALID_SSL_RECORD and INVALID_HANDSHAKE_MESSAGE anomaly events in Suricata.


Files

tls.pcap (2 KB) tls.pcap Baseline Gianni Tedesco, 03/08/2022 12:54 AM
tlsfrag.pcap (2.08 KB) tlsfrag.pcap Fragmented, semantically equivalent to baseline Gianni Tedesco, 03/08/2022 12:54 AM
tls.pcap (2 KB) tls.pcap Fragmented, semantically equivalent to baseline - Out of window fixed Iñaki McKearney, 09/15/2022 09:48 AM
tlsfrag.pcap (2.08 KB) tlsfrag.pcap Baseline - Out of window fixed Iñaki McKearney, 09/15/2022 09:48 AM

Subtasks 1 (0 open1 closed)

Bug #5796: TLS Handshake Fragments not Reassembled (6.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Related to Suricata - Optimization #5481: tls: support incomplete API to replace internal bufferingClosedVictor JulienActions
Actions #1

Updated by Victor Julien over 2 years ago

  • Priority changed from Normal to High
  • Target version changed from TBD to 7.0.0-beta1
  • Label Needs backport to 6.0 added
Actions #2

Updated by Victor Julien over 2 years ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
Actions #3

Updated by Victor Julien over 2 years ago

  • Label Needs Suricata-Verify test added
Actions #4

Updated by Victor Julien over 2 years ago

  • Related to Optimization #5481: tls: support incomplete API to replace internal buffering added
Actions #5

Updated by Victor Julien over 2 years ago

@Gianni Tedesco are you able to update the frag pcap to not have the server response be out of window?

Actions #6

Updated by Gianni Tedesco over 2 years ago

Yes, there must be a bug in the tool, will look into that.

Actions #7

Updated by Victor Julien over 2 years ago

  • Status changed from In Progress to In Review

Updated by Iñaki McKearney over 2 years ago

@Victor Julien @Gianni Tedesco Please find attached the updated pcaps.

Actions #9

Updated by Iñaki McKearney over 2 years ago

Please excuse the incorrect/swapped file comments on the fixed pcaps

Actions #10

Updated by Victor Julien over 2 years ago

  • Status changed from In Review to Closed
Actions #11

Updated by Orion Poplawski about 2 years ago

Is there any chance that this fix will get back ported to 6.0?

Actions #12

Updated by Victor Julien almost 2 years ago

  • Subtask #5796 added
Actions

Also available in: Atom PDF