Bug #5624 (closed)
quic: rule with ja3.hash keyword fails to load
Added by Victor Julien about 2 years ago. Updated almost 2 years ago.
Description
28/10/2022 -- 19:18:29 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
28/10/2022 -- 19:18:29 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (msg:"LOCAL QUIC new JA3"; ja3.hash; dataset:set,quic-ja3-seen, type string, state quic-ja3-seen.csv; sid:8000008;)" from file /etc/suricata/local.rules at line 10
Philippe, this is supposed to work, right?
Updated by Philippe Antoine about 2 years ago
- Status changed from Assigned to In Review
It should and it does not.
Updated by Philippe Antoine about 2 years ago
Well, it does not work.
Should we somehow redirect this to ja3.string; transform: to_md5?
Updated by Victor Julien about 2 years ago
Philippe Antoine wrote in #note-2:
> Well, it does not work.
> Should we somehow redirect this to ja3.string; transform: to_md5?
No? I don't see how that is related at all.
Updated by Philippe Antoine about 2 years ago
> I don't see how that is related at all.
ja3.hash is the md5 of ja3.string
Is that clearer?
Updated by Victor Julien about 2 years ago
I think we're talking about different issues. My point is that the rule shouldn't fail to load. Here's a simpler set w/o datasets:
alert quic any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:1;)
alert quic any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:2;)
alert ip any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:3;)
alert ip any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:4;)
Results in
$ ./src/suricata -c suricata.yaml -l tmp/ -T -S quic-ja3.rules
29/10/2022 -- 16:05:06 - <Info> - Running suricata under test mode
29/10/2022 -- 16:05:06 - <Notice> - This is Suricata version 7.0.0-beta1 RELEASE running in SYSTEM mode
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:1;)" from file quic-ja3.rules at line 1
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can't set rule app proto to tls: already set to quic
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert quic any any -> any any (ja3s.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:2;)" from file quic-ja3.rules at line 2
29/10/2022 -- 16:05:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
Sid 3 and 4 also only apply to TLS, not quic:
{
  "raw": "alert ip any any -> any any (ja3.hash; content:\"deadbeefdeadbeefdeadbeefdeadbeef\"; sid:3;)",
  "id": 3,
  "gid": 1,
  "rev": 0,
  "app_proto": "tls",
  "requirements": [
    "flow"
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver",
    "prefilter"
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "ja3.hash",
      "direction": "toserver",
      "is_mpm": true,
      "app_proto": "tls",
      "progress": 0,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
            "length": 32,
            "nocase": false,
            "negated": false,
            "starts_with": false,
            "ends_with": false,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "ja3.hash",
    "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
    "length": 32,
    "nocase": false,
    "negated": false,
    "starts_with": false,
    "ends_with": false,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}
{
  "raw": "alert ip any any -> any any (ja3s.hash; content:\"deadbeefdeadbeefdeadbeefdeadbeef\"; sid:4;)",
  "id": 4,
  "gid": 1,
  "rev": 0,
  "app_proto": "tls",
  "requirements": [
    "flow"
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toclient",
    "prefilter"
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "ja3s.hash",
      "direction": "toclient",
      "is_mpm": true,
      "app_proto": "tls",
      "progress": 0,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
            "length": 32,
            "nocase": false,
            "negated": false,
            "starts_with": false,
            "ends_with": false,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "ja3s.hash",
    "pattern": "deadbeefdeadbeefdeadbeefdeadbeef",
    "length": 32,
    "nocase": false,
    "negated": false,
    "starts_with": false,
    "ends_with": false,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}
I assumed that ja3(s) keywords would work with quic. Am I wrong?
Updated by Philippe Antoine almost 2 years ago
> I think we're talking about different issues. My point is that the rule shouldn't fail to load.
Indeed I agree. That is what I am talking about as well.
I am wondering if the fix could be to make ja3.hash some "alias" of md5(ja3.string).
That would remove redundant code, likely to get an error next time.
And I guess you know better than me if it is possible, and if it is a good idea (perf?)
Is it clearer?
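The relationship Philippe describes, ja3.hash being the MD5 of ja3.string, worked through as an added example; this is not Suricata's code and not anything posted in the thread. It builds a JA3 string from constructed ClientHello fields (the version, cipher, extension, curve and point-format lists are made-up sample values, not a real capture), drops GREASE values the way the JA3 specification does, and derives the hash the ja3.hash keyword would see. The `matches_hash_rule` helper is an assumption about what a `ja3.hash; content:"...";` rule effectively checks, not engine code.

```python
import hashlib

# GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them so a
# client that randomises GREASE does not get a different fingerprint each time.
GREASE = {(n << 12) | 0x0a00 | (n << 4) | 0x0a for n in range(16)}


def _field(values):
    """Join one ClientHello list as dash-separated decimals, GREASE removed."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string in its documented layout:
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.
    This is the value the ja3.string keyword exposes to a rule."""
    return ",".join([
        str(version),
        _field(ciphers),
        _field(extensions),
        _field(curves),
        _field(point_formats),
    ])


def ja3_hash(s):
    """ja3.hash is the lowercase hex MD5 digest of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def matches_hash_rule(fingerprint_hash, rule_content):
    """Assumed model of a `ja3.hash; content:"<hex>";` rule: a case-sensitive
    substring match on the hash buffer (the engine analysis in this thread shows
    nocase false for that content)."""
    return rule_content in fingerprint_hash


# Constructed sample ClientHello fields (not from a real capture). 0x1a1a, 0x2a2a
# and 0x3a3a are GREASE values and must not appear in the output.
SAMPLE_VERSION = 771                       # legacy_version 0x0303 (TLS 1.2)
SAMPLE_CIPHERS = [0x1a1a, 4865, 4866, 4867, 49195]
SAMPLE_EXTENSIONS = [0x2a2a, 0, 23, 65281, 10, 11]
SAMPLE_CURVES = [0x3a3a, 29, 23, 24]
SAMPLE_POINT_FORMATS = [0]

JA3_STRING = ja3_string(SAMPLE_VERSION, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS,
                        SAMPLE_CURVES, SAMPLE_POINT_FORMATS)
JA3_HASH = ja3_hash(JA3_STRING)

if __name__ == "__main__":
    print("ja3.string:", JA3_STRING)
    print("ja3.hash:  ", JA3_HASH)
    print("matches the deadbeef rule:", matches_hash_rule(JA3_HASH, "deadbeef" * 4))
```

Because the hash is a pure function of the string, a rule on `ja3.hash` and a rule on `ja3.string` with the MD5 applied to the buffer describe the same match; the difference is only which buffer the engine has to build and inspect, which is the performance question raised above.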
Updated by Philippe Antoine almost 2 years ago
Updated by Philippe Antoine almost 2 years ago
- Status changed from In Review to Closed