Actions
Bug #5713
openTLSv1 not logged into tls events.
Affected Versions:
Effort:
Difficulty:
Label:
Description
The attached is a single stream pcap from a malicious C2 beacon occurring multiple times over time.
It has 3whs and tear down but only one client hello packet , ack-ed by the server though.
The TLS version is TLSv1 according to Wireshark. Suricata protocol logs for TLS version displays "undetermined".
In this case it would be helpful if the protocol version is included in the log from security analysts/hunting perspective. It could maybe even be anomaly event ?
{ "timestamp": "2022-11-24T11:16:23.277657+0100", "flow_id": 2240760637570876, "pcap_cnt": 9, "event_type": "tls", "src_ip": "192.168.46.2", "src_port": 49905, "dest_ip": "91.254.215.167", "dest_port": 443, "proto": "TCP", "pkt_src": "wire/pcap", "metadata": { "flowbits": [ "ET.Evil", "ET.BotccIP" ] }, "tls": { "version": "UNDETERMINED", "ja3": { "hash": "49ed2ef3f1321e5f044f1e71b0e6fdd5", "string": "769,49162-49161-49172-49171-53-47-10,5-10-11-35-23-65281,29-23-24,0" } } }
Tested on 7.0.0-beta1
Files
Updated by Peter Manev about 2 years ago
Thank you to the user "woundride" at https://discord.com/channels/911231224448712714/911238451842666546/1044761526109737012
https://www.youtube.com/watch?v=WfbD-L2kXbk
for providing the pcap !
Actions