Bug #6989
closedtls.random buffers don't work as expected
Description
While updating some old tls signatures I noticed some strange behavior while using tls.random_time where it looks like the flow isn't being interpreted correctly. In the attached pcap there is a Client/Server Hello that exibits this behavior.
The random time in the CLIENT HELLO is 54 b4 c9 7b and is observered going from 10.10.1.1 -> 200.87.8.4. The following rules match on the CLIENT HELLO data with the only difference being to_client/to_server, based on the network traffic we would expect that CLIENT HELLO DATA - to_server (sid:1) would alert; instead CLIENT HELLO DATA - to_client (sid:2) triggers.
alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;) alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
Eve.json:
"event_type": "alert",
"src_ip": "200.87.8.4",
"src_port": 443,
"dest_ip": "10.10.1.1",
"dest_port": 1117,
"signature": "CLIENT HELLO DATA - to_client",
Conversely the random time in the SERVER HELLO is 54 b8 f7 73 and traffic flows 200.87.8.4 -> 10.10.1.1. My signature SERVER HELLO DATA - to_client (sid:4) does not alert; SERVER HELLO DATA - to_server (sid:3) alerts instead.
alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;) alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)
Eve.json
"event_type": "alert",
"src_ip": "10.10.1.1",
"src_port": 1117,
"dest_ip": "200.87.8.4",
"dest_port": 443,
"signature": "SERVER HELLO DATA - to_server",
Thanks,
Isaac
Files
Updated by Isaac Shaughnessy 6 months ago ยท Edited
- File d2ea05add9798c0b.zip added
- File tls_random_session.pcap added
- File deleted (
tls-random.pcap) - Subject changed from tls.random buffers don't work with network variables. to tls.random buffers don't work when flow is to_client
- File deleted (
910a82d3a4a68145.zip)
Updated by Isaac Shaughnessy 6 months ago
- File Dalton-Submission.zip Dalton-Submission.zip added
- File 2021379_1_session_random.pcap 2021379_1_session_random.pcap added
- Description updated (diff)
Updated by Isaac Shaughnessy 6 months ago
- File deleted (
tls_random_session.pcap)
Updated by Isaac Shaughnessy 6 months ago
- Subject changed from tls.random buffers don't work when flow is to_client to tls.random buffers don't work as expected
Updated by Shivani Bhardwaj 6 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 8.0.0-beta1
Updated by Shivani Bhardwaj 6 months ago
Hi @Isaac Shaughnessy !
Thank you for the excellent report. It is indeed an issue. I have opened a PR https://github.com/OISF/suricata/pull/10960 along with the tests per the pcaps you have shared.
Once the fix is merged in master, we shall backport it to the 7.0.x branch too.
Updated by Shivani Bhardwaj 6 months ago
- Status changed from Assigned to In Review
Updated by Shivani Bhardwaj 6 months ago
- Status changed from In Review to Resolved
Closed by: https://github.com/OISF/suricata/pull/10960
Updated by Shivani Bhardwaj 6 months ago
- Status changed from Resolved to Closed