Project

General

Profile

Actions

Bug #7331

closed

Packet direction check incorrect for Lua TLS functions

Added by Chris Wakelin 2 months ago. Updated about 1 month ago.

Status:
Rejected
Priority:
Low
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

I created a simple Lua rule to check for a TLS "notbefore" certificate date less than three days old. It didn't work until I changed the direction checks in util-lua-tls.c :

Lua:

function init(args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    local nb = TlsGetCertNotBefore()
    local startts_s, lastts_s, startts_us, lastts_us = SCFlowTimestamps()
    if nb == nil or startts_s == nil then
        return 0
    end

    -- local age = (os.time() - nb) / 86400
    local age = (startts_s - nb) / 86400
    if age > 0 and age < 3 then
    return 1
    end

    return 0
end

Diff:

--- src/util-lua-tls.c.safe    2024-06-13 16:14:43.648711557 +0100
+++ src/util-lua-tls.c    2024-09-24 12:52:06.802451772 +0100
@@ -64,7 +64,7 @@
     SSLState *ssl_state = (SSLState *)state;
     SSLStateConnp *connp = NULL;

-    if (direction) {
+    if (!direction) {
         connp = &ssl_state->client_connp;
     } else {
         connp = &ssl_state->server_connp;
@@ -105,7 +105,7 @@
     SSLState *ssl_state = (SSLState *)state;
     SSLStateConnp *connp = NULL;

-    if (direction) {
+    if (!direction) {
         connp = &ssl_state->client_connp;
     } else {
         connp = &ssl_state->server_connp;
@@ -146,7 +146,7 @@
     SSLState *ssl_state = (SSLState *)state;
     SSLStateConnp *connp = NULL;

-    if (direction) {
+    if (!direction) {
         connp = &ssl_state->client_connp;
     } else {
         connp = &ssl_state->server_connp;
@@ -287,7 +287,7 @@
     SSLState *ssl_state = (SSLState *)state;
     SSLStateConnp *connp = NULL;

-    if (direction) {
+    if (!direction) {
         connp = &ssl_state->client_connp;
     } else {
         connp = &ssl_state->server_connp;

Please can you check to see if this is correct? I can supply PCAPs (from our Sandbox or behaviour runs in VT) if required.

Actions #1

Updated by Chris Wakelin about 1 month ago

  • Status changed from New to Rejected
  • Assignee changed from Eric Leblond to Chris Wakelin

It turns out I'd got the direction wrong in the actual rule. When I added an extra "tls_cert_notbefore:" keyword to the rule it warned me that this was incompatible with the direction, and this indeed was the case!

Actions

Also available in: Atom PDF