<div dir="ltr"><div>Hi,</div><div><br></div><div>If I remember correctly, in the suricata.yaml file, you should have a section called "port-groups". There you can define your variable with the ports you want, for example:<br></div><div><br></div><div>port-groups:</div><div> TLS_PORTS: "[443,465,587,853]"</div><div>
 NOT_TLS_PORTS: "!$TLS_PORTS"</div><div> (...)<br></div><div><br></div><div>Then in the rule change the port part from
"![443,465,587]" to "$NOT_TLS_PORTS".<br></div><div><br></div><div>Cheers,</div><div>Duarte<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Carlos Lopez <<a href="mailto:clopmz@outlook.com">clopmz@outlook.com</a>> wrote on Sunday, 5/01/2020 at 17:53:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="ES">
<div class="gmail-m_-1641241010365117618WordSection1">
<p class="MsoNormal"><span lang="EN-US">I have found the problem: it is the rule:</span></p>
<p class="MsoNormal"><span lang="EN-US">alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold:type limit, track by_src, seconds 60, count 1; sid:2610003; rev:1;)</span></p>
<p class="MsoNormal"><span lang="EN-US">As you can see, TLS ports are hardcoded … Is it possible to change them to a variable?</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">-- </span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Regards,</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US">C. L. Martinez</span></p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a>> on behalf of Carlos Lopez <<a href="mailto:clopmz@outlook.com" target="_blank">clopmz@outlook.com</a>><br>
<b>Date: </b>Sunday, 5 January 2020 at 14:23<br>
<b>To: </b>Konstantin Klinger <<a href="mailto:konstantinklinger@mailbox.org" target="_blank">konstantinklinger@mailbox.org</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>
<b>Subject: </b>Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port</span></p>
</div>
<p class="MsoNormal"><span lang="EN-US">Uhmmm … strange. Ok, I will check it to see if I have made some mistake with my suricata’s config.</span></p>
<p class="MsoNormal"><span lang="EN-US">Many thanks for your help, Konstantin.</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">-- </span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Regards,</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US">C. L. Martinez</span></p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">Konstantin Klinger <<a href="mailto:konstantinklinger@mailbox.org" target="_blank">konstantinklinger@mailbox.org</a>><br>
<b>Date: </b>Sunday, 5 January 2020 at 14:19<br>
<b>To: </b>Carlos Lopez <<a href="mailto:clopmz@outlook.com" target="_blank">clopmz@outlook.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>
<b>Subject: </b>Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port</span></p>
</div>
<div>
<p class="MsoNormal">Works for me as expected with Suricata 5.0. Suricata can parse TLS on that port as expected and parses it also. Eve json output and alert generation are working.</p>
</div>
<div>
<p class="MsoNormal">suricata.yaml:</p>
</div>
<div>
<p class="MsoNormal">tls: <br>
enabled: yes <br>
detection-ports: <br>
dp: 443, 853</p>
</div>
<div>
<p class="MsoNormal">fast.log:</p>
</div>
<div>
<p class="MsoNormal">01/05/2020-13:47:29.304261 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.304418 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.304421 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.304422 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.311176 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.331169 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.331457 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.331842 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.351653 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.419592 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.419935 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.420171 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.439981 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.440178 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358<br>
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853<br>
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358</p>
</div>
<div>
<p class="MsoNormal">Rule:</p>
</div>
<div>
<p class="MsoNormal">alert tls any any -> any any (msg:"FOO TLS"; sid:1; rev:1;)</p>
</div>
<div>
<p class="MsoNormal">Example eve json output entry:</p>
</div>
<div>
<p class="MsoNormal">{ <br>
"timestamp": "2020-01-05T13:47:29.304422+0100", <br>
"flow_id": 84670362485565, <br>
"pcap_cnt": 8, <br>
"event_type": "tls", <br>
"src_ip": "172.22.54.6", <br>
"src_port": 16358, <br>
"dest_ip": "1.1.1.1", <br>
"dest_port": 853, <br>
"proto": "TCP", <br>
"tls": { <br>
"subject": "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com", <br>
"issuerdn": "C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA", <br>
"serial": "01:CC:E3:18:DE:9F:56:7F:AB:2B:24:90:1F:AD:A7:1D", <br>
"fingerprint": "66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f", <br>
"version": "TLS 1.2", <br>
"notbefore": "2019-01-28T00:00:00", <br>
"notafter": "2021-02-01T12:00:00", <br>
"ja3": {}, <br>
"ja3s": {} <br>
} <br>
}</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal" style="margin-bottom:12pt">On January 5, 2020 at 1:50 PM Carlos Lopez <<a href="mailto:clopmz@outlook.com" target="_blank">clopmz@outlook.com</a>> wrote:</p>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Hi Konstantin,</p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Pcap attached. I am using the default config from the Suricata install from source … The only option I have changed is dp …</p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Many thanks for your help.</p>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">-- </p>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Regards,</p>
</div>
</div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">C. L. Martinez</p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal"><strong><span style="font-size:12pt;color:black">From: </span></strong><span style="font-size:12pt;color:black">Konstantin Klinger <<a href="mailto:konstantinklinger@mailbox.org" target="_blank">konstantinklinger@mailbox.org</a>><br>
<strong>Date: </strong>Sunday, 5 January 2020 at 13:35<br>
<strong>To: </strong>Carlos Lopez <<a href="mailto:clopmz@outlook.com" target="_blank">clopmz@outlook.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>
<strong>Subject: </strong>Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port</span></p>
</div>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Hi Carlos,</p>
</div>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">could you please share your suricata.yaml and additionally a sample pcap of your DNS over TLS traffic via port 853, if possible? If you would not like to share it publicly but with me, I've attached my PGP key.</p>
</div>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Thanks,</p>
</div>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">Konstantin</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal" style="margin-bottom:12pt">On January 5, 2020 at 1:08 PM Carlos Lopez <<a href="mailto:clopmz@outlook.com" target="_blank">clopmz@outlook.com</a>> wrote:</p>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal"><span style="color:black">Hi all,</span></p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal"><span style="color:black">I have a DNS cache server based on unbound redirecting all external queries to CloudFlare’s DNS servers via DNS over TLS and, as I indicated in the subject, a lot of alerts are triggered as “SURICATA TLS on unusual port”.</span></p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal"><span style="color:black">I have tried to inform our Suricata sensors via “app-layer,tls,dp” that port 853 is a valid TLS port, without luck … I have checked every TLS variable for Suricata without result.</span></p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal"><span style="color:black">Then how do I inform Suricata that port 853 is a valid TLS port?</span></p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal">-- </p>
<div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal">Regards,</p>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-ox-335a999652-msonormal">C. L. Martinez</p>
</div>
</div>
<p class="gmail-m_-1641241010365117618ox-5b4ed10b72-msonormal">_______________________________________________
<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a> <br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a> <br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a> <br>
<br>
Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a> <br>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></p>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote></div>
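<div>Putting the two answers in the thread together, here is an added example (written for this page, not posted by any of the participants) of the suricata.yaml settings Konstantin and Duarte describe, side by side: the app-layer TLS detection port for DNS over TLS and a port-group variable that the "SURICATA TLS on unusual port" rule can reference instead of its hard-coded list. The rule in the trailing comment is Carlos's rule with only the port part changed, as Duarte suggests; the variable names and the exact port list are this example's choices.</div>

```yaml
# suricata.yaml fragment (added example, not from the mailing-list thread).
# Two pieces work together: "detection-ports" tells Suricata where to expect
# TLS, and the port-group variable keeps the "unusual port" rule in sync with
# that list, so a single edit covers both.
vars:
  port-groups:
    # Ports treated as normal TLS: 853 is DNS over TLS, the rest is the
    # list from the original rule. Add further ports to this one list only.
    TLS_PORTS: "[443,465,587,853]"
    # Negation of the list above. A variable referenced from another
    # variable needs the leading "$" (same form as EXTERNAL_NET: "!$HOME_NET").
    NOT_TLS_PORTS: "!$TLS_PORTS"

app-layer:
  protocols:
    tls:
      enabled: yes
      # Konstantin's working setting: destination ports on which the TLS
      # parser is applied, so port 853 sessions are logged as
      # event_type "tls" in eve.json.
      detection-ports:
        dp: 443, 853

# In the rules file the rule then reads as below (a single line in the file;
# wrapped here for readability). Because the ports come from the variable,
# Suricata refuses to load the rule if NOT_TLS_PORTS is missing from
# suricata.yaml, which catches a half-applied change at startup.
#
# alert tcp any any -> any $NOT_TLS_PORTS (msg:"SURICATA TLS on unusual port";
#   flow:to_server; app-layer-protocol:tls;
#   threshold:type limit, track by_src, seconds 60, count 1; sid:2610003; rev:1;)
```

Running `suricata -T -c <your suricata.yaml>` (test mode) loads the configuration and rules without processing traffic, so an unresolved variable or YAML indentation slip is reported before the sensor is restarted.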