[Oisf-users] TLS rule not matching certificate subject all the time

Anoop Saldanha anoopsaldanha at gmail.com
Fri Nov 9 05:50:51 UTC 2012


Copying Pierre, Will and Matt.

On Fri, Nov 9, 2012 at 2:29 AM, Matthew Keeler <mk at npulsetech.com> wrote:
> I think I may have found the problem. Sometimes when there is a resumed TLS session (where it doesn't send the certificate) Suricata doesn't detect the cert. However other times it does. Does Suricata cache any SSL session ids and determine the certificate from the session if it is being re-used instead of a transmitted certificate? That would explain some of the odd behavior I am seeing where at times it will match everything and others it won't.
>

Right.

Maybe the rule writers can provide some insight on what the keyword
should match on.

Whether the rule should only match on a stream carrying the transmitted
cert, or whether it should also match on streams that initiate reuse of
old sessions.

> Matt Keeler
>
>
> On Nov 8, 2012, at 8:56 AM, Victor Julien <lists at inliniac.net> wrote:
>
>> On 11/08/2012 02:46 PM, Matthew Keeler wrote:
>>> Was using the autofp runmode. I will try with the workers run mode and see if it resolves anything.
>>
>> Can you reproduce it with a pcap file?
>>
>> Cheers,
>> Victor
>>
>>>
>>> Matt Keeler
>>>
>>> On Nov 7, 2012, at 5:19 PM, Eric Leblond <eric at regit.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> On Wednesday, 07 November 2012 at 16:53 -0500, Matthew Keeler wrote:
>>>>> I am experimenting with some Suricata rules and have a rule of the form
>>>>>
>>>>> alert tls any any -> any any (msg:"Some message"; tls.subject:"<the cert subject>"; sid:<sid>; rev:1;)
>>>>>
>>>>> I then run a curl command to reach out to an https enabled website with a certificate that has the same subject as the one in the rule. Sometimes I get the alert and sometimes I do not. It seems rather random when the alert is raised and when it is ignored.
>>>>>
>>>>> I have verified in Wireshark that the certificate is being sent every time.
>>>>>
>>>>> Is there a reason why Suricata would only occasionally find the certificate?
>>>>
>>>> No specific reason. One of the possibilities is that there are some
>>>> streaming errors. What is the running mode used? Workers with flow-based
>>>> load-balancing on top should provide good results and avoid this kind of
>>>> problem.
>>>>
>>>>
>>>> BR,
>>>>
>>>>>
>>>>> Thanks
>>>>> Matt Keeler
>>>>> --------------------------------------------------------------------
>>>>> The information contained herein is for the exclusive use of the original recipient.  This information is granted for limited distribution within the recipient's organization for planning purposes only.  Further dissemination, whether private or public, is prohibited and may be covered under a non-disclosure agreement.
>>>>>
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
>>>>
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>



-- 
Anoop Saldanha
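The distinction the thread turns on, shown as an added Python example that is not part of this list post or of Suricata's own code: a minimal TLS record and handshake parser that classifies a client/server exchange as a full handshake (a Certificate message is on the wire, so a subject is available to match) or an abbreviated session-ID resumption (the server echoes the client's session id and never sends a Certificate). All byte strings, the session id and the certificate placeholder are constructed for this example; the parser stops at ChangeCipherSpec because every handshake record after it is encrypted, and it reassembles a Certificate message that is split across two records, which is one of the places a stream-reassembly error would otherwise bite.

```python
import struct

# TLS record content types and handshake message types (RFC 5246)
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14


def tls_records(data):
    """Yield (content_type, payload) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:  # truncated record: stop rather than misparse
            break
        yield ctype, body
        off += 5 + length


def handshake_messages(records):
    """Reassemble handshake messages that may span several records; stop at
    ChangeCipherSpec because everything after it is encrypted."""
    buf = b""
    for ctype, payload in records:
        if ctype == CHANGE_CIPHER_SPEC:
            return
        if ctype != HANDSHAKE:
            continue
        buf += payload
        while len(buf) >= 4:
            htype, hlen = buf[0], int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + hlen:
                break  # rest of this message arrives in a later record
            yield htype, buf[4:4 + hlen]
            buf = buf[4 + hlen:]


def hello_session_id(body):
    """Session id from a ClientHello/ServerHello body: version(2) random(32) len(1) id."""
    sid_len = body[34]
    return body[35:35 + sid_len]


def classify_handshake(client_bytes, server_bytes):
    """Report whether the server resumed by session id and whether a Certificate
    message (the only place a subject can be read from) was actually on the wire."""
    client_sid = b""
    for htype, body in handshake_messages(tls_records(client_bytes)):
        if htype == CLIENT_HELLO:
            client_sid = hello_session_id(body)
    server_sid, certificate_seen = b"", False
    for htype, body in handshake_messages(tls_records(server_bytes)):
        if htype == SERVER_HELLO:
            server_sid = hello_session_id(body)
        elif htype == CERTIFICATE:
            certificate_seen = True
    resumed = bool(client_sid) and client_sid == server_sid
    return {"resumed": resumed, "certificate_seen": certificate_seen}


# --- constructed sample flows (not real captures) ---------------------------
def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _client_hello(session_id):
    # TLS 1.2, all-zero random, session id, one cipher suite, null compression
    return (b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")

def _server_hello(session_id):
    return (b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + b"\xc0\x2f" + b"\x00")

SID = bytes(range(32))                    # constructed session id
_cert = b"CONSTRUCTED-DER-PLACEHOLDER"    # stands in for a DER-encoded certificate
_cert_list = len(_cert).to_bytes(3, "big") + _cert
_cert_msg = _hs(CERTIFICATE, len(_cert_list).to_bytes(3, "big") + _cert_list)

# Full handshake: empty client session id, server issues SID and sends its
# certificate, deliberately split across two records to exercise reassembly.
FULL_CLIENT = _record(HANDSHAKE, _hs(CLIENT_HELLO, _client_hello(b"")))
FULL_SERVER = (_record(HANDSHAKE, _hs(SERVER_HELLO, _server_hello(SID)))
               + _record(HANDSHAKE, _cert_msg[:10])
               + _record(HANDSHAKE, _cert_msg[10:])
               + _record(HANDSHAKE, _hs(SERVER_HELLO_DONE, b""))
               + _record(CHANGE_CIPHER_SPEC, b"\x01"))

# Abbreviated handshake: client offers SID, server accepts it, no Certificate;
# the handshake record after ChangeCipherSpec is the encrypted Finished (opaque).
RESUMED_CLIENT = _record(HANDSHAKE, _hs(CLIENT_HELLO, _client_hello(SID)))
RESUMED_SERVER = (_record(HANDSHAKE, _hs(SERVER_HELLO, _server_hello(SID)))
                  + _record(CHANGE_CIPHER_SPEC, b"\x01")
                  + _record(HANDSHAKE, bytes(range(40, 56))))

if __name__ == "__main__":
    print("full:   ", classify_handshake(FULL_CLIENT, FULL_SERVER))
    print("resumed:", classify_handshake(RESUMED_CLIENT, RESUMED_SERVER))
```

Run against a real capture, the same check tells you which flows a subject-matching rule could ever fire on: a flow whose ServerHello echoes the ClientHello session id carries no Certificate, so a detector that does not cache subjects per session id has nothing to match there, which is exactly the intermittent behaviour described above.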


