[Oisf-users] Possibly bogus TLS rule?
James Moe
jimoe at sohnen-moe.com
Wed Dec 7 17:58:11 UTC 2016
Hello,
suricata 3.2.0
linux 4.4.27-2-default x86_64
The site is one of Verizon's many. While it is possible, it seems
unlikely that Verizon's admins would create a defective SSL certificate.
12/07/2016-10:36:36.269096 [**] [1:2230015:1] SURICATA TLS invalid
record version [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] {TCP} 97.44.64.107:3111 -> 192.168.69.246:993
$ host 97.44.64.107
107.64.44.97.in-addr.arpa domain name pointer 107.sub-97-44-64.myvzw.com.
Another common one that is flagged is Google:
12/07/2016-10:23:48.122525 [**] [1:2230015:1] SURICATA TLS invalid
record version [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] {TCP} 192.168.69.115:54550 -> 74.125.199.16:993
$ host 74.125.199.16
16.199.125.74.in-addr.arpa domain name pointer ph-in-f16.1e100.net.
From the alert log:
+================
TIME: 12/07/2016-10:23:48.122525
PKT SRC: wire/pcap
SRC IP: 74.125.199.16
DST IP: 192.168.69.115
PROTO: 6
SRC PORT: 993
DST PORT: 54550
TCP SEQ: 2490186892
TCP ACK: 1338436450
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 12/07/2016-10:08:43.922706
FLOW PKTS TODST: 24
FLOW PKTS TOSRC: 30
FLOW Total Bytes: 5547
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: TRUE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 4
FLOWVAR idx(211): 4
PACKET LEN: 73
PACKET:
0000 45 00 00 49 0C BF 40 00 40 06 16 47 4A 7D C7 10 E..I.. at . @..GJ}..
0010 C0 A8 45 73 03 E1 D5 16 94 6D 3C 8C 4F C6 EB 62 ..Es.... .m<.O..b
0020 50 14 01 54 26 8D 00 00 28 52 65 66 2E 49 64 3A P..T&... (Ref.Id:
0030 20 3F 73 75 66 4B 36 73 57 57 32 35 46 34 43 73 ?sufK6s WW25F4Cs
0040 37 43 45 57 34 4D 4D 3F 29 7CEW4MM? )
ALERT CNT: 2
ALERT MSG [00]: SURICATA TLS invalid record/traffic
ALERT GID [00]: 1
ALERT SID [00]: 2230010
ALERT REV [00]: 1
ALERT CLASS [00]: Generic Protocol Command Decode
ALERT PRIO [00]: 3
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]: 0
PAYLOAD LEN: 33
PAYLOAD:
0000 28 52 65 66 2E 49 64 3A 20 3F 73 75 66 4B 36 73 (Ref.Id: ?sufK6s
0010 57 57 32 35 46 34 43 73 37 43 45 57 34 4D 4D 3F WW25F4Cs 7CEW4MM?
0020 29 )
STREAM DATA LEN: 143
STREAM DATA:
0000 16 03 03 00 57 02 00 00 53 03 03 58 48 42 1C 80 ....W... S..XHB..
0010 59 BA 9F F8 00 22 0C C2 21 F1 1A F9 0E BA 41 E7 Y....".. !.....A.
0020 5B 34 72 BE DE EB 36 86 31 E9 82 20 E2 52 56 19 [4r...6. 1.. .RV.
0030 8E 16 EF 0B E3 6F 64 12 10 D2 12 37 51 B2 D4 B9 .....od. ...7Q...
0040 DC 81 53 24 18 CE 8F E6 6F 1D C6 D9 C0 2F 00 00 ..S$.... o..../..
0050 0B FF 01 00 01 00 00 0B 00 02 01 00 14 03 03 00 ........ ........
0060 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 92 ......(. ........
0070 98 BE 94 F2 16 79 81 6C 70 83 58 26 DA 67 5A BF .....y.l p.X&.gZ.
0080 74 43 1F A9 F4 B5 8C 7A 5A 27 72 6B DD 56 A4 tC.....z Z'rk.V.
STREAM DATA LEN: 97
STREAM DATA:
0000 17 03 03 00 5C 00 00 00 00 00 00 00 01 14 79 D1 ....\... ......y.
0010 18 63 DC 4E FF 32 4A 30 A9 C6 49 1C 10 F5 E3 89 .c.N.2J0 ..I.....
0020 9D 33 C8 C9 CC 9A CB 55 82 7A 49 A9 85 58 2D 3D .3.....U .zI..X-=
0030 E6 88 A3 5C 71 A1 A9 10 2A 8F CA BA 92 BD 31 2A ...\q... *.....1*
0040 17 EE E2 27 01 0D C1 BD 46 F9 11 49 B3 C1 5E 84 ...'.... F..I..^.
0050 F4 91 12 F0 6B 02 3C 3B C8 B0 8F 62 B1 F9 FA 32 ....k.<; ...b...2
0060 61 a
ALERT MSG [01]: SURICATA TLS invalid record version
ALERT GID [01]: 1
ALERT SID [01]: 2230015
ALERT REV [01]: 1
ALERT CLASS [01]: Generic Protocol Command Decode
ALERT PRIO [01]: 3
ALERT FOUND IN [01]: STATE
ALERT IN TX [01]: 0
PAYLOAD LEN: 33
PAYLOAD:
0000 28 52 65 66 2E 49 64 3A 20 3F 73 75 66 4B 36 73 (Ref.Id: ?sufK6s
0010 57 57 32 35 46 34 43 73 37 43 45 57 34 4D 4D 3F WW25F4Cs 7CEW4MM?
0020 29 )
STREAM DATA LEN: 143
STREAM DATA:
0000 16 03 03 00 57 02 00 00 53 03 03 58 48 42 1C 80 ....W... S..XHB..
0010 59 BA 9F F8 00 22 0C C2 21 F1 1A F9 0E BA 41 E7 Y....".. !.....A.
0020 5B 34 72 BE DE EB 36 86 31 E9 82 20 E2 52 56 19 [4r...6. 1.. .RV.
0030 8E 16 EF 0B E3 6F 64 12 10 D2 12 37 51 B2 D4 B9 .....od. ...7Q...
0040 DC 81 53 24 18 CE 8F E6 6F 1D C6 D9 C0 2F 00 00 ..S$.... o..../..
0050 0B FF 01 00 01 00 00 0B 00 02 01 00 14 03 03 00 ........ ........
0060 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 92 ......(. ........
0070 98 BE 94 F2 16 79 81 6C 70 83 58 26 DA 67 5A BF .....y.l p.X&.gZ.
0080 74 43 1F A9 F4 B5 8C 7A 5A 27 72 6B DD 56 A4 tC.....z Z'rk.V.
STREAM DATA LEN: 97
STREAM DATA:
0000 17 03 03 00 5C 00 00 00 00 00 00 00 01 14 79 D1 ....\... ......y.
0010 18 63 DC 4E FF 32 4A 30 A9 C6 49 1C 10 F5 E3 89 .c.N.2J0 ..I.....
0020 9D 33 C8 C9 CC 9A CB 55 82 7A 49 A9 85 58 2D 3D .3.....U .zI..X-=
0030 E6 88 A3 5C 71 A1 A9 10 2A 8F CA BA 92 BD 31 2A ...\q... *.....1*
0040 17 EE E2 27 01 0D C1 BD 46 F9 11 49 B3 C1 5E 84 ...'.... F..I..^.
0050 F4 91 12 F0 6B 02 3C 3B C8 B0 8F 62 B1 F9 FA 32 ....k.<; ...b...2
0060 61 a
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
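As an added example that is not part of the post (nor Suricata's own code), the following walks the TLS record headers in the 143-byte stream dump above and in the 33-byte payload of the packet that carried the alert: the stream parses as ServerHello, ChangeCipherSpec and Finished records all at version 0x0303, while the packet payload (the dump's TCP flags byte 0x14 marks that packet RST+ACK) begins with the ASCII text "(Ref", which read as a record header gives content type 0x28 and version 0x5265. The accepted-version set and the ServerHello field layout are assumptions taken from RFC 5246, not from the Suricata source.

```python
"""Added example (not code from the post or from Suricata): walk the TLS record
layer over bytes transcribed from the dumps above.  STREAM_1 is the 143-byte stream
dump, RST_PAYLOAD the 33-byte packet payload; the version set is an assumption."""
import struct
from datetime import datetime, timezone

VALID_VERSIONS = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}

STREAM_1 = bytes.fromhex(  # rows copied from the first STREAM DATA dump in the post
    "16 03 03 00 57 02 00 00 53 03 03 58 48 42 1C 80"
    "59 BA 9F F8 00 22 0C C2 21 F1 1A F9 0E BA 41 E7"
    "5B 34 72 BE DE EB 36 86 31 E9 82 20 E2 52 56 19"
    "8E 16 EF 0B E3 6F 64 12 10 D2 12 37 51 B2 D4 B9"
    "DC 81 53 24 18 CE 8F E6 6F 1D C6 D9 C0 2F 00 00"
    "0B FF 01 00 01 00 00 0B 00 02 01 00 14 03 03 00"
    "01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 92"
    "98 BE 94 F2 16 79 81 6C 70 83 58 26 DA 67 5A BF"
    "74 43 1F A9 F4 B5 8C 7A 5A 27 72 6B DD 56 A4")
RST_PAYLOAD = b"(Ref.Id: ?sufK6sWW25F4Cs7CEW4MM?)"  # plain ASCII from the PAYLOAD dump

def walk_records(data):
    """One dict per record header; stops at the first header that fails a sanity check."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            out.append({"offset": off, "ok": False, "type": "short header"})
            break
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        ok = ctype in CONTENT_TYPES and version in VALID_VERSIONS and off + 5 + length <= len(data)
        rec = {"offset": off, "length": length, "ok": ok,
               "type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
               "version": VALID_VERSIONS.get(version, "invalid(0x%04x)" % version)}
        out.append(rec)
        if not ok:
            break
        off += 5 + length
    return out

def server_hello_summary(body):
    """Decode the fixed-position fields of a ServerHello handshake body (RFC 5246):
    type, 24-bit length, version, gmt_unix_time from the random, chosen cipher suite."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    version, gmt_time = struct.unpack("!HI", body[4:10])
    sid_len = body[38]                                  # random is body[6:38]
    cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    return {"handshake_type": htype, "length": hlen, "cipher_suite": cipher,
            "version": VALID_VERSIONS.get(version),
            "random_time_utc": datetime.fromtimestamp(gmt_time, timezone.utc).isoformat()}
```

The 97-byte second stream dump (17 03 03 00 5C ...) passes walk_records the same way as a single application_data record, and the gmt_unix_time recovered from the ServerHello random lands within a second of the FLOW Start TS in the post (10:08:43 local, 17:08 UTC).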