[Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Carlos Lopez clopmz at outlook.com
Sun Jan 5 16:52:53 UTC 2020


I have found the problem: it is the rule:

alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold:type limit, track by_src, seconds 60, count 1; sid:2610003; rev:1;)

As you can see, the TLS ports are hard-coded … Is it possible to change it to a variable?

--
Regards,
C. L. Martinez

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Carlos Lopez <clopmz at outlook.com>
Date: Sunday, 5 January 2020 at 14:23
To: Konstantin Klinger <konstantinklinger at mailbox.org>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Uhmmm … strange. Ok, I will check it to see if I have made some mistake with my suricata's config.

Many thanks for your help Konstantin.

--
Regards,
C. L. Martinez

From: Konstantin Klinger <konstantinklinger at mailbox.org>
Date: Sunday, 5 January 2020 at 14:19
To: Carlos Lopez <clopmz at outlook.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Works for me as expected with Suricata 5.0. Suricata can parse TLS on that port as expected, and does so. EVE JSON output and alert generation are working.

suricata.yaml:

tls:
  enabled: yes
  detection-ports:
    dp: 443, 853

fast.log:

01/05/2020-13:47:29.304261 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.304418 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.304421 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.304422 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.311176 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.331169 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.331457 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.331842 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.351653 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.419592 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.419935 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.420171 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.439981 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.440178 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358

Rule:
alert tls any any -> any any (msg:"FOO TLS"; sid:1; rev:1;)

Example EVE JSON output entry:

{
  "timestamp": "2020-01-05T13:47:29.304422+0100",
  "flow_id": 84670362485565,
  "pcap_cnt": 8,
  "event_type": "tls",
  "src_ip": "172.22.54.6",
  "src_port": 16358,
  "dest_ip": "1.1.1.1",
  "dest_port": 853,
  "proto": "TCP",
  "tls": {
    "subject": "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com",
    "issuerdn": "C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA",
    "serial": "01:CC:E3:18:DE:9F:56:7F:AB:2B:24:90:1F:AD:A7:1D",
    "fingerprint": "66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f",
    "version": "TLS 1.2",
    "notbefore": "2019-01-28T00:00:00",
    "notafter": "2021-02-01T12:00:00",
    "ja3": {},
    "ja3s": {}
  }
}
On January 5, 2020 at 1:50 PM Carlos Lopez <clopmz at outlook.com> wrote:

Hi Konstantin,

Pcap attached. I am using the default config from a Suricata install from source … The only option I have changed is dp …

Many thanks for your help.

--
Regards,
C. L. Martinez

From: Konstantin Klinger <konstantinklinger at mailbox.org>
Date: Sunday, 5 January 2020 at 13:35
To: Carlos Lopez <clopmz at outlook.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Hi Carlos,

could you please share your suricata.yaml and additionally a sample pcap of your DNS over TLS traffic via port 853, if possible? If you would not like to share it publicly, but only with me, I've attached my PGP key.

Thanks,

Konstantin

On January 5, 2020 at 1:08 PM Carlos Lopez <clopmz at outlook.com> wrote:

Hi all,

I have a DNS cache server based on unbound redirecting all external queries to Cloudflare's DNS servers via DNS over TLS and, as I indicated in the subject, a lot of alerts are triggered as "SURICATA TLS on unusual port".

I have tried to inform our Suricata sensors via "app-layer,tls,dp" that port 853 is a valid TLS port, without luck … I have checked every TLS variable for Suricata without result.

Then how do I tell Suricata that port 853 is a valid TLS port?

--
Regards,
C. L. Martinez

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
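The change Carlos asks about at the top of the thread (replacing the hard-coded `![443,465,587]` in sid 2610003 with a variable) can be done with a port-group variable in suricata.yaml plus a local copy of the rule that references it. The fragment below is an added example, not configuration from the thread or from the Suricata project: the variable name `TLS_PORTS` and the file name `local.rules` are assumptions of mine, and the port list is the rule's original three ports plus 853 for DNS over TLS.

```yaml
# suricata.yaml fragment (added example; TLS_PORTS is an assumed variable name).
vars:
  port-groups:
    # The three ports hard-coded in sid 2610003, plus 853 for DNS over TLS.
    TLS_PORTS: "[443,465,587,853]"

app-layer:
  protocols:
    tls:
      enabled: yes
      # Konstantin's setting from the thread: let the TLS parser also start on 853.
      # This only controls where the parser looks for TLS; it does not change the
      # port list written inside the rule, which is why changing dp alone still alerts.
      detection-ports:
        dp: 443, 853
```

With the variable defined, the rule goes into `local.rules` as `alert tcp any any -> any !$TLS_PORTS (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold:type limit, track by_src, seconds 60, count 1; sid:2610003; rev:2;)`, with `rev` bumped because the rule text changed. Validate with `suricata -T -c suricata.yaml -S local.rules` before deploying; if the original rule is also loaded from a ruleset managed by suricata-update, disable that copy (for example in disable.conf), otherwise the unmodified rule is still in the loaded ruleset. Keep the allowlist tight: every port added to `TLS_PORTS` is a port on which TLS from any client to any server stops being reported, so 853 is justified by the unbound forwarder here, but a blanket list of "ports we have seen TLS on" defeats the purpose of the rule.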