[Oisf-users] Monitoring DNS over TLS: SURICATA TLS on unusual port

Duarte Silva duarte.silva at serializing.me
Sun Jan 5 19:39:10 UTC 2020


Hi,

If I remember correctly, in the suricata.yaml file, you should have a
section called "port-groups". There you can define your variable with the
ports you want, for example:

port-groups:
    TLS_PORTS: "[443,465,587,853]"
    NOT_TLS_PORTS: "!TLS_PORTS"
   (...)

Then in the rule change the port part from "![443,465,587]" to
"$NOT_TLS_PORTS".

Cheers,
Duarte
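As an added example (not part of the thread), here is a small Python resolver for Suricata-style port variables; it is a simplified re-implementation for illustration, not Suricata's own parser, and it accepts both the `!TLS_PORTS` form written above and the `!$TLS_PORTS` form the stock suricata.yaml uses for variable references (e.g. `EXTERNAL_NET: "!$HOME_NET"`). It shows that the hardcoded `![443,465,587]` covers port 853 (so the alert fires on DNS over TLS) while `$NOT_TLS_PORTS` with 853 in `TLS_PORTS` does not.

```python
"""Added example (not from the thread): a small resolver for Suricata-style
port variables, used to show why the stock rule fires on DNS-over-TLS port
853 and why a $NOT_TLS_PORTS variable that includes 853 stops it.
Simplified re-implementation for illustration, not Suricata's own parser;
PORT_GROUPS is a constructed dict mirroring the thread's suggestion.
"""

PORT_GROUPS = {
    "TLS_PORTS": "[443,465,587,853]",
    "NOT_TLS_PORTS": "!TLS_PORTS",  # stock suricata.yaml writes "!$TLS_PORTS"
}

ALL_PORTS = frozenset(range(0, 65536))


def resolve_ports(expr, groups, depth=0):
    """Expand a port expression into the set of ports it matches.

    Handles 'any', a single port, a range lo:hi, a flat comma list in
    [...], a leading '!' (complement) and a variable with or without '$'.
    """
    if depth > 16:  # guard against A -> B -> A variable loops
        raise ValueError("port variable recursion too deep: %s" % expr)
    expr = expr.strip()
    if expr.startswith("!"):
        return ALL_PORTS - resolve_ports(expr[1:], groups, depth + 1)
    if expr == "any":
        return set(ALL_PORTS)
    name = expr[1:] if expr.startswith("$") else expr
    if name in groups:
        return resolve_ports(groups[name], groups, depth + 1)
    if expr.startswith("[") and expr.endswith("]"):
        ports = set()
        for item in expr[1:-1].split(","):
            if item.strip():
                ports |= resolve_ports(item, groups, depth + 1)
        return ports
    if ":" in expr:  # range; either bound may be empty
        lo, hi = expr.split(":", 1)
        return set(range(int(lo or 0), int(hi or 65535) + 1))
    port = int(expr)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {port}


def rule_port_matches(port_expr, port, groups=PORT_GROUPS):
    """True if a rule with port_expr in its port field covers `port`."""
    return port in resolve_ports(port_expr, groups)
```

Calling `rule_port_matches("![443,465,587]", 853)` returns True and `rule_port_matches("$NOT_TLS_PORTS", 853)` returns False, which is the difference between the two rules discussed above.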

Carlos Lopez <clopmz at outlook.com> wrote on Sunday, 5/01/2020 at
17:53:

> I have found the problem: it is the rule:
>
>
>
> alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold:type limit, track by_src, seconds 60, count 1; sid:2610003; rev:1;)
>
>
>
> As you can see, TLS ports are hardcoded … Is it possible to change it to a
> variable?
>
>
>
> --
>
> Regards,
>
> C. L. Martinez
>
>
>
> *From: *Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org>
> on behalf of Carlos Lopez <clopmz at outlook.com>
> *Date: *Sunday, 5 January 2020 at 14:23
> *To: *Konstantin Klinger <konstantinklinger at mailbox.org>, "
> oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> *Subject: *Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on
> unusual port
>
>
>
> Uhmmm … strange. Ok, I will check it to see if I have made some mistake
> with my suricata’s config.
>
>
>
> Many thanks for your help Konstantin.
>
>
>
> --
>
> Regards,
>
> C. L. Martinez
>
>
>
> *From: *Konstantin Klinger <konstantinklinger at mailbox.org>
> *Date: *Sunday, 5 January 2020 at 14:19
> *To: *Carlos Lopez <clopmz at outlook.com>, "
> oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> *Subject: *Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on
> unusual port
>
>
>
> Works for me as expected with Suricata 5.0. Suricata can parse TLS on that
> port as expected and parses it also. Eve json output and alert generation
> are working.
>
>
>
> suricata.yaml:
>
>
>
> tls:
>   enabled: yes
>   detection-ports:
>     dp: 443, 853
>
>
>
> fast.log:
>
>
>
> 01/05/2020-13:47:29.304261 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.304418 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.304421 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.304422 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.311176 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.331169 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.331457 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.331842 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.351653 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.419592 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.419935 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.420171 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.439981 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.440178 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
> 01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.54.6:16358 -> 1.1.1.1:853
> 01/05/2020-13:47:29.440363 [**] [1:1:1] FOO TLS [**] [Classification: (null)] [Priority: 3] {TCP} 1.1.1.1:853 -> 172.22.54.6:16358
>
>
>
> Rule:
>
> alert tls any any -> any any (msg:"FOO TLS"; sid:1; rev:1;)
>
>
>
> Example eve json output entry:
>
>
>
> {
>   "timestamp": "2020-01-05T13:47:29.304422+0100",
>   "flow_id": 84670362485565,
>   "pcap_cnt": 8,
>   "event_type": "tls",
>   "src_ip": "172.22.54.6",
>   "src_port": 16358,
>   "dest_ip": "1.1.1.1",
>   "dest_port": 853,
>   "proto": "TCP",
>   "tls": {
>     "subject": "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com",
>     "issuerdn": "C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA",
>     "serial": "01:CC:E3:18:DE:9F:56:7F:AB:2B:24:90:1F:AD:A7:1D",
>     "fingerprint": "66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f",
>     "version": "TLS 1.2",
>     "notbefore": "2019-01-28T00:00:00",
>     "notafter": "2021-02-01T12:00:00",
>     "ja3": {},
>     "ja3s": {}
>   }
> }
>
> On January 5, 2020 at 1:50 PM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi Konstantin,
>
>
>
> Pcap attached. I am using default config from Suricata install from source
> … The only option I have changed is dp …
>
>
>
> Many thanks for your help.
>
>
>
> --
>
> Regards,
>
> C. L. Martinez
>
>
>
> *From: *Konstantin Klinger <konstantinklinger at mailbox.org>
> *Date: *Sunday, 5 January 2020 at 13:35
> *To: *Carlos Lopez <clopmz at outlook.com>, "
> oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> *Subject: *Re: [Oisf-users] Monitoring DNS over TLS: SURICATA TLS on
> unusual port
>
>
>
> Hi Carlos,
>
>
>
> Could you please share your suricata.yaml and, additionally, a sample pcap of
> your DNS over TLS traffic via port 853 if possible? If you would not like to
> share it publicly, but with me, I've attached my PGP key.
>
>
>
> Thanks,
>
>
>
> Konstantin
>
> On January 5, 2020 at 1:08 PM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi all,
>
>
>
> I have a DNS cache server based on unbound redirecting all external
> queries to CloudFlare’s DNS servers via DNS over TLS and, as I indicated in
> the subject, a lot of alerts are triggered as “SURICATA TLS on unusual
> port”.
>
>
>
> I have tried to inform our Suricata sensors via “app-layer,tls,dp” that port
> 853 is a valid TLS port, without luck … I have checked every TLS variable for
> Suricata without result.
>
>
>
> Then how do I inform Suricata that port 853 is a valid TLS port?
>
>
>
>
>
> --
>
> Regards,
>
> C. L. Martinez
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/