add test for extra tls alert #2080

7 changes: 7 additions & 0 deletions tests/tls-extra-alert-engine-analysis/README.md
@@ -0,0 +1,7 @@
# Test Description

engine analysis complementary test for tls-extra-alert.

## Related issues

None so far. State: Trying to establish what's the issue.
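Review bot: the description line "engine analysis complementary test for tls-extra-alert." does not say what the engine analysis is meant to establish; the accompanying test.yaml pins the rules.json record of all five rules, and the one that matters for the extra alert is sid 9901033, which engine analysis classifies as a pure packet rule (type pkt, requirements flow only, flag need_flowvar). Spelling that out here (and capitalising "Engine analysis") tells a future reader why this test exists next to tests/tls-extra-alert.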
5 changes: 5 additions & 0 deletions tests/tls-extra-alert-engine-analysis/test.rules
@@ -0,0 +1,5 @@
alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
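Review bot: the msg on sids 09901031 and 09901032 says "TLS 1.2 Fatal Alert", but the matched bytes |15 03 01 00 02 02| carry record-layer version 03 01, which is TLS 1.0 on the wire; a fatal alert sent after a TLS 1.2 version has been negotiated is usually written with 03 03 and would not match. Either widen the match (e.g. content:"|15 03|"; startswith; plus a second content or byte_test on the level byte) or rename the msg to say what is actually matched. Also, the sids are written with a leading zero (09901001) while test.yaml matches id: 9901001; drop the zero so the two files agree on sight. This file is byte for byte identical to tests/tls-extra-alert/test.rules; a one-line comment pointing at the other copy would keep them from drifting apart.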
226 changes: 226 additions & 0 deletions tests/tls-extra-alert-engine-analysis/test.yaml
@@ -0,0 +1,226 @@
args:
- --simulate-ips
- --engine-analysis

pcap: false

checks:
- filter:
filename: rules.json
count: 1
match:
flags:
- src_any
- dst_any
- sp_any
- noalert
- need_packet
- toserver
id: 9901001
lists:
packet:
matches:
- name: tcp.flags
postmatch:
matches:
- flowbits:
cmd: set
names:
- tls_tracker
name: flowbits
pkt_engines:
- is_mpm: false
name: packet
requirements:
- tcp_flags_init_deinit
- real_pkt
type: pkt

- filter:
filename: rules.json
count: 1
match:
flags:
- src_any
- dst_any
- sp_any
- need_packet
- need_stream
- need_flowvar
- toserver
- toclient
- prefilter
id: 9901031
lists:
packet:
matches:
- flowbits:
cmd: isset
names:
- tls_tracker
name: flowbits
payload:
matches:
- content:
depth: 6
ends_with: false
fast_pattern: false
is_mpm: true
length: 6
negated: false
no_double_inspect: false
nocase: false
pattern: '|15 03 01 00 02 02|'
relative_next: false
starts_with: true
name: content
postmatch:
matches:
- flowbits:
cmd: set
names:
- tls_error
name: flowbits
mpm:
buffer: payload
depth: 6
ends_with: false
fast_pattern: false
is_mpm: true
length: 6
negated: false
no_double_inspect: false
nocase: false
pattern: '|15 03 01 00 02 02|'
relative_next: false
starts_with: true
pkt_engines:
- is_mpm: true
name: payload
- is_mpm: false
name: packet
requirements:
- payload
- flow
type: pkt_stream

- filter:
filename: rules.json
count: 1
match:
flags:
- src_any
- dst_any
- dp_any
- need_packet
- need_stream
- need_flowvar
- toserver
- toclient
- prefilter
id: 9901032
lists:
packet:
matches:
- flowbits:
cmd: isset
names:
- tls_tracker
name: flowbits
payload:
matches:
- content:
depth: 6
ends_with: false
fast_pattern: false
is_mpm: true
length: 6
negated: false
no_double_inspect: false
nocase: false
pattern: '|15 03 01 00 02 02|'
relative_next: false
starts_with: true
name: content
postmatch:
matches:
- flowbits:
cmd: set
names:
- tls_error
name: flowbits
mpm:
buffer: payload
depth: 6
ends_with: false
fast_pattern: false
is_mpm: true
length: 6
negated: false
no_double_inspect: false
nocase: false
pattern: '|15 03 01 00 02 02|'
relative_next: false
starts_with: true
pkt_engines:
- is_mpm: true
name: payload
- is_mpm: false
name: packet
requirements:
- payload
- flow
type: pkt_stream

# Following is the signature of interest
- filter:
filename: rules.json
count: 1
match:
flags:
- src_any
- dst_any
- sp_any
- need_flowvar
- toserver
id: 9901033
lists:
packet:
matches:
- flowbits:
cmd: isset
names:
- tls_error
name: flowbits
pkt_engines:
- is_mpm: false
name: packet
requirements:
- flow
type: pkt

- filter:
filename: rules.json
count: 1
match:
flags:
- src_any
- dst_any
- dp_any
- need_flowvar
- toclient
id: 9901034
lists:
packet:
matches:
- flowbits:
cmd: isset
names:
- tls_error
name: flowbits
pkt_engines:
- is_mpm: false
name: packet
requirements:
- flow
type: pkt
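Review bot: the comment "# Following is the signature of interest" above the 9901033 filter should say why it is of interest: the check pins it as type: pkt with requirements: flow only and flag need_flowvar, i.e. a pure packet rule that depends on nothing but a flowbit, which is exactly the class of rule the pseudo-packet alert in tests/tls-extra-alert hinges on. Separately, each filter reproduces the complete rules.json record (every flag, the full mpm block, pkt_engines), so the test will break on any unrelated change to the engine-analysis output format; matching only the fields that carry the point here (id, type, requirements and the need_flowvar/toserver/toclient flags) would keep it robust.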
12 changes: 12 additions & 0 deletions tests/tls-extra-alert/README.md
@@ -0,0 +1,12 @@
# Test Description

This test shows that Suricata generates an additional alert for TLS
for the given PCAP which shouldn't be there.
Collaborator

For which rule?

Member Author

For 9901033 as per test.yaml: alert.signature_id: 9901033

Collaborator

At which packet does it happen? The pseudo flush?

Collaborator

Or packets 8 and 9?

Member Author

> At which packet does it happen? The pseudo flush?

The extra alert happens at pseudo flush. Yes. The test filter that indicates that in test.yaml is:

```yaml
- filter:
    count: 0
    match:
      event_type: alert
      not-has-key: pcap_cnt
```

Note that the event generated with the pseudo pkt misses the pcap_cnt key and also has pkt_src: stream (flow timeout) (so subtest 1 in the test also helps making sure of that)

Member

My thoughts are that it should not fire as-is. It's somewhat nonsensical; at least it's being logged relative to a packet (start of flow) where it should not be. It's only because of information found in the future, and ends up in the pseudo-packet, that we end up alerting. Or at least it's confusing.

As we're only pushing this pseudo-packet through to wrap up transactions, my thought was to skip detection on non-transaction data, in particular packet rules per the discussion here: OISF/suricata#11862. But maybe this is expected behavior and there is no issue. I think we're still discussing the behavior and if this is correct or not.

Collaborator

> at least it's being logged relative to a packet (start of flow)

How so with pkt_src: stream (flow timeout)?

> information found in the future

Do we time travel?

> As we're only pushing this pseudo-packet through to wrap up transactions,

Beware, there are timeout pseudo packets, but other ones too, like the HTTP1->HTTP2 upgrade...
IIRC, there was one ticket where we needed the pseudo packet to match on the content of the last SSH packet before going encrypted, cf. https://redmine.openinfosecfoundation.org/issues/6578 (and one similar for frames)

Member

@jasonish jasonish Oct 8, 2024

> Do we time travel?

Apparently we do :)

In the log we have an alert at 2024-09-09T12:15:56.542526-0600, followed by an alert from 2024-09-09T12:15:55.863332-0600.

That second timestamp matches the first packet in the pcap, however it hits on the rule:

```
alert tcp any any -> $EXTERNAL_NET 443 (flow: to_server; flowbits:isset, tls_error; \
    sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
```

and is logged with flowbits, even detected as tls, however we don't know any of that at 2024-09-09T12:15:55.863332-0600, unless we time travel to the future :)

Kidding aside, that's why this alert looks so out of place.

Member

> How so with pkt_src: stream (flow timeout)?

Flow timeout also seems odd, as it didn't time out. It's cleanly closed.

Collaborator

So, there is a bug in the timestamp of timeout packets, right?

> Flow timeout also seems odd, as it didn't time out. It's cleanly closed.

I think we just time out cleanly closed flows after some time, checking there is no session reuse...
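As an added example, not part of this PR or of suricata-verify: a small Python audit that decodes the alert record the `|15 03 01 00 02 02|` content matches on, and scans constructed eve.json lines for alerts raised without `pcap_cnt` whose timestamp precedes an alert already logged on the same flow, which is the symptom described in the thread. The `flow_id` and `pcap_cnt` values in the sample are assumptions.

```python
import json
from datetime import datetime

# Constructed eve.json alert lines modelled on the thread (timestamps and
# sids as quoted there; flow_id and pcap_cnt values are made up).
SAMPLE_EVE = """\
{"timestamp":"2024-09-09T12:15:56.542526-0600","flow_id":1,"event_type":"alert","pcap_cnt":8,"pkt_src":"wire/pcap","alert":{"signature_id":9901033}}
{"timestamp":"2024-09-09T12:15:56.542526-0600","flow_id":1,"event_type":"alert","pcap_cnt":9,"pkt_src":"wire/pcap","alert":{"signature_id":9901034}}
{"timestamp":"2024-09-09T12:15:55.863332-0600","flow_id":1,"event_type":"alert","pkt_src":"stream (flow timeout)","alert":{"signature_id":9901033}}
"""

TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}


def parse_tls_alert_record(data: bytes) -> dict:
    """Decode the record header and level of a TLS alert record.
    The version is the record-layer version, which need not equal the
    negotiated one: 03 01 is TLS 1.0 on the wire, whatever the msg says."""
    if len(data) < 7 or data[0] != 0x15:
        raise ValueError("not a complete TLS alert record")
    major, minor = data[1], data[2]
    version = f"TLS 1.{minor - 1}" if major == 3 and minor >= 1 else f"{major}.{minor}"
    return {
        "record_version": version,
        "length": int.from_bytes(data[3:5], "big"),
        "level": TLS_ALERT_LEVELS.get(data[5], "unknown"),
        "description": data[6],
    }


def find_pseudo_packet_alerts(eve_text: str) -> list:
    """Return alerts not raised on a captured packet (no pcap_cnt) and flag
    those logged with a timestamp earlier than an alert already emitted on
    the same flow, the ordering anomaly discussed in the thread."""
    latest_by_flow = {}
    findings = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        fid = ev.get("flow_id")
        out_of_order = fid in latest_by_flow and ts < latest_by_flow[fid]
        if "pcap_cnt" not in ev:
            findings.append({"sid": ev["alert"]["signature_id"],
                             "pkt_src": ev.get("pkt_src"),
                             "out_of_order": out_of_order})
        latest_by_flow[fid] = max(ts, latest_by_flow.get(fid, ts))
    return findings
```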


## PCAP

Internal.

## Related issues

None so far. State: Trying to establish what's the issue.
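Review bot: "an additional alert for TLS ... which shouldn't be there" states a conclusion the review thread shows is still open; record the observed behaviour instead: sid 9901033 alerts again on the flow-timeout pseudo packet (pkt_src: stream (flow timeout), no pcap_cnt key), logged with the timestamp of the flow's first packet even though the flow was cleanly closed, and link the discussion in OISF/suricata#11862 under "## Related issues". Under "## PCAP", "Internal." should at least describe the traffic (a TLS session to port 443 that ends with a fatal alert record and a clean close) so the test can be understood without access to the capture.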
Binary file added tests/tls-extra-alert/input.pcap
5 changes: 5 additions & 0 deletions tests/tls-extra-alert/test.rules
@@ -0,0 +1,5 @@
alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
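Review bot: the rule quoted in the thread for sid 09901033 has $EXTERNAL_NET 443 as destination, whereas the committed line uses any 443; that suggests the log under discussion came from a different version of this rule file, so it is worth confirming that the pseudo-packet alert reproduces with exactly the rules committed here. The "TLS 1.2" msg versus the 03 01 record-layer bytes and the leading-zero sids noted on the engine-analysis copy apply to this file as well, since the two are identical.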
16 changes: 16 additions & 0 deletions tests/tls-extra-alert/test.yaml
@@ -0,0 +1,16 @@
args:
- -k none
- --simulate-ips

checks:
- filter:
count: 2
match:
event_type: alert
alert.signature_id: 9901033
pkt_src: wire/pcap
- filter:
count: 0
match:
event_type: alert
not-has-key: pcap_cnt
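Review bot: the second filter (count: 0 with not-has-key: pcap_cnt) is not tied to the signature of interest: any alert logged without pcap_cnt, from any of the five rules, fails it. Add alert.signature_id: 9901033 and, per the thread, pkt_src: stream (flow timeout) to its match so the test documents exactly the observation. Also, the first filter expects count: 2 for 9901033 on pkt_src: wire/pcap while the README only speaks of "an additional alert"; the README should say that two alerts on wire packets are expected and the one without pcap_cnt is the disputed extra.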