Alpn/v4 #11325

victorjulien · 2024-06-18T20:57:14Z

SV_BRANCH=OISF/suricata-verify#1924

#11204, rebased, formatting fixed and minimal docs added.

https://redmine.openinfosecfoundation.org/issues/7055

  "tls": {
    "sni": "cloudflare-quic.com",
    "version": "TLS 1.3",
    "client_alpns": [
      "h2",
      "http/1.1"
    ]
  }

Replaces #11198, adding tls.alpn keyword.

Example alert for rule

alert tls any any -> any any \
    (tls.subjectaltname; content:"p142-contacts.icloud.com"; tls.alpn; content:"http/1.1"; \
    sid:2;)

gives

{
  "timestamp": "2024-06-01T05:55:05.347344+0000",
  "flow_id": 373542629722761,
  "pcap_cnt": 15,
  "event_type": "alert",
  "src_ip": "17.248.236.64",
  "src_port": 443,
  "dest_ip": "10.84.1.49",
  "dest_port": 55349,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2,
    "rev": 0,
    "signature": "",
    "category": "",
    "severity": 3
  },
  "tls": {
    "subject": "C=US, ST=California, O=Apple Inc., CN=p127-contacts.icloud.com",
    "issuerdn": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US",
    "subjectaltname": [
      "p127-contacts.icloud.com",
      "p128-contacts.icloud.com",
      "p129-contacts.icloud.com",
      "p130-contacts.icloud.com",
      "p131-contacts.icloud.com",
      "p132-contacts.icloud.com",
      "p133-contacts.icloud.com",
      "p134-contacts.icloud.com",
      "p135-contacts.icloud.com",
      "p136-contacts.icloud.com",
      "p137-contacts.icloud.com",
      "p138-contacts.icloud.com",
      "p139-contacts.icloud.com",
      "p140-contacts.icloud.com",
      "p141-contacts.icloud.com",
      "p142-contacts.icloud.com"
    ],
    "serial": "4A:96:B3:D3:5F:90:E4:49:E4:D7:ED:85:D4:9E:09:43",
    "fingerprint": "30:83:82:c5:9d:c2:3b:b4:a9:a6:1a:f2:29:3d:ea:2d:84:1a:19:2e",
    "sni": "p130-contacts.icloud.com",
    "version": "TLS 1.2",
    "notbefore": "2023-10-23T11:42:34",
    "notafter": "2024-11-21T11:42:33",
    "client_alpns": [
      "h2",
      "http/1.1"
    ],
    "server_alpns": [
      "http/1.1"
    ]
  },
  "app_proto": "tls",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 8,
    "pkts_toclient": 7,
    "bytes_toserver": 1038,
    "bytes_toclient": 5400,
    "start": "2024-06-01T05:55:05.283580+0000",
    "src_ip": "10.84.1.49",
    "dest_ip": "17.248.236.64",
    "src_port": 55349,
    "dest_port": 443
  }
}

For later logging and detection.

Part of the extended logging. Logs `client_alpns` and `server_alpns` arrays in the tls object. Ticket: OISF#7055.

Ticket: OISF#7108.

codecov · 2024-06-18T21:32:21Z

Codecov Report

Attention: Patch coverage is 92.04545% with 7 lines in your changes missing coverage. Please review.

Project coverage is 82.46%. Comparing base (49ecf37) to head (fde64ce).
Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11325      +/-   ##
==========================================
- Coverage   82.47%   82.46%   -0.01%     
==========================================
  Files         934      935       +1     
  Lines      252270   252311      +41     
==========================================
+ Hits       208055   208080      +25     
- Misses      44215    44231      +16

Flag	Coverage Δ
fuzzcorpus	`60.26% <61.36%> (-0.01%)`	⬇️
livemode	`18.77% <15.90%> (+0.01%)`	⬆️
pcap	`43.73% <60.22%> (-0.04%)`	⬇️
suricata-verify	`61.29% <90.90%> (-0.02%)`	⬇️
unittests	`59.91% <48.86%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

suricata-qa · 2024-06-19T02:30:03Z

Information: QA ran without warnings.

Pipeline 21130

jasonish · 2024-06-19T07:31:03Z

doc/userguide/rules/tls-keywords.rst

+  alert tls any any -> any any (msg:"TLS ALPN test"; \
+    tls.alpn; content:"http/1.1"; sid:1;)


So this would match on client or server? But could be limited with flow:<direction>?

From detect-tls-alpn.c it looks like that indeed

yes, this is like other tls keywords

victorjulien · 2024-06-20T10:17:20Z

Merged in #11331, thanks!

victorjulien added 5 commits June 18, 2024 22:07

eve/schema: minor enip reformat

bf3a437

tls: store all ALPN records in the state

985c4a5

For later logging and detection.

eve/tls: log ALPN for client and server

d5aaca9

Part of the extended logging. Logs `client_alpns` and `server_alpns` arrays in the tls object. Ticket: OISF#7055.

eve/schema: update for alpn

481d59c

detect: add tls.alpn keyword

fde64ce

Ticket: OISF#7108.

victorjulien requested review from jufajardini and a team as code owners June 18, 2024 20:57

victorjulien mentioned this pull request Jun 18, 2024

Alpn log/v3 #11204

Closed

jasonish reviewed Jun 19, 2024

View reviewed changes

jasonish approved these changes Jun 19, 2024

View reviewed changes

victorjulien added this to the 8.0 milestone Jun 19, 2024

victorjulien mentioned this pull request Jun 20, 2024

next/489/20240620/v1 #11331

Merged

victorjulien closed this Jun 20, 2024

victorjulien deleted the alpn-log/v4 branch June 23, 2024 05:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Alpn/v4 #11325

Alpn/v4 #11325

victorjulien commented Jun 18, 2024

codecov bot commented Jun 18, 2024 •

edited

Loading

suricata-qa commented Jun 19, 2024

jasonish Jun 19, 2024

catenacyber Jun 19, 2024

victorjulien Jun 19, 2024

victorjulien commented Jun 20, 2024

		alert tls any any -> any any (msg:"TLS ALPN test"; \
		tls.alpn; content:"http/1.1"; sid:1;)

Alpn/v4 #11325

Alpn/v4 #11325

Conversation

victorjulien commented Jun 18, 2024

codecov bot commented Jun 18, 2024 • edited Loading

Codecov Report

suricata-qa commented Jun 19, 2024

jasonish Jun 19, 2024

Choose a reason for hiding this comment

catenacyber Jun 19, 2024

Choose a reason for hiding this comment

victorjulien Jun 19, 2024

Choose a reason for hiding this comment

victorjulien commented Jun 20, 2024

codecov bot commented Jun 18, 2024 •

edited

Loading