Detecting https-tunneled ssh traffic

Coziac · August 13, 2020, 11:51am

Hello Suricata community,

I am trying to write a rule that detects ssh traffic that is tunneled in https traffic with the program stunnel. I’ve found out that the datalength that is send from the ssh-client to the ssh-server is always the same in every transmitted https-packet, so I will count the occurrences of https packets within a certain time-window having the certain datalength using the dsize attribute.

My problem is that Suricata does not recognize this tls traffic at all. For testing purposes I’ve written the generic rule:

alert tls any any -> any any (“msg: tls traffic detected”; sid:10000011;)

Connections to public https-capable websites are being detected. But the tunneled ssh traffic is not recognized. I’ve checked the wireshark output of the ssh-server and the ssh communication is indeed tunneled in https-packets but no alerts are raised. Does anybody know why this rule fails in my situation? I use suricata in pfsense.

Thank you!

Coziac · August 13, 2020, 12:35pm

Now it works. I don’t know what was the issue. But now I have the problem that the dsize attribute does not match the packets. I tried to use length value that wireshark shows me.

Andreas_Herz · August 20, 2020, 9:53pm

Do you have a pcap for that?
You could try to run it on a dedicated system with -r to exclude any issue with the pfsense configuration.

shyang · August 5, 2021, 4:07am

I have the same issue of ‘dsize’.

ssh dsize issue

from suricata guide,

Don’t Cross The Streams

Topic		Replies	Views
Rules for SSH under root Rules rules , suricata	2	212	April 11, 2024
Testing ssh related rules Rules rules	1	82	April 4, 2024
Bypassing encrypted traffic does not seem to work Help	8	1545	December 10, 2021
Outbound: Port Scanning & Brute Force detection Help	5	3536	March 22, 2022
Reverse Shell detection Rules	20	4054	August 27, 2021

Detecting https-tunneled ssh traffic

Related Topics