No alerts are raised for TLS client certificate expiry with suricata 7.0.8

Hi,

Test scenario of the issue occurrence: the Suricata alert for client certificate expiry is not working when I send an expired client certificate using openssl.

For the two scenarios below there are no alerts in /var/log/suricata/fast.log:

alert tls any any -> any any (msg:"SURICATA TLS certificate invalid validity"; flow:established; app-layer-event:tls.certificate_invalid_validity; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230030; rev:1;)

alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)

Expected: an alert message in /var/log/suricata/fast.log.

But I can only see the event in eve.json; there is no alert message saying the client certificate is expired in /var/log/suricata/fast.log.

On server:
verify error:num=10:certificate has expired

notAfter=Feb 17 10:53:34 2023 GMT

SSL3 alert write:fatal:certificate expired

SSL_accept:error in error

009EB06F717F0000:error:0A000086:SSL routines:tls_process_client_certificate:certificate verify failed:ssl/statem/statem_srvr.c:3738:

On client:
verify return:1

SSL_connect:SSLv3/TLS read server certificate

SSL_connect:SSLv3/TLS read server key exchange

SSL_connect:SSLv3/TLS read server certificate request

SSL_connect:SSLv3/TLS read server done

SSL_connect:SSLv3/TLS write client certificate

SSL_connect:SSLv3/TLS write client key exchange

SSL_connect:SSLv3/TLS write certificate verify

SSL_connect:SSLv3/TLS write change cipher spec

SSL_connect:SSLv3/TLS write finished

SSL3 alert read:fatal:certificate expired

SSL_connect:error in error

80EB4D8D7B7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1600:SSL alert number 45

{
  "timestamp": "2025-02-17T23:27:49.983649-0500",
  "flow_id": 1664147589768513,
  "in_iface": "eth0",
  "event_type": "tls",
  "src_ip": "",
  "src_port": 38172,
  "dest_ip": "",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {
    "serial": "2F:72:EA:4E:5A:F8:70:BF:21:B7:E6:35:8F:D5:BE:9D:B6:8F:B0:D2",
    "fingerprint": "3b:28:44:a4:64:97:29:84:df:0a:b8:ed:b9:d0:34:ac:f7:34:59:bb",
    "version": "TLS 1.2",
    "notbefore": "2025-02-17T07:04:24",
    "notafter": "2026-02-17T07:04:24",
    "client": {
      "fingerprint": "fe:07:f8:85:44:6c:02:7d:74:38:5d:f1:a8:bd:80:07:c8:6b:80:6a",
      "serial": "2F:72:EA:4E:5A:F8:70:BF:21:B7:E6:35:8F:D5:BE:9D:B6:8F:B0:D4",
      "notbefore": "2022-02-17T10:53:34",
      "notafter": "2023-02-17T10:53:34"
    }
  }
}

Did you try the keyword tls_cert_expired? (8.16. SSL/TLS Keywords — Suricata 8.0.0-dev documentation)
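As an added example (not from either post, and not Suricata's own code): while the in-engine route is a rule keyword such as the one suggested in the reply, the eve.json record above already contains everything needed to decide that the client certificate was expired when the handshake was seen. The script below re-derives that verdict from eve.json so a defender can cross-check what fast.log should have reported. The sample lines are constructed from the event in the post; the IP addresses were redacted there, so RFC 5737 documentation addresses stand in for them.

```python
"""Post-hoc check of Suricata eve.json TLS events for certificates that had
already expired when the handshake was observed.

Added example, not Suricata code. It works from the fields eve.json logs:
the event timestamp (with UTC offset) and tls.notafter / tls.client.notafter.
"""
import json
from datetime import datetime, timezone

# Constructed eve.json sample modelled on the event in the post. IP addresses
# were redacted in the post; RFC 5737 documentation addresses are used here.
SAMPLE_EVE = r'''
{"timestamp":"2025-02-17T23:27:49.983649-0500","flow_id":1664147589768513,"in_iface":"eth0","event_type":"tls","src_ip":"192.0.2.10","src_port":38172,"dest_ip":"192.0.2.20","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","notbefore":"2025-02-17T07:04:24","notafter":"2026-02-17T07:04:24","client":{"notbefore":"2022-02-17T10:53:34","notafter":"2023-02-17T10:53:34"}}}
{"timestamp":"2025-02-17T23:30:00.000000-0500","flow_id":1001,"in_iface":"eth0","event_type":"tls","src_ip":"192.0.2.11","src_port":40000,"dest_ip":"192.0.2.20","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","notbefore":"2025-02-17T07:04:24","notafter":"2026-02-17T07:04:24"}}
{"timestamp":"2025-02-17T23:31:00.000000-0500","flow_id":1002,"in_iface":"eth0","event_type":"flow","src_ip":"192.0.2.11","src_port":40001,"dest_ip":"192.0.2.20","dest_port":443,"proto":"TCP"}
'''


def parse_event_time(ts: str) -> datetime:
    """Suricata event timestamps carry a numeric UTC offset, e.g. -0500."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_cert_time(ts: str) -> datetime:
    """tls.notbefore/notafter are logged without an offset; X.509 validity is UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expired_certs(event: dict) -> list:
    """Return (side, notafter) for each certificate in a tls event whose
    notafter lies before the moment the handshake was observed.

    'server' is the top-level tls object, 'client' is tls.client (logged by
    Suricata 7 when the client presents a certificate)."""
    if event.get("event_type") != "tls":
        return []
    tls = event.get("tls", {})
    observed = parse_event_time(event["timestamp"])
    findings = []
    for side, cert in (("server", tls), ("client", tls.get("client", {}))):
        notafter = cert.get("notafter")
        if notafter and parse_cert_time(notafter) < observed:
            findings.append((side, notafter))
    return findings


def scan_eve(lines) -> list:
    """Scan eve.json lines; return one finding dict per expired certificate."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # torn or partial line: skip it rather than abort the scan
        for side, notafter in expired_certs(event):
            findings.append({
                "flow_id": event.get("flow_id"),
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "side": side,
                "notafter": notafter,
                "observed": event["timestamp"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_eve(SAMPLE_EVE.splitlines()):
        print(f"flow {f['flow_id']} {f['src_ip']}->{f['dest_ip']}: "
              f"{f['side']} certificate expired {f['notafter']}Z, "
              f"handshake seen {f['observed']}")
```

Run against the constructed sample, only the first event is flagged, and only its client side: the server certificate (notafter 2026) was still valid, the client certificate (notafter 2023) was two years past expiry, which matches the OpenSSL `certificate has expired` output in the post. Pointing `scan_eve` at a real eve.json (`open(path)` yields the lines) gives the same check over live data, and the timestamp handling matters: the event time is local with an offset while the validity dates are UTC, so both are normalised to aware datetimes before comparing.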