Suricata 5.0.1 and TLS 1.3 issue

Amin_Saba · September 19, 2020, 1:12pm

Hello,

I have this rule in Suricata to block a certain HTTPS website:

reject tcp any any → any any (msg:“Blocked TLS certificate for: chrome.google.com”; tls.cert_serial; content:" 31:79:87:25:0F:C0:BE:E8:08:00:00:00:00:56:05:ED"; sid:4294967271; gid:1 ;rev:1;)

The following command does result in an alert and gets blocked:

openssl s_client -connect chrome.google.com:443 -tls1_2

but not this one:

openssl s_client -connect chrome.google.com:443 -tls1_3

CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1

Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign

Server certificate
-----BEGIN CERTIFICATE-----
MIIJcDCCCFigAwIBAgIQMXmHJQ/AvugIAAAAAFYF7TANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTIwMDgyNjA4MDg0OVoXDTIwMTExODA4MDg0
OVowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAMMDCou
Z29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI4U6fi7rh/EZFO3
1np2UIurBcYucTLgPtvvHlo0Q6R0aitSOHUD8C365tqCEJJTm6AOKOphaCsMbd8i
2l8UG5CjggcHMIIHAzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUlmV7wggVA+HD+FDdj7ZzZUPfjIAw
HwYDVR0jBBgwFoAUmNH4bhDrz5vsYJ8YkBug630J/SswaAYIKwYBBQUHAQEEXDBa
MCsGCCsGAQUFBzABhh9odHRwOi8vb2NzcC5wa2kuZ29vZy9ndHMxbzFjb3JlMCsG
CCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFMxTzEuY3J0MIIEwgYD
VR0RBIIEuTCCBLWCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5hcHBl
bmdpbmUuZ29vZ2xlLmNvbYIJKi5iZG4uZGV2ghIqLmNsb3VkLmdvb2dsZS5jb22C
GCouY3Jvd2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0ZS5nb29nbGUu
Y29tggYqLmcuY2+CDiouZ2NwLmd2dDIuY29tghEqLmdjcGNkbi5ndnQxLmNvbYIK
Ki5nZ3BodC5jboIOKi5na2VjbmFwcHMuY26CFiouZ29vZ2xlLWFuYWx5dGljcy5j
b22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6CDiou
Z29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFygg8q
Lmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29tLmNv
gg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUuY29t
LnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsqLmdv
b2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5wbIIL
Ki5nb29nbGUucHSCEiouZ29vZ2xlYWRhcGlzLmNvbYIPKi5nb29nbGVhcGlzLmNu
ghEqLmdvb2dsZWNuYXBwcy5jboIUKi5nb29nbGVjb21tZXJjZS5jb22CESouZ29v
Z2xldmlkZW8uY29tggwqLmdzdGF0aWMuY26CDSouZ3N0YXRpYy5jb22CEiouZ3N0
YXRpY2NuYXBwcy5jboIKKi5ndnQxLmNvbYIKKi5ndnQyLmNvbYIUKi5tZXRyaWMu
Z3N0YXRpYy5jb22CDCoudXJjaGluLmNvbYIQKi51cmwuZ29vZ2xlLmNvbYITKi53
ZWFyLmdrZWNuYXBwcy5jboIWKi55b3V0dWJlLW5vY29va2llLmNvbYINKi55b3V0
dWJlLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9uLmNvbYIRKi55b3V0dWJla2lkcy5j
b22CByoueXQuYmWCCyoueXRpbWcuY29tghphbmRyb2lkLmNsaWVudHMuZ29vZ2xl
LmNvbYILYW5kcm9pZC5jb22CG2RldmVsb3Blci5hbmRyb2lkLmdvb2dsZS5jboIc
ZGV2ZWxvcGVycy5hbmRyb2lkLmdvb2dsZS5jboIEZy5jb4IIZ2dwaHQuY26CDGdr
ZWNuYXBwcy5jboIGZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIKZ29vZ2xl
LmNvbYIPZ29vZ2xlY25hcHBzLmNughJnb29nbGVjb21tZXJjZS5jb22CGHNvdXJj
ZS5hbmRyb2lkLmdvb2dsZS5jboIKdXJjaGluLmNvbYIKd3d3Lmdvby5nbIIIeW91
dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIPeW91dHVi
ZWtpZHMuY29tggV5dC5iZTAhBgNVHSAEGjAYMAgGBmeBDAECAjAMBgorBgEEAdZ5
AgUDMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwucGtpLmdvb2cvR1RTMU8x
Y29yZS5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCyHgXMi6LNiiBOh2b5
K7mKJSBna9r6cOeySVMt74uQXgAAAXQqBvm9AAAEAwBHMEUCIFuyYsFzcB3C9NGC
w0dg+mk4dbQJtlDaLb6WbYDLbunIAiEAz9UtOWRBWO1E8jq+m0dGME2Mq2otddqS
8Bh+ZohIWg0AdgDnEvKwN34aYvuOyQxhhPHqezfLVh0RJlvz4PNL8kFUbgAAAXQq
BvnSAAAEAwBHMEUCIAtp246XVvtpiVX6BL+EZ8gOfSLC82TNNtrN1y9S0VYrAiEA
kliCqiMUqrMAn1OkfZPON3/LL8psHlY9Rxas6/Jk4IcwDQYJKoZIhvcNAQELBQAD
ggEBAC/eR0PNLQrtb208SzkO5gUXdFinM/ChEApSlFWAUopcoIhzNVXN2VFy3sKW
XFKD8soFoXJgBo7aTYAFamD+YKvM3AJnhEFHzeuvgGvs1Q1uVlq9AEfYYi9MAZN2
ELsWFcrU2bKSDl2WVgaVw6bWd/uXti9mBnwMIZGsjIQWYUACqfHKYuPgctp7qz9k
J7vQ/96gxG2jch28Dh2nagcVaXCqY9Jo7VDSRMQhyrTscwsMsoYX+s1KylcsVp0X
EA5ozm3hANRl8RFjn+QH2fvrNn53vJSjxQSMyvrseqMz+7FlgtAr5wIp+cSR2j5i
PoraKcKRu2DP1tL0W6UZN7GuuH4=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

SSL handshake has read 3831 bytes and written 323 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Sounds like in the case of TLS 1.3 the certificate is not parsed correctly.

vjulien · September 19, 2020, 7:07pm

In TLS 1.3 the certificate is encrypted, so Suricata can’t parse it or match on it.

Topic		Replies	Views
Understanding tls.sni rules Rules	4	2633	December 20, 2022
Block websites having ssl cached in browser Rules	2	855	June 13, 2023
Need help with HTTP Signatures Help community , rules	4	177	November 18, 2023
Suricata pass rule not working Rules	16	3601	April 28, 2022
How can I modify a suricata rule for complete URL not just the domain name Rules community , rules , suricata	1	1284	July 25, 2022

Suricata 5.0.1 and TLS 1.3 issue

Related Topics