Suricata and TLS Termination: how to log the original src and dst

shanyp · September 8, 2020, 6:14am

Hey Team,

I have the following setup that allows IDS for SSL traffic:

internal->firewall->tls_termination->suricata->firewall->internet

Suricata create the alerts with src:<tls_termination> dst: , while the desired outcome is ofcourse: src: dst:

I have enabled adding http headers within the tls_termination to send the internal:port internet:port information.

I have initially thought of using the xff feature in eve logging, but it allows only one ip address.

My question is: can I extract and add the orig src and dst information to be part of the alert output ?

Best regards,

Shany

Andreas_Herz · September 8, 2020, 6:50am

Can you forge a test pcap so we can look into it?

shanyp · September 10, 2020, 8:53am

Sure,

the pcpap is here:
tcp-dump-balmas.pcap (54.5 KB)

note that
127.2.0.1 is the tls_termination service
127.3.0.1 is the proxy that resend the traffic as https traffic

Andreas_Herz · September 12, 2020, 7:26pm

Well if you have Suricata positioned after the tls termination happened and the connection is just seen between those two 127.x.y.z IPs without the initial SRC in the package, I see no way how Suricata would magically know the initial SRC IP.

Do you see the initial SRC IP within the pcap?

shanyp · September 13, 2020, 12:10pm

I do send the original src and dst IP as part of the headers sent by the TLS termination. Currently XFF is limited to extract only one IP address. Is there a way to extract the additional headers that are sent for the src and dst and have them as part of the “alert” output in eve.json ?
This way I can recreate the original 5 tuple together with the signature output

Thoughts ?

Shany

Andreas_Herz · September 15, 2020, 8:22pm

Now I see it as azfw-forwarded is that what you refer to?

shanyp · September 16, 2020, 6:25am

Yes I can provide a header with the “original” src->dst but I want to be able to have Suricata output it as part of the alert payload, is that possible ?

Andreas_Herz · September 19, 2020, 8:26pm

This seem to be azure-firewall (azfw) so I doubt that it’s currently supported. I didn’t find any RFC for that. So this might be something that fits as a feature request although this seems to be vendor/Azure specific.

ish · September 21, 2020, 11:32pm

@shanyp I’m just curious, is this azfw-forwarded a header that was constructed for you? Or did you craft it via configuration? If this is something done by Azure, I’d be curious about the Azure products in use. Thanks.

shanyp · September 22, 2020, 4:49am

I have crafted it my self :-).
Is there a way to use it in fast/eve log as an extra data or replacement for the Src/dst pair?

Topic		Replies	Views
Does the src_ip in an alert event always reflect the true source? Help	3	27	December 10, 2024
Only Logging DNS traffic; tcpdump shows other traffic available Help	12	1151	March 25, 2022
Suricata cannot parse tls/http traffice Help	10	355	September 19, 2024
Unexpected TCP session tracking Help suricata	18	129	September 2, 2024
Suricata behind proxy server Help ips	8	4262	June 17, 2024

Suricata and TLS Termination: how to log the original src and dst

Related topics