Suricata and TLS Termination: how to log the original src and dst

shanyp · September 8, 2020, 6:14am

Hey Team,

I have the following setup that allows IDS for SSL traffic:

internal->firewall->tls_termination->suricata->firewall->internet

Suricata create the alerts with src:<tls_termination> dst: , while the desired outcome is ofcourse: src: dst:

I have enabled adding http headers within the tls_termination to send the internal:port internet:port information.

I have initially thought of using the xff feature in eve logging, but it allows only one ip address.

My question is: can I extract and add the orig src and dst information to be part of the alert output ?

Best regards,

Shany

Andreas_Herz · September 8, 2020, 6:50am

Can you forge a test pcap so we can look into it?

shanyp · September 10, 2020, 8:53am

Sure,

the pcpap is here:
tcp-dump-balmas.pcap (54.5 KB)

note that
127.2.0.1 is the tls_termination service
127.3.0.1 is the proxy that resend the traffic as https traffic

Andreas_Herz · September 12, 2020, 7:26pm

Well if you have Suricata positioned after the tls termination happened and the connection is just seen between those two 127.x.y.z IPs without the initial SRC in the package, I see no way how Suricata would magically know the initial SRC IP.

Do you see the initial SRC IP within the pcap?

shanyp · September 13, 2020, 12:10pm

I do send the original src and dst IP as part of the headers sent by the TLS termination. Currently XFF is limited to extract only one IP address. Is there a way to extract the additional headers that are sent for the src and dst and have them as part of the “alert” output in eve.json ?
This way I can recreate the original 5 tuple together with the signature output

Thoughts ?

Shany

Andreas_Herz · September 15, 2020, 8:22pm

Now I see it as azfw-forwarded is that what you refer to?

shanyp · September 16, 2020, 6:25am

Yes I can provide a header with the “original” src->dst but I want to be able to have Suricata output it as part of the alert payload, is that possible ?

Andreas_Herz · September 19, 2020, 8:26pm

This seem to be azure-firewall (azfw) so I doubt that it’s currently supported. I didn’t find any RFC for that. So this might be something that fits as a feature request although this seems to be vendor/Azure specific.

ish · September 21, 2020, 11:32pm

@shanyp I’m just curious, is this azfw-forwarded a header that was constructed for you? Or did you craft it via configuration? If this is something done by Azure, I’d be curious about the Azure products in use. Thanks.

shanyp · September 22, 2020, 4:49am

I have crafted it my self :-).
Is there a way to use it in fast/eve log as an extra data or replacement for the Src/dst pair?

Topic		Replies	Views
"pcap_cnt" is not accurate on TCP streams Help suricata	2	331	January 26, 2023
Suricata does not create alerts following attack tests Help suricata	4	872	November 9, 2022
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	428	August 10, 2023
Suricata alerts by src_IP Tips and Tricks	0	454	June 6, 2022
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	650	June 8, 2023

Suricata and TLS Termination: how to log the original src and dst

Related Topics