Suricata rule to alert on older versions of TLS

Hi,
I’m trying to write a Suricata rule that could alert on older versions of TLS. I’d like to detect whether TLS older than 1.2 is used for any egress traffic from my network to the Internet. I’m using AWS Network Firewall with stateful Suricata rules based on the strict ordering type. I wrote the rules below and put them on top of the rule stack to make sure they’re processed first:

alert tls any any -> $EXTERNAL_NET any (tls.version:1.0; msg:"Match on negotiated TLS/SSL version - 1.0 detected"; sid:1; rev:1;)
alert tls any any -> $EXTERNAL_NET any (tls.version:1.1; msg:"Match on negotiated TLS/SSL version - 1.1 detected"; sid:2; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.0; msg:"Match version of SSL/TLS record - 1.0 detected"; sid:3; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.1; msg:"Match version of SSL/TLS record - 1.1 detected"; sid:4; rev:1;)

Then I was trying to generate some traffic:

curl -vvv --tlsv1.0 --tls-max 1.1 https://<some_example_urls_here>

The log doesn’t show any entries, so it looks like there is no match for these rules.

I’m new to Suricata so I probably missed something important in the rules above. Could anyone help me with this issue? Thank you.

What version are you running?
How are you running Suricata?
What does the config look like?

Do you see other alerts? Do you see flow events for those connections?

  1. Docs say that AWS Network Firewall supports Suricata 6.0.2: Working with stateful rule groups in AWS Network Firewall - AWS Network Firewall.
  2. AWS NF with Suricata is deployed into a separate network between the network that has my workloads and the Internet. I have some pass rules to allow the needed destination URLs and the default drop established setting at the end.
  3. I can see flow logs for the traffic that goes to destination IPs. Pass rule works correctly. I have also created a simple alert rule that logs the egress traffic for the domain that resolves to the same destination IP.

Could you confirm if the rules mentioned earlier for TLS are correct and make sense? I also created a ticket for AWS support but wanted to make sure that the rules are correct.

Could anyone help me with confirmation if these rules make sense and can detect egress traffic for TLS versions older than 1.2, please?

alert tls any any -> $EXTERNAL_NET any (tls.version:1.0; msg:"Match on negotiated TLS/SSL version - 1.0 detected"; sid:1; rev:1;)
alert tls any any -> $EXTERNAL_NET any (tls.version:1.1; msg:"Match on negotiated TLS/SSL version - 1.1 detected"; sid:2; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.0; msg:"Match version of SSL/TLS record - 1.0 detected"; sid:3; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.1; msg:"Match version of SSL/TLS record - 1.1 detected"; sid:4; rev:1;)
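The two keyword families in the rules above look at different bytes: `ssl_version` matches the version field of the TLS record header, while `tls.version` matches the version that was actually negotiated, which Suricata only knows once it has seen the ServerHello. The parser below is an added example, not code from the thread or from Suricata, that walks constructed handshake bytes and reports both values for a flow, so you can see what a rule would have to match against. It makes three assumptions worth checking against a real capture: the record-layer version is 0x0301 regardless of the negotiated version (common in real stacks), TLS 1.3 is signalled through the supported_versions extension rather than the legacy version field, and a server that refuses TLS 1.0/1.1 replies with a fatal alert and never sends a ServerHello, leaving no negotiated version for a rule to match.

```python
import struct

# Constructed constants for the demo; names and samples are ours, not Suricata's.
VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B      # RFC 8446 extension type for supported_versions
HANDSHAKE, ALERT = 22, 21            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2    # handshake message types


def build_hello(msg_type, version, extensions=b""):
    """Construct a minimal ClientHello/ServerHello record (sample data, not captured traffic)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"               # one cipher suite, null compression
    else:
        body += b"\xc0\x2f" + b"\x00"                           # chosen suite, null compression
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    # Record-layer version (what ssl_version inspects); assumed fixed at 0x0301 as many stacks do
    return bytes([HANDSHAKE]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_records(data):
    """Split a byte stream into (content_type, record_version, fragment) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, rver, rlen = struct.unpack(">BHH", data[off:off + 5])
        records.append((ctype, rver, data[off + 5:off + 5 + rlen]))
        off += 5 + rlen
    return records


def parse_hello(fragment):
    """Return (msg_type, legacy_version, {ext_type: ext_data}) for a ClientHello or ServerHello."""
    msg_type = fragment[0]
    body = fragment[4:4 + int.from_bytes(fragment[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    off = 2 + 32                                  # skip version and random
    off += 1 + body[off]                          # session id
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2 + cs_len                         # cipher suite list
        off += 1 + body[off]                      # compression methods
    else:
        off += 2 + 1                              # chosen cipher suite + compression method
    exts = {}
    if off + 2 <= len(body):
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            exts[etype] = body[off + 4:off + 4 + elen]
            off += 4 + elen
    return msg_type, version, exts


def negotiated_version(server_bytes):
    """Version chosen in the ServerHello, or None if the server never sent one.

    TLS 1.3 keeps legacy_version at 0x0303 and carries 0x0304 in supported_versions."""
    for ctype, _rver, frag in parse_records(server_bytes):
        if ctype != HANDSHAKE or not frag or frag[0] != SERVER_HELLO:
            continue
        _, legacy, exts = parse_hello(frag)
        sv = exts.get(SUPPORTED_VERSIONS_EXT)
        return struct.unpack(">H", sv[:2])[0] if sv else legacy
    return None


def classify_flow(client_bytes, server_bytes, minimum=0x0303):
    """Report what version-based rules would see for one flow (alert if negotiated < minimum)."""
    _, cver, _ = parse_hello(parse_records(client_bytes)[0][2])
    negotiated = negotiated_version(server_bytes)
    return {
        "client_offered": VERSION_NAMES.get(cver, hex(cver)),
        "record_version": VERSION_NAMES.get(parse_records(server_bytes)[0][1]),
        "negotiated": VERSION_NAMES.get(negotiated, "handshake incomplete"),
        "legacy_alert": negotiated is not None and negotiated < minimum,
    }


# Constructed samples: a completed TLS 1.0 handshake, a TLS 1.3 ServerHello, and a refused handshake
LEGACY_CLIENT = build_hello(CLIENT_HELLO, 0x0301)
LEGACY_SERVER = build_hello(SERVER_HELLO, 0x0301)
TLS13_SERVER = build_hello(SERVER_HELLO, 0x0303, struct.pack(">HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304))
REFUSED = bytes([ALERT]) + struct.pack(">HH", 0x0301, 2) + b"\x02\x46"   # fatal protocol_version alert

if __name__ == "__main__":
    for name, srv in (("legacy", LEGACY_SERVER), ("tls13", TLS13_SERVER), ("refused", REFUSED)):
        print(name, classify_flow(LEGACY_CLIENT, srv))
```

The "refused" case is the one to keep in mind when testing with `curl --tlsv1.0 --tls-max 1.1`: if the destination rejects the offered versions, the only thing on the wire is a ClientHello and an alert, the record-layer version still reads TLS 1.0, but no version is ever negotiated, so a rule keyed on the negotiated version has nothing to match. Checking the flow and TLS event logs for whether a ServerHello was seen tells you which of the two situations you are in.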