Suricata rule to alert on older versions of TLS

Hi,
I’m trying to write a Suricata rule that could alert on older versions of TLS. I’d like to detect whether TLS older than 1.2 is used for any egress traffic from my network to the Internet. I’m using AWS Network Firewall with stateful Suricata rules based on the strict ordering type. I wrote the rules below and put them on top of the rule stack to make sure they’re processed first:

alert tls any any -> $EXTERNAL_NET any (tls.version:1.0; msg:"Match on negotiated TLS/SSL version - 1.0 detected"; sid:1; rev:1;)
alert tls any any -> $EXTERNAL_NET any (tls.version:1.1; msg:"Match on negotiated TLS/SSL version - 1.1 detected"; sid:2; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.0; msg:"Match version of SSL/TLS record - 1.0 detected"; sid:3; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.1; msg:"Match version of SSL/TLS record - 1.1 detected"; sid:4; rev:1;)

Then I was trying to generate some traffic:

curl  -vvv --tlsv1.0 --tls-max 1.1 https://<some_example_urls_here>

The log doesn’t show any entries, so it looks like there is no match for these rules.

I’m new to Suricata, so I’m probably missing something important in the above rules. Could anyone help me with this issue? Thank you.

What version are you running?
How are you running Suricata?
What does the config look like?

Do you see other alerts? Do you see flow events for those connections?

  1. Docs say that AWS Network Firewall supports Suricata 6.0.2 (Working with stateful rule groups in AWS Network Firewall - AWS Network Firewall).
  2. AWS NF with Suricata is deployed into a separate network between the network that has my workloads and the Internet. I have some pass rules to allow the needed destination URLs and the default drop established setting at the end.
  3. I can see flow logs for the traffic that goes to destination IPs. Pass rule works correctly. I have also created a simple alert rule that logs the egress traffic for the domain that resolves to the same destination IP.

Could you confirm if the rules mentioned earlier for TLS are correct and make sense? I also created a ticket for AWS support but wanted to make sure that the rules are correct.

Could anyone help me with confirmation if these rules make sense and can detect egress traffic for TLS versions older than 1.2, please?

alert tls any any -> $EXTERNAL_NET any (tls.version:1.0; msg:"Match on negotiated TLS/SSL version - 1.0 detected"; sid:1; rev:1;)
alert tls any any -> $EXTERNAL_NET any (tls.version:1.1; msg:"Match on negotiated TLS/SSL version - 1.1 detected"; sid:2; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.0; msg:"Match version of SSL/TLS record - 1.0 detected"; sid:3; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.1; msg:"Match version of SSL/TLS record - 1.1 detected"; sid:4; rev:1;)

Suricata can detect TLS versions, but you need to use the correct keywords. Instead of trying to match with port + payload, use the tls.version keyword in your rules. For example:

alert tls any any -> any any (msg:"TLS 1.0 or 1.1 detected"; tls.version:<1.2; sid:10001; rev:1;)

This will trigger on any TLS handshake using a version lower than 1.2. Also, make sure Suricata has TLS logging enabled (tls section in suricata.yaml) and that your rules are loaded in AWS Network Firewall. Then your curl --tlsv1.0 test should generate an alert. Hope it helps!
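As an added example that is not part of this thread (and not Suricata's own code), the parser below shows what the two keyword families used in the rules above actually compare against: ssl_version looks at the version field in the TLS record header, while tls.version looks at the version the server selects in its ServerHello (for TLS 1.3 that is carried in the supported_versions extension, not in the legacy version field). All sample messages are constructed by hand, not captured traffic; the server random, cipher suite and alert bytes are placeholder values chosen for the example.

```python
"""
Added example: minimal TLS record / ServerHello parser that extracts
  - the record-layer version   (what Suricata's ssl_version keyword matches)
  - the negotiated version     (what Suricata's tls.version keyword matches)
and reports whether each field would flag a pre-1.2 session.
The byte strings in SAMPLES are constructed for this example, not real captures.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS12 = 0x0303
CT_ALERT, CT_HANDSHAKE = 21, 22          # TLS record content types
HS_SERVER_HELLO = 2                      # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B          # TLS 1.3 supported_versions extension


def parse_records(data):
    """Split raw bytes into (content_type, record_version, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, rec_ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, rec_ver, body))
        off += 5 + length
    return records


def server_hello_version(body):
    """Negotiated version from a ServerHello handshake message, or None."""
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hs[0:2])[0]
    off = 2 + 32                         # skip legacy_version and random
    off += 1 + hs[off]                   # skip session_id (length-prefixed)
    off += 2 + 1                         # skip cipher_suite and compression
    if off + 2 <= len(hs):               # extensions block is optional (TLS <= 1.2)
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                # TLS 1.3 servers keep legacy_version at 0x0303 and put the
                # real selected version here.
                return struct.unpack("!H", hs[off:off + 2])[0]
            off += elen
    return legacy_version


def analyse(server_first_flight):
    """Classify the server's first record the way the two keyword families would."""
    records = parse_records(server_first_flight)
    if not records:
        raise ValueError("no TLS records")
    ctype, rec_ver, body = records[0]
    negotiated = server_hello_version(body) if ctype == CT_HANDSHAKE else None
    return {
        "record_version": rec_ver,
        "negotiated": negotiated,
        # ssl_version:tls1.0 / tls1.1 style match on the record header
        "ssl_version_lt12": rec_ver < TLS12,
        # tls.version:1.0 / 1.1 style match needs a ServerHello to exist at all
        "tls_version_lt12": negotiated is not None and negotiated < TLS12,
        "negotiated_name": VERSION_NAMES.get(negotiated, "none (no ServerHello)"),
    }


def build_server_hello(version, supported_version=None):
    """Construct a ServerHello record; placeholder random/cipher values."""
    hs = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hs += struct.pack("!H", len(ext)) + ext
    msg = bytes([HS_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", CT_HANDSHAKE, version, len(msg)) + msg


# Constructed samples (not captured traffic).
SAMPLES = {
    "tls11_serverhello": build_server_hello(0x0302),
    "tls12_serverhello": build_server_hello(0x0303),
    "tls13_serverhello": build_server_hello(0x0303, supported_version=0x0304),
    # server refuses the offered versions: fatal (2) protocol_version (70) alert,
    # no ServerHello, so nothing is ever negotiated
    "protocol_version_alert": struct.pack("!BHH", CT_ALERT, 0x0301, 2) + b"\x02\x46",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = analyse(data)
        print(f"{name:24s} record={VERSION_NAMES[r['record_version']]:8s} "
              f"negotiated={r['negotiated_name']:22s} "
              f"ssl_version<1.2={r['ssl_version_lt12']} tls.version<1.2={r['tls_version_lt12']}")
```

The constructed protocol_version_alert sample is the case worth keeping in mind when testing with curl pinned to an old version: a server that only speaks TLS 1.2+ answers with an alert rather than a ServerHello, so there is no negotiated version for a tls.version rule to match, while a rule on the record-layer version still has a field to compare against. A test against a server that really does accept TLS 1.0 or 1.1 exercises both keyword families.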