TLS rule alert on CN name not picking up

Hello,

I’m working on creating some info alerts for internal use, to alert on TLS when the CN matches. I have created the following rule, which is valid (rule is loaded), however fails to detect (despite confirming TLS event traffic is properly picked up).

Am I missing something here? Running Suricata 5.0.6 on Debian. Other custom TCP and IP rules work fine.

alert tls [1.1.1.1/23,2.2.2.2] any -> 192.168.1.1 any (msg:"Company Info - TLS Traffic from A to B"; tls.cert_subject; content:"CN=the.company.com"; isdataat:!1,relative; sid:900456; rev:1;)

Hi Jeremy.

Try to upgrade your version - tls.cert_subject is working fine with Suricata 6.0.2.

Test rule:

alert tls any any -> any any (msg: "TLS CN detected!"; tls.cert_subject; content:"CN=nytimes.com"; isdataat:!1,relative;)
1 Like

Thank you for testing, I’m running scirius probes, so not really an option to upgrade :slight_smile: Uses Debian, and stuck in 5.x land with the issues preventing 6.x working on Debian unfortunately.

I tried the legacy keyword as well, with no luck either. I’ll probably have to wait for the probes to get updated to 6.x.

1 Like

Hey, just want to say that the keyword is working on 5.0.6 as expected. Have you tried making your test as simple as possible? Have you checked the Suricata TLS logs to ensure that the request is logged as expected.
I recommend the new startswith and endswith keywords as well :slight_smile:

$ cat fast.log 
06/18/2021-20:31:51.173358  [**] [1:1:0] test [**] [Classification: (null)] [Priority: 3] {TCP} 151.101.237.164:443 -> 192.168.1.118:60224
$ cat ../test.rules 
alert tls any any <> any any (msg:"test"; tls.cert_subject; content:"nytimes.com"; endswith; sid:1;)
$ suricata -V
This is Suricata version 5.0.6 RELEASE

Hello,

Thank you, it does pick up as a TLS event. The only atypical thing about the traffic is that it is FTPS, not HTTPS - however suricata is picking up the events as TLS (including CN being parsed out properly), so I wouldn’t think that would matter?

I’ll see where it goes with opening up direction and also setting source net to any. Originally I had the rule set to a destination port range, which didn’t seem to make a difference. I’ll follow up with the findings.

I would like to add that any any worked fine. Apparently I had the source and destination order mixed up! Thanks again everyone for your help.

2 Likes