haoranli
(haoranli)
June 14, 2024, 3:05am
1
Hi, all. I want to detect frp TLS connections, so I found ssl_state in the Suricata docs. But frp uses TLS 1.3, so I changed it to "tls_state", which looks unsupported. So will Suricata support "tls_state"?
error:
Error: detect-parse: unknown rule keyword 'tls_state'.
rules:
alert tcp-pkt any any -> any any (msg:"FRP TLS hello"; flow: established, to_server; content: "|17|"; dsize: 1; flowbits: set, frp_ssl; flowbits: noalert; classtype: bad-unknown; sid: 100003; rev: 1;)
alert tls any any -> any any (msg:"FRP TLS connection"; flow: established; tls_state: client_hello; flowbits: isset, frp_ssl; classtype: bad-unknown; sid: 100004; rev: 1;)
vjulien
(Victor Julien)
June 15, 2024, 6:39pm
2
vjulien
(Victor Julien)
June 16, 2024, 8:30pm
3
haoranli
(haoranli)
June 20, 2024, 6:56am
4
Sorry, I don't understand it. But I changed my rule file; this rule will alert when an IP address tries to connect to a frp server with TLS.
alert tcp-pkt any any -> any any (msg:"FRP TLS hello"; flow: established, to_server; content: "|17|"; dsize: 1; flowbits: set, frp_ssl; classtype: bad-unknown; sid: 100003; rev: 1;)
alert tcp-pkt any any -> any any (msg:"FRP TLS connection"; flow: established; content: "|16 03 01|"; depth: 3; content: "|01|"; offset: 5; flowbits: isset, frp_ssl; classtype: bad-unknown; sid: 100004; rev: 1;)
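As an added illustration (not part of the thread, and not Suricata's own code), the following stand-alone script mirrors the logic of the two rules above over constructed client-to-server segments, so you can see why the single 0x17 byte followed by a TLS record with handshake type 0x01 at byte 5 triggers sid 100004 only after sid 100003 has set the flowbit. It assumes, as the thread does, that frp's TLS mode sends a lone 0x17 byte before the ClientHello; the sample bytes are constructed, not captured traffic.

```python
"""Added example: checker that emulates the posted Suricata rules for frp-over-TLS.
Assumes frp sends a single 0x17 byte before the TLS ClientHello (the thread's premise).
All sample data below is constructed, not captured from a real frp session."""
import struct

FRP_TLS_MARKER = 0x17      # one-byte prefix frp sends ahead of the TLS handshake
TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type, found right after the 5-byte record header


def is_frp_marker(segment: bytes) -> bool:
    """Equivalent of sid 100003: a one-byte segment holding 0x17 (content:"|17|"; dsize:1)."""
    return len(segment) == 1 and segment[0] == FRP_TLS_MARKER


def is_client_hello(segment: bytes) -> bool:
    """Equivalent of sid 100004's content checks: record header 16 03 01 in the first
    three bytes and handshake type 0x01 at byte 5. TLS 1.3 ClientHellos still carry the
    legacy record version 0x0301, which is why the 16 03 01 pattern works for them."""
    if len(segment) < 6:
        return False
    if segment[:3] != bytes([TLS_HANDSHAKE, 0x03, 0x01]):
        return False
    rec_len = struct.unpack("!H", segment[3:5])[0]   # bytes 3-4: record length
    return rec_len >= 1 and segment[5] == TLS_CLIENT_HELLO


def detect_frp_tls(to_server_segments: list) -> dict:
    """Walk the client->server segments of one flow in order, emulating the flowbit:
    sid 100003 sets frp_ssl, and sid 100004 fires only once frp_ssl is already set."""
    frp_ssl = False
    alerts = []
    for idx, seg in enumerate(to_server_segments):
        if is_frp_marker(seg):
            frp_ssl = True
            alerts.append((idx, 100003))
        elif frp_ssl and is_client_hello(seg):
            alerts.append((idx, 100004))
    return {"frp_ssl": frp_ssl, "alerts": alerts}


# Constructed sample data: a minimal ClientHello-shaped TLS record (not a full handshake).
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
FRP_SESSION = [bytes([0x17]), SAMPLE_CLIENT_HELLO]   # marker byte, then ClientHello
PLAIN_TLS_SESSION = [SAMPLE_CLIENT_HELLO]            # ordinary TLS client, no marker

if __name__ == "__main__":
    print(detect_frp_tls(FRP_SESSION))        # both sids fire
    print(detect_frp_tls(PLAIN_TLS_SESSION))  # nothing fires
```

One caveat when comparing this with sid 100004 as written: `content:"|01|"; offset:5;` with no `depth` lets Suricata match a 0x01 anywhere from byte 5 onward, whereas the script checks byte 5 exactly; adding `depth:1;` after `offset:5;` makes the rule as strict as the script.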