tls.store: why does the TLS certificate file save fail?

my rules:
alert tls any any -> any any (msg:"1111111111111111"; tls.cert_subject; content:"*"; tls.store; sid:8000000;)
alert tls any any -> any any (msg:"2222222222222222"; tls.cert_subject; content:"*"; tls.store; sid:8000001;)
alert tls any any -> any any (msg:"No Alert TLS Store"; tls.subject:"CN="; tls.store; noalert; classtype:policy-violation; sid:800002; rev:3;)

my config:

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #extended: yes     # Log extended information like fingerprint
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
      #session-resumption: no

  # output module to store certificates chain to disk
  - tls-store:
      enabled: yes
      certs-log-dir: certs # directory to store the certificates files

my pcap file:
tls.store.pcapng (5.7 MB)

my suricata version:
suricata-7.0.0-beta1

my system version:
CentOS7 Linux localhost.localdomain 3.10.0-1160.88.1.el7.x86_64 #1 SMP Tue Mar 7 15:41:52 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

check configuration:
./suricata --dump-config | grep tls
outputs.1.eve-log.types.5 = tls
outputs.1.eve-log.types.5.tls = (null)
outputs.1.eve-log.types.5.tls.extended = yes
outputs.3 = tls-log
outputs.3.tls-log = (null)
outputs.3.tls-log.enabled = yes
outputs.3.tls-log.filename = tls.log
outputs.3.tls-log.append = yes
outputs.4 = tls-store
outputs.4.tls-store = (null)
outputs.4.tls-store.enabled = yes
outputs.4.tls-store.certs-log-dir = certs
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443

I compiled and ran suricata-6.0.13 again, but still no certificate file was saved.

Hi,

I’m using Suricata master (which is more current than suricata-6.0.0-beta.1 but quite similar to your version with respect to tls cert handling).

After putting your rules into a rules file, the following command shows certs in the logging directory

 src/suricata -c suricata.yaml -r ~/tls.store.pcapng -l /tmp/ll -S ~/rules/tls-2.rules

The logging directory is /tmp/ll:

$ ls -l /tmp/ll/certs
total 188
-rw-rw-r-- 1 jlucovsky jlucovsky  474 Aug 31 08:47 1693385895.362631-3.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385895.362631-3.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  473 Aug 31 08:47 1693385895.389261-1.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385895.389261-1.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  473 Aug 31 08:47 1693385895.419460-2.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385895.419460-2.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  475 Aug 31 08:47 1693385900.181054-11.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385900.181054-11.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  472 Aug 31 08:47 1693385900.214346-4.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385900.214346-4.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  406 Aug 31 08:47 1693385900.544730-7.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 5623 Aug 31 08:47 1693385900.544730-7.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  472 Aug 31 08:47 1693385901.212278-5.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385901.212278-5.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  473 Aug 31 08:47 1693385901.538337-6.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385901.538337-6.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  448 Aug 31 08:47 1693385902.706834-8.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6469 Aug 31 08:47 1693385902.706834-8.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  475 Aug 31 08:47 1693385902.970572-9.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385902.970572-9.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  449 Aug 31 08:47 1693385903.318103-10.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6469 Aug 31 08:47 1693385903.318103-10.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  448 Aug 31 08:47 1693385903.360737-12.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6469 Aug 31 08:47 1693385903.360737-12.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  485 Aug 31 08:47 1693385912.905244-14.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 4212 Aug 31 08:47 1693385912.905244-14.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  381 Aug 31 08:47 1693385918.152287-13.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 7977 Aug 31 08:47 1693385918.152287-13.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  473 Aug 31 08:47 1693385926.697131-15.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 6603 Aug 31 08:47 1693385926.697131-15.pem
-rw-rw-r-- 1 jlucovsky jlucovsky  376 Aug 31 08:47 1693385927.229784-16.meta
-rw-rw-r-- 1 jlucovsky jlucovsky 3635 Aug 31 08:47 1693385927.229784-16.pem

Perhaps there’s a permissions issue on the logging directory you’re using?
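Added pre-flight check, not part of this thread or of Suricata itself: a small POSIX sh script that tests the three things that must all hold before any .pem/.meta file can appear in the certs directory, which is what the reply above is narrowing down. It checks that the tls-store output block is enabled in suricata.yaml, that the certificate directory exists and is writable by the user Suricata runs as, and that at least one rule in the rules file actually carries tls.store. The function names are mine; the yaml check is a simple awk pass that assumes the stock config layout (one setting per line, the block ending at the next "- name:" list item). The path resolution reflects what the reply's output shows: certs-log-dir is taken relative to the log directory given with -l (or default-log-dir) unless it is absolute, so "-l /tmp/ll" with "certs-log-dir: certs" yields /tmp/ll/certs.

```shell
#!/bin/sh
# Added example for this thread, not Suricata tooling. Function names are mine.
# Checks the preconditions for tls.store writing certificate files.

# Where Suricata will write certificates: certs-log-dir is relative to the
# log directory (-l / default-log-dir) unless it is an absolute path.
certs_dir() {
    logdir=$1
    certdir=$2
    case "$certdir" in
        /*) printf '%s\n' "$certdir" ;;
        *)  printf '%s/%s\n' "$logdir" "$certdir" ;;
    esac
}

# 0 if the directory exists and the current user can write into it.
check_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Number of uncommented rules in a rules file that use the tls.store keyword.
# grep -c prints 0 and exits 1 on no match, so force a 0 exit for callers.
count_tls_store_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'tls\.store;' || true
}

# 0 if the "- tls-store:" block in suricata.yaml has an uncommented
# "enabled: yes". Assumes the stock layout: the block ends at the next
# "- <output>:" list item. A "#enabled: yes" line does not count.
tls_store_enabled() {
    awk '
        /^[[:space:]]*- tls-store:/                         { in_block = 1; next }
        in_block && /^[[:space:]]*- /                       { in_block = 0 }
        in_block && /^[[:space:]]*enabled:[[:space:]]*yes/  { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run all three checks, print one line per finding, return non-zero if any
# check fails. Arguments: suricata.yaml, rules file, log dir, certs-log-dir.
tls_store_precheck() {
    yaml=$1
    rules=$2
    logdir=$3
    certdir=$4
    rc=0

    if tls_store_enabled "$yaml"; then
        echo "ok: tls-store output enabled in $yaml"
    else
        echo "FAIL: tls-store output not enabled in $yaml (tls.store needs it to write files)"
        rc=1
    fi

    dir=$(certs_dir "$logdir" "$certdir")
    if check_writable "$dir"; then
        echo "ok: certificates will be written to $dir"
    else
        echo "FAIL: $dir is missing or not writable by $(id -un)"
        rc=1
    fi

    n=$(count_tls_store_rules "$rules")
    if [ "$n" -gt 0 ]; then
        echo "ok: $n rule(s) in $rules use tls.store"
    else
        echo "FAIL: no rule in $rules uses tls.store"
        rc=1
    fi

    return $rc
}

# Usage: sh tls-store-precheck.sh suricata.yaml tls.rules /var/log/suricata certs
if [ "$#" -eq 4 ]; then
    tls_store_precheck "$1" "$2" "$3" "$4"
fi
```

Two caveats when reading its output: run it as the same user Suricata runs as, because for root the writability test passes on any existing directory and will not surface a permissions problem that only bites a dropped-privilege worker; and a clean pass still yields no files for TLS 1.3 sessions, where the Certificate message is encrypted and Suricata never sees the certificate to store it.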

I’m running suricata as root.

Please post your full config so we can validate it.