Trouble detecting SNI from pcap

Suricata 7.0.5 installed from the PPA in the Docker image ubuntu:22.04

My actual problem is related to TLS not being analyzed in Geneve encoded packets, but during the process of debugging, I found out I can’t even make my simple SNI alert work with a single https request in a pcap file.

So I noticed that the alert works when running in “online” mode and doesn’t work if I capture the same traffic using wireshark and run in “offline” mode with it. The pcap file was captured using wireshark on the host machine.

online command: suricata -c /etc/suricata/suricata.yaml -i eth0
offline command: suricata -c /etc/suricata/suricata.yaml -r capture.pcap (I also tried stream.midstream=true, but it doesn’t seem to make a difference)

suricata.yaml (83.2 KB) (I’m almost sure I just changed the rules to remove suricata.rules and added my.rules)

capture.pcap (28.7 KB)

my.rules (only a single rule): alert tls any any -> any any (msg:"SNI example.com Detected"; tls.sni; content:"example.com"; nocase; classtype:policy-violation; sid:1000001; rev:1;)

Stats.log (which seems to indicate it read the pcap file correctly):

------------------------------------------------------------------------------------
Date: 5/14/2024 -- 02:24:11 (uptime: 0d, 00h 00m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 87
decoder.bytes                                 | Total                     | 28002
decoder.ipv4                                  | Total                     | 87
decoder.sll                                   | Total                     | 87
decoder.tcp                                   | Total                     | 87
tcp.syn                                       | Total                     | 3
tcp.synack                                    | Total                     | 3
tcp.rst                                       | Total                     | 6
decoder.avg_pkt_size                          | Total                     | 321
decoder.max_pkt_size                          | Total                     | 2948
flow.total                                    | Total                     | 3
flow.tcp                                      | Total                     | 3
flow.tcp_reuse                                | Total                     | 1
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 2
flow.wrk.flows_evicted                        | Total                     | 1
tcp.invalid_checksum                          | Total                     | 51
flow.end.state.new                            | Total                     | 3
flow.mgr.rows_per_sec                         | Total                     | 6553
flow.spare                                    | Total                     | 9800
memcap_pressure                               | Total                     | 5
memcap_pressure_max                           | Total                     | 5
flow.recycler.recycled                        | Total                     | 2
flow.recycler.queue_max                       | Total                     | 2
tcp.memuse                                    | Total                     | 3637248
tcp.reassembly_memuse                         | Total                     | 688128
flow.memuse                                   | Total                     | 7154304

eve.json (5.4 KB)

I have it alerting as expected; you can try adding the option -k none while reading the pcap.
Also I see max decoding 2948; you may want to adjust the MTU on the NIC or the setting in the yaml (suricata/suricata.yaml.in at suricata-7.0.5 · OISF/suricata · GitHub) - depending on how you run Suricata in live mode.

{
  "timestamp": "2024-05-14T03:57:21.878782+0200",
  "flow_id": 444535617827966,
  "pcap_cnt": 21,
  "event_type": "alert",
  "src_ip": "192.168.122.197",
  "src_port": 59730,
  "dest_ip": "93.184.215.14",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1000001,
    "rev": 1,
    "signature": "SNI example.com Detected",
    "category": "Potential Corporate Privacy Violation",
    "severity": 1
  },
  "tls": {
    "sni": "example.com",
    "version": "TLS 1.3",
    "ja3": {
      "hash": "f90b89c71cd5fbe70812533f80e7fc8d",
      "string": "771,4866-4867-4865-255,0-11-10-13172-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2"
    },
    "ja3s": {
      "hash": "15af977ce25de452b96affa2addb1036",
      "string": "771,4866,43-51"
    }
  },
  "app_proto": "tls",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 797,
    "bytes_toclient": 311,
    "start": "2024-05-14T03:57:21.431181+0200",
    "src_ip": "192.168.122.197",
    "dest_ip": "93.184.215.14",
    "src_port": 59730,
    "dest_port": 443
  },
  "payload": "...",
  "payload_printable": "............kx.jI....Hq\\.E.,...... l. xa.@. l..,..C.n\r...hz.3..Aqo...M\".U..........................example.com.........\n........................3t.........h2.http/1.1.........1...\r.................\n...............+......-.....3.&.$... .8.$..-.x~.6V6.2.-?.....[.;.+9.t..........................................................................................................................................................................................................................................................",
  "stream": 1,
  "packet": "AAQAAQAGUlQA8xxnAAAIAEUAADTVa0AAPwb2I8CoesVduNcO6VIBu7KSs2i/3v/WgBAA+3BbAAABAQgK4uRVcDQ4fXs=",
  "packet_info": {
    "linktype": 113
  }
}


Yeah, just tested with -k none and it worked perfectly with the pcap and Geneve packets, thank you!

But were you able to run without disabling the checksum? I find it strange to have wrong checksums in such a small test.

Depends on the capture, I think; NICs by default offload that function, hence it affects the capture.

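The replies above put the missing alert down to bad TCP checksums (the tcp.invalid_checksum counter of 51 in the stats) caused by NIC checksum offload on the capturing host, with -k none as the workaround. Before turning checksum validation off globally, it is worth confirming that this is really what the capture contains. The script below is an added example, not code from this thread or from the Suricata project: it walks a classic pcap, verifies the IPv4 header checksum and the TCP checksum (pseudo-header included) of every packet, and reports which packets fail, which is the same check Suricata performs when it increments tcp.invalid_checksum. The linktype 113 (Linux cooked capture) framing and the two IP addresses are taken from the eve.json above; the pcap bytes, MAC address, payloads and timestamps are constructed inline so the script runs offline, and the function names are my own.

```python
import struct

# Linktypes found in the pcap global header; 113 matches "linktype": 113 in the eve.json above.
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
L2_HEADER_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}


def ones_complement(data: bytes) -> int:
    """RFC 1071 checksum: complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement(pseudo + zeroed)


def verify_ipv4(packet: bytes) -> dict:
    """Check the IPv4 header checksum and, for TCP, the transport checksum of one packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    # A header whose stored checksum is correct sums to 0xFFFF, so its complement is 0.
    result = {"ip_ok": ones_complement(packet[:ihl]) == 0, "tcp_ok": None}
    if packet[9] == 6:  # IP protocol number 6 = TCP
        segment = packet[ihl:total_len]
        stored = struct.unpack("!H", segment[16:18])[0]
        result["tcp_ok"] = tcp_checksum(packet[12:16], packet[16:20], segment) == stored
    return result


def audit_pcap(pcap: bytes) -> dict:
    """Walk a classic pcap file and count packets whose IPv4/TCP checksums do not verify."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian file (usec or nsec timestamps)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian file
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    l2 = L2_HEADER_LEN[linktype]
    stats = {"packets": 0, "tcp": 0, "invalid_ip": 0, "invalid_tcp": 0, "bad_pkts": []}
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        stats["packets"] += 1
        # Ethernet keeps the ethertype in bytes 12-13, Linux cooked capture in bytes 14-15.
        if struct.unpack("!H", frame[l2 - 2:l2])[0] != 0x0800:
            continue  # not IPv4, nothing to verify here
        res = verify_ipv4(frame[l2:])
        if not res["ip_ok"]:
            stats["invalid_ip"] += 1
        if res["tcp_ok"] is not None:
            stats["tcp"] += 1
            if not res["tcp_ok"]:
                stats["invalid_tcp"] += 1
                stats["bad_pkts"].append(stats["packets"])  # 1-based, like pcap_cnt in eve.json
    return stats


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes, fill_tcp_csum: bool) -> bytes:
    """Constructed IPv4/TCP packet; with fill_tcp_csum=False the TCP checksum is left unfinished (zero here),
    which is how a capture taken on the sending host looks when the NIC was going to fill it in."""
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    if fill_tcp_csum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement(ip)) + ip[12:]
    return ip + tcp


def build_sll_pcap(packets: list) -> bytes:
    """Wrap IPv4 packets in a Linux cooked (linktype 113) pcap, the framing of the capture in this thread."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    for i, pkt in enumerate(packets):
        # SLL header: packet type 4 (sent by us), ARPHRD_ETHER, 6-byte address (constructed MAC), IPv4.
        sll = struct.pack("!HHH8sH", 4, 1, 6, b"\x02\x00\x00\x00\x00\x01\x00\x00", 0x0800)
        out += struct.pack("<IIII", 1715652000 + i, 0, 16 + len(pkt), 16 + len(pkt)) + sll + pkt
    return out


# Constructed sample: two packets with correct checksums and one outgoing packet left to offload.
SAMPLE_PCAP = build_sll_pcap([
    build_ipv4_tcp("192.168.122.197", "93.184.215.14", 59730, 443, b"\x16\x03\x01", True),
    build_ipv4_tcp("93.184.215.14", "192.168.122.197", 443, 59730, b"\x16\x03\x03", True),
    build_ipv4_tcp("192.168.122.197", "93.184.215.14", 59730, 443, b"\x17\x03\x03", False),
])

if __name__ == "__main__":
    print(audit_pcap(SAMPLE_PCAP))
```

To run it against a real file, replace SAMPLE_PCAP with the contents of capture.pcap read in binary mode. If only the packets sent by the capturing host fail while the replies from the server verify, the capture is offload-mangled rather than corrupt, and reading it with -k none (or capturing with offload disabled on the NIC) is the right fix; if packets in both directions fail, look at the capture setup itself.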