From db563ed4b0fae6ab799028f458ff76ceb0d410ef Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 2 May 2014 14:20:13 +0200
Subject: [PATCH] tls: check SSL3/TLS version per record

Set event if SSL3/TLS record isn't within the acceptable range.
---
 rules/tls-events.rules | 3 ++-
 src/app-layer-ssl.c | 10 ++++++++++
 src/app-layer-ssl.h | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index 0dfaa8a567..f9e886894f 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -8,6 +8,7 @@
 #
 alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
@@ -23,4 +24,4 @@ alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered,
 alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
-#next sid is 2230015
+#next sid is 2230016
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index b4993b4cd4..fc7583b1d0 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -58,6 +58,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
     /* TLS protocol messages */
     { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
     { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
+    { "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
     { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
     { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
     { "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT },
@@ -831,6 +832,15 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
         return parsed;
     }
+    /* check record version */
+    if (ssl_state->curr_connp->version < SSL_VERSION_3 ||
+        ssl_state->curr_connp->version > TLS_VERSION_12) {
+
+        AppLayerDecoderEventsSetEvent(ssl_state->f,
+                TLS_DECODER_EVENT_INVALID_RECORD_VERSION);
+        return -1;
+    }
+
     switch (ssl_state->curr_connp->content_type) {
         /* we don't need any data from these types */
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index fca4f4ed77..1e5bbebddb 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
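Review bot: In the SSLv3Decode hunk the new version check returns -1 right after setting TLS_DECODER_EVENT_INVALID_RECORD_VERSION, which presumably makes the caller abandon parsing for the rest of the flow (the caller's treatment of a negative return is outside the hunk), so a single record with an out-of-range version ends TLS inspection of that session instead of only flagging it; consider raising the event and continuing, or documenting at the check that stopping inspection is the intended outcome. A comment naming the accepted range would also help readers, e.g. `/* record version must be SSLv3 .. TLS 1.2; anything else is flagged and aborts parsing */`. The blank line after the opening brace of the `if` body is out of step with the surrounding style and could be dropped. SSLv3Decode starts and ends outside the hunk; the event-table hunk above and the enum hunk in app-layer-ssl.h only need to keep the new entry in the same relative position, which they do.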
@@ -33,6 +33,7 @@ enum {
     /* TLS protocol messages */
     TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
     TLS_DECODER_EVENT_INVALID_TLS_HEADER,
+    TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
     TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
     TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
     TLS_DECODER_EVENT_HEARTBEAT,
--
2.47.3