From: Philippe Antoine
Date: Tue, 3 Sep 2024 14:04:09 +0000 (+0200)
Subject: tls/ja3: adds test with duplicate handshake
X-Git-Tag: suricata-7.0.7~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2028%2Fhead;p=thirdparty%2Fsuricata-verify.git
tls/ja3: adds test with duplicate handshake
Ticket: 6634
---
diff --git a/tests/tls-duplicate-hello/README.md b/tests/tls-duplicate-hello/README.md
new file mode 100644
index 000000000..a2a3f73a9
--- /dev/null
+++ b/tests/tls-duplicate-hello/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test ja3 on tls with duplicate hello
+
+https://redmine.openinfosecfoundation.org/issues/6634
+
+# PCAP
+
+The pcap is crafted from srv.go and cli.py
diff --git a/tests/tls-duplicate-hello/cli.py b/tests/tls-duplicate-hello/cli.py
new file mode 100644
index 000000000..d9dc7a608
--- /dev/null
+++ b/tests/tls-duplicate-hello/cli.py
@@ -0,0 +1,15 @@
+import socket
+import binascii
+
+HOST = "127.0.0.1" # The server's hostname or IP address
+PORT = 8443 # The port used by the server
+
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+ s.connect((HOST, PORT))
+ data = binascii.unhexlify("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")
+ s.sendall(data)
+ data2 = binascii.unhexlify("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")
+ s.sendall(data2)
+ data = s.recv(1024)
+
+print(f"Received {data!r}")
diff --git a/tests/tls-duplicate-hello/input.pcap b/tests/tls-duplicate-hello/input.pcap
new file mode 100644
index 000000000..1a22faae0
Binary files /dev/null and b/tests/tls-duplicate-hello/input.pcap differ
diff --git a/tests/tls-duplicate-hello/srv.go b/tests/tls-duplicate-hello/srv.go
new file mode 100644
index 000000000..bf42f3a57
--- /dev/null
+++ b/tests/tls-duplicate-hello/srv.go
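Review bot: Nothing in cli.py says that the second `s.sendall(data2)` is the point of the test; the README calls this a duplicate hello, so a comment above `data2 = …` such as `# second copy of the ClientHello: the duplicate hello case from ticket 6634` would let the next reader see the intent without decoding the hex (the payload bytes are not visible here, so confirm that is what data2 holds). The `HOST`/`PORT` comments are the generic ones from the Python socket docs; `PORT = 8443  # must match ListenAndServeTLS in srv.go` ties the two fixtures together. `data = s.recv(1024)` reads a single chunk, which is fine since the pcap, not the response, is the product.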
@@ -0,0 +1,29 @@
+package main
+
+import (
+ // "fmt"
+ // "io"
+ "net/http"
+ "log"
+)
+
+/*
+openssl genrsa -out server.key 2048
+openssl ecparam -genkey -name secp384r1 -out server.key
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+*/
+
+func HelloServer(w http.ResponseWriter, req *http.Request) {
+ w.Header().Set("Content-Type", "text/plain")
+ w.Write([]byte("This is an example server.\n"))
+ // fmt.Fprintf(w, "This is an example server.\n")
+ // io.WriteString(w, "This is an example server.\n")
+}
+
+func main() {
+ http.HandleFunc("/hello", HelloServer)
+ err := http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil)
+ if err != nil {
+ log.Fatal("ListenAndServe: ", err)
+ }
+}
diff --git a/tests/tls-duplicate-hello/test.rules b/tests/tls-duplicate-hello/test.rules
new file mode 100644
index 000000000..555ac2cd8
--- /dev/null
+++ b/tests/tls-duplicate-hello/test.rules
@@ -0,0 +1 @@
+alert tls any any -> any any (msg:"ja3.string test"; ja3.string; content:"771,"; sid:1;)
\ No newline at end of file
diff --git a/tests/tls-duplicate-hello/test.yaml b/tests/tls-duplicate-hello/test.yaml
new file mode 100644
index 000000000..d1243a53b
--- /dev/null
+++ b/tests/tls-duplicate-hello/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 8
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
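Review bot: `http.ListenAndServeTLS(":8443", …)` in main binds every interface, while cli.py only ever connects to 127.0.0.1; `http.ListenAndServeTLS("127.0.0.1:8443", "server.crt", "server.key", nil)` keeps the pcap-crafting server loopback-only and yields the same capture. The openssl block above HelloServer lists two key-generation commands that both write server.key, so whichever ran second is the key actually used; keep the one that produced the fixture or mark them as alternatives. `log.Fatal("ListenAndServe: ", err)` names the wrong call; `log.Fatal("ListenAndServeTLS: ", err)` would match what is invoked. The commented-out imports and the two commented-out write alternatives in HelloServer are leftovers that gofmt will not remove and could be dropped.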
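Review bot: `min-version: 8` means this test is skipped on every 7.0.x build, although the commit is tagged into the suricata-7.0.7 range per the X-Git-Tag header; if the ticket 6634 fix is also in 7.0.x the requirement should follow it, and if not, a comment under `requires:` saying why 8 is needed would save the next reader the same question. The second filter pins the full ja3 string with `count: 1`, which is the real assertion that a duplicate hello yields one tls event rather than two; presumably the alert `count: 1` is there for the same reason, and a one-line comment saying so would make that explicit.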