From d3ddf3c98c59df22b1dffec4cda23ba59e1ceccd Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Thu, 1 Nov 2018 23:18:04 +0100
Subject: [PATCH] Add test for TLS 1.3 draft 18
---
tests/tls13-draft18/README.md | 8 ++++++++
tests/tls13-draft18/suricata.yaml | 25 +++++++++++++++++++++++
tests/tls13-draft18/test.yaml | 19 +++++++++++++++++
tests/tls13-draft18/tls13_draft18.pcapng | Bin 0 -> 6372 bytes
4 files changed, 52 insertions(+)
create mode 100644 tests/tls13-draft18/README.md
create mode 100644 tests/tls13-draft18/suricata.yaml
create mode 100644 tests/tls13-draft18/test.yaml
create mode 100644 tests/tls13-draft18/tls13_draft18.pcapng
diff --git a/tests/tls13-draft18/README.md b/tests/tls13-draft18/README.md
new file mode 100644
index 000000000..8803a40cb
--- /dev/null
+++ b/tests/tls13-draft18/README.md
@@ -0,0 +1,8 @@
+Simple test that tests a TLS 1.3 draft 18 pcap file from Wireshark issue
+tracker [1].
+
+PCAP URL:
+ https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15156
+
+[1] "12779 - Add TLS 1.3 support"
+https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
diff --git a/tests/tls13-draft18/suricata.yaml b/tests/tls13-draft18/suricata.yaml
new file mode 100644
index 000000000..7a29ad442
--- /dev/null
+++ b/tests/tls13-draft18/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-3.1.2.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - tls:
+ extended: yes # enable this for extended logging information
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ # Generate JA3 fingerprint from client hello
+ ja3-fingerprints: yes
+
+ encrypt-handling: bypass
diff --git a/tests/tls13-draft18/test.yaml b/tests/tls13-draft18/test.yaml
new file mode 100644
index 000000000..f2912a6c5
--- /dev/null
+++ b/tests/tls13-draft18/test.yaml
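Review bot: In tests/tls13-draft18/suricata.yaml, `encrypt-handling: bypass` is the only TLS option added without a comment, although it decides how much of the flow is inspected once the session turns encrypted. In a TLS 1.3 capture that point comes very early, so the test appears to rely on the tls event still being written before the flow is bypassed; if that is the intent, say so with a comment such as `# stop inspecting once the session is encrypted; the tls event must still be logged`. The `dp: 443` detection port also assumes the capture uses that port, which cannot be confirmed from the patch because the pcap is binary.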
@@ -0,0 +1,19 @@
+min-version: 4.1.0
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.version: "TLS 1.3 draft-18"
+ tls.ja3.hash: "23d254f72096d25c350e4a4a792f4948"
+ tls.ja3.string: "771,4865-4866-4867-49195-49199-158-49196-49200-159-52393-52392-52244-52243-49161-49187-49171-49191-51-103-49162-49188-49172-49192-57-107-156-157-47-60-53-61-10,65281-23-35-13-11-40-45-43-10,29-23-24,0"
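Review bot: The single `filter` under `checks` only asserts that exactly one event carries all four values at once, so it does not bound the total number of tls events. A second tls record with a wrongly parsed version would therefore go unnoticed, and a failure does not show whether the version string or the JA3 output regressed. Adding a filter that matches only `event_type: tls` with the expected total would close that gap; the count below is a guess and needs to be confirmed against the capture. A short comment on `-k none` saying that checksum validation is disabled for this capture would also help the next maintainer.

```yaml
checks:
  # total number of tls events expected from the capture (confirm against the pcap)
  - filter:
      count: 1
      match:
        event_type: tls
  # … unchanged: filter matching tls.version and the JA3 hash/string …
```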
diff --git a/tests/tls13-draft18/tls13_draft18.pcapng b/tests/tls13-draft18/tls13_draft18.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..c8100f0c7891874b47c7f8d4b4c5f73a95635b8f GIT binary patch literal 6372 zc-oDb2|QHa`^V4B7zPo>o@#{bd)6efM2cizl6}dV8EZ_kBo(qtNtS$(C`+W$l&BEd z_mF&%QmCY)|Ggtw^6med*Xz9QIqtd7`#hiLob%js(a_P+m;wL}DG75TpzF_HKNMgB z2VFdT{BgU)6vQM%B}G+_sA&N}0XTrVkGq$hjTcV9#KqeI?`-4kDu|O3lMs^uOF!5i zY)k#u6@Cf{(7@M$;4A^PsG+}7L)T6J!2rLWrGyIMm(6|85}8BvBLfVfI$T2A=BxzS zq%bx5O^XH*AekKn6%1OnBOgSRMvI6Ws8U(v)`I0bT@8 zDtFI77dJN>l&7~7+yg<_fSF-(_HRrfGE;Ot(~0yyF}YTl42Tux6<>>>_fQ=!OSC02 znK}5Z0{~@4#|fARbAb#*ZLscm+Il(!_5u?7|M8QwiQEq$L;%GuTv8Q@39^C!$ZPI@pM!i~URrwjzO)?D&J*e53RZPurG#!sNk}aBk&;2# zdAk46Lr!v~$1aqI16g)h2Uw41t75Quu_-7Is^@K_N7}P4SPv(WHF}&WJLyCs>p_mg z-(vs`j1umJ3I|#n4~+3w)7cYGaJRt|9K0!Q+-(9qJ;;tNF}QGK3rs#xOF!hQO9=vZyW*vuF zXhKUc%v;N{U&We9ITgDPu5aYmuG)68Uo`9d%7J)tAq-%&ofh%~LH4PM%p%){83$Lb z2_MHZu|iNAF6$WxuG$WmagBRJ20O%bI_CvzEf|CDgHw8CEJ9 zml(v9Y6ivWPK{q>C>dvkq{1SwNGysZOcDoINg^Z(kkOdmnAgbMh$T^zct}_hKad7a zBpMPgiJ2q-6o4zZ0@8svq_Ygz185+S?@#iIV}rcmfeIa9222zv3T98_3F%FA>^b=UpPwTt@i(56Z(Du-+ z35~!#sT^s*;cEe_(OE6_FIra%?AcHVjK%Sr{-indkl3`iZlNk`ke>E!{!JJq;r*ne z6vuz+r(7$S!lMa8R@_DQNnFo&kt&H!c_JQ)2}YiATgH`oD^e3rjlZ?J_53399XZU| zncLk)o48K-sD8)AD|9g2WH|Dbt5Ut4U&-xb$)|9y_RVz#pQX*-UES=U zv?VB2_lu~HP-d5BQ@2VHWnet*k5}J#N`>x|7wej+B&F8kNu)(`dSxCHM)wNJH6h zmBh}^^v7sxja!9SWCotMJ#Ks5MVISTqRk?5n}K`Oztezz^q`oqiLj2WpnKGCmyW~; z`t!xiRL`xS$};?mGW|Lq=w;CI&m>33Neru^DbFj}71^P}=iD8heB)7=)Vw`U7iQv$ zwX_K-;3Hhrk-U*{Z|+skpiAnhO?Alw!p~+q$7W3<)Y{%pC2w_oV*mJ5Y9UQq98R`~ z)%h~tCFPy34JB&`_!6^RH}9*#22|~zMeLBotf~_g7HLe{&AnO8q;wWN?P=}yp&22K zLG7!dk^k~K(7vdXK#{}>x~BVZ!Q9VuDt`=!QeMX&;o4qWQFR*AKE~Y}UXFXdztW}3 zd+^kUXnhxcx6z_NYl_}Oa(5JikoQ{H8%?gBjotSnb*#lVoBiZw@i=AutZn%;=8np; z*JJZqDzpQ9jN0NI(EsFb=OL7zYAPQmg(&8-Wuox#U44PAESy^HGLQGA@H^?CEqqF}lE!9rB^ok}e$t*idx zkCN3QkqnBO3MVf&$HxnaezTp|2`B;@hn#CPx{ivM9>G`KvFESqHjMJt5*au%%N*|B 
zrV`z_s5W-FH+Ysyj6zvVmYKD_dzSyrcQ@(m64tF=9hxrsoi7guz0p3jIbYs{LH1g3It3tZ{hZ z?)kKKZs7@`9Y~d_n(br7XD*adM);qcDJ7N!246(H#>$4~Td-J(YJX9^RTwVZDoZWF zhhdQ)@_PEIHL*!H+A|%OvaRyQ`LG?=4-$@v|9E6TTgB$~%dai|4-NPl=KFgJru*>ULUSYx^$yl=115g(qv&HPJF?dtlLYPG-&S(^lrVV@|D7Z5qgEK*BdDy)P#Z4ma|9~7^(UMoZac2c5tt-$j$j9U zg*9t)#If>^Nwk-X$IdMpRRmRHZOm;B>e7*9o;^vVYQ3wZDtF{Q&7Gh=leu=KnJdEs zZx5t~mDFJUZb`gE9eZ#_yoH{suQv)D)@r$o^wN%NWD%_oSDEg#o0G@LvzAN6qYRV{ zOpT;A4=X;d4f9uK<$Sw`-SDhzwqcI-xuSXQDEiQ9QJx5@QM`Fazl@2ze9zas(-Jpi z(nGPsGsG^_E}wW}o-=y81^fhe;hXWwf$v#2cPz&+l1`i4$#C0L`W-XZ)5#{TX5mr zk;3>UzWpe;TVC2_Gp(+F^!4?!g_l2~(w~K%pEk{xkuP#@d@i#nr=4SdSF3F5<2mkz ztm21_^gIV7sc~K}I3MM;?|{S~nf zN9B`oC39SMc`<1wKldE1kyG#ZAQT=sh<(AUZ7*9pXEE!}*cN(rTcwTH=lliFP)&a! zF<&i0 z{LU`0C)6p1yD!r}I>leu$(j$hqO%nQK>yU^f9~fyOS=S$hif6j3L~57_0E{g z#JG&(Ko^sy)%f8-*%;bl;allu$&%{guUlZxw&9pzr~iSDZ$MvGeY zS~xUtjtlnxV-+#QopDisnJ=Ya__e!}fbKp%fq4aN#-WnR#nacF3 znBAPdAvr$U(Q+f+@hz9wlTiQMjMM=Zm9-D^(^-=#>#J95%g@oJBvsx`@LcK!ZvybPW7 zm;IrOygyL=xj)cOg)kr({(FD8vWgKqcqA(bst0Yv@Tl!3zwR27lWL))9el>hTAyN-TjG;m&h;=?#es zR_7J3Y;fk;rsY`r-|x_E}R*N#khEUV6Us~8^EoVSIb zy3l$CbTWsIGZX-^)TW_c{;onk>yvG)x24Co<+rUhx-Hv6F129`tF12E3R-2W0mN6E zL3Oi@VxUvoOOC<&bupOy9fKXqF_^7^{fA?~^p-F&@$YSVf7y;2gva2f*CqzPnCo>n zv>0vti|$CW?)U%HT?h&5zGu&}?wyZe{)+B6#0sM=bgpp`sxNND_}GSm8KplrWI#FC zYi2D2_OGI&Yu1@Z;2~OqA!RDiq#TvdS8C`u)<0!{u_tLEG<@V@e@>#kw(AnRt5q)s za&i~&(&?8AA&R~eh8;%O_FPxtaEkQer_0`YF6alPA@=HB4*q<|7at7}APanaY#5{;Z4o=o8_`%V34$6AA< z^H{>%h?QS=9*@N5T^dSN=yTV9XG|}woa#}0@Y37(wC}W)CwxV_zU1L~Jw%v^AH@Xx zr$S;T?}b#}p2WV`$#HVC)1#_3CD+yz<>R+xx&&W5H>Mftyf_>1G%d_{j3sh_-S&G3 zMRq|%#Laz~EpJc}t_S=VoDSDaZoOB?W&aMe**sMS&FuBptO}dt6X(+g z+2efFo1beI$`~(cx_)hG56v~2Lv{0w=H9_JG