
I’m trying to write a Suricata rule that could alert on older versions of TLS. I’d like to detect whether TLS older than 1.2 is used for any egress traffic from my network to the Internet. I’m using AWS Network Firewall with stateful Suricata rules based on the strict ordering type. I wrote the rules below and put them at the top of the rule stack to make sure they’re processed first:

alert tls any any -> $EXTERNAL_NET any (tls.version:1.0; msg:"Match on negotiated TLS/SSL version - 1.0 detected"; sid:1; rev:1;)
alert tls any any -> $EXTERNAL_NET any (tls.version:1.1; msg:"Match on negotiated TLS/SSL version - 1.1 detected"; sid:2; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.0; msg:"Match version of SSL/TLS record - 1.0 detected"; sid:3; rev:1;)
alert tls any any -> $EXTERNAL_NET any (ssl_version:tls1.1; msg:"Match version of SSL/TLS record - 1.1 detected"; sid:4; rev:1;)

Then I was trying to generate some traffic:

curl -vvv --tlsv1.0 --tls-max 1.1 https://<some_example_urls_here>

Some additional info:

  1. In the docs, I can see that AWS Network Firewall supports Suricata 6.0.2: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html.
  2. AWS NF with Suricata is deployed into a separate network (VPC) between the network that has my workloads and the Internet. I have some pass rules to allow the needed destination URLs and the default drop established setting at the end.
  3. I can see flow logs for the traffic that goes to destination IPs. Pass rules work correctly.
  4. I have also created a simple alert rule that logs all egress traffic for the specific domain and it works.

The alert log doesn’t show any entries for the rules using tls.version and ssl_version, so it looks like there may be something wrong with the rules.

I’m new to Suricata, so I have probably missed something important in the rules above. Could anyone help me with this issue? Thank you.
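As an added example (not from the question, and not Suricata code), a small Python parser that pulls out the two fields the two rule families above key on: the record-layer version that ssl_version inspects, and the version the server selects in its ServerHello that the negotiated-version keyword tls.version inspects. The constructed TLS 1.3 record shows why the two can disagree (record layer and legacy_version stay at 1.2 while the supported_versions extension carries 1.3); run over a capture of the curl test traffic, it also shows whether any ServerHello with a pre-1.2 version was ever sent, which a negotiated-version match depends on. The ServerHello bytes are built inline for testing and are not captured traffic.

```python
import struct

# Version bytes -> the names Suricata accepts in tls.version / ssl_version.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2", 0x0304: "1.3"}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 22, 2, 43

def negotiated_version(ctype: int, body: bytes) -> "int | None":
    """Version chosen in a ServerHello (None for other records). TLS 1.3 keeps
    legacy_version at 0x0303 and signals the real choice in supported_versions."""
    if ctype != HANDSHAKE or len(body) < 42 or body[0] != SERVER_HELLO:
        return None
    legacy = int.from_bytes(body[4:6], "big")   # after 1-byte type + 3-byte length
    off = 6 + 32                                # skip 32-byte random
    off += 1 + body[off]                        # session_id length + session_id
    off += 2 + 1                                # cipher_suite, compression_method
    if off + 2 > len(body):                     # no extensions block at all
        return legacy
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return int.from_bytes(body[off + 4:off + 6], "big")
        off += 4 + elen
    return legacy

def describe(data: bytes) -> dict:
    """Record-layer and negotiated version by Suricata name, plus a pre-1.2 flag."""
    if len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
        raise ValueError("truncated TLS record")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    record_ver = (major << 8) | minor
    neg = negotiated_version(ctype, data[5:5 + length])
    chosen = record_ver if neg is None else neg
    return {"ssl_version": VERSION_NAMES.get(record_ver, hex(record_ver)),
            "tls.version": VERSION_NAMES.get(chosen, hex(chosen)),
            "below_1_2": chosen < 0x0303}

def build_server_hello(record_ver: int, legacy_ver: int, selected: "int | None" = None) -> bytes:
    """Constructed minimal ServerHello record for testing; not captured traffic."""
    hs = struct.pack("!H", legacy_ver) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected is not None:                    # TLS 1.3 style supported_versions
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        hs += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BBBH", HANDSHAKE, record_ver >> 8, record_ver & 0xFF, len(hs)) + hs
```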

  • Does anyone have an idea why these rules are not triggered? Is there any chance that I need to update the rules, or is the issue related to the way AWS Network Firewall is deployed? – FlashGordon Mar 20 '23 at 16:29

0 Answers