    Suricata Emerging Threats Policy match for POODLE issue

    Firewalling
dmunk:

      Hello,

I wanted to see if anyone could let me know whether I am seeing what seems to be a greedy match on a rule with Suricata.

      I am seeing multiple drops for "gen_id 1, sig_id 2019416":

alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3;)

alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)

Being that the browser passes the test, I am thinking that https://www.google.com would be safe to use. However, when the session is set up, the rule will match on EGRESS and INGRESS with:

flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"

Has anyone else had to deal with this? I don't like adding the rule to the suppress list, since the sites it is matching on happen to be the sites that actually concern me the most.

Browser tested with PASS using the following links:
      https://www.poodletest.com/
      https://www.ssllabs.com/ssltest/

Browser version info:

firefox -v
Mozilla Firefox 45.0.1

      All settings are pretty much default with firefox.

      Thanks

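The following is an added example, not code from the forum post or from the Emerging Threats ruleset. It builds constructed TLS handshake records carrying a ServerHello and applies the three conditions the post quotes from sid 2019416 (`content:"|16 03 00|"; depth:3`, `ssl_state:server_hello`, `ssl_version:sslv3`) to them, so you can see which byte positions the rule keys on: the first three bytes are the record-layer type and version, while the version the server actually negotiated sits inside the ServerHello body. The function and constant names are this example's own. It applies the rule text literally; whether a given Suricata build evaluates `ssl_version` the same way on real traffic is a separate question that the post does not settle, and the way to answer it is to capture the server's first record for one of the flagged sessions and feed those bytes to `parse_server_hello`.

```python
"""
Added example (not from the forum post or the ET ruleset): a minimal
TLS record / ServerHello parser that applies the byte-level conditions
of ET sid 2019416 to constructed server responses.

Conditions modelled from the rule text:
  content:"|16 03 00|"; depth:3  -> record type 0x16 (handshake) and
                                    record-layer version 3.0 in the first
                                    three bytes of the server's data
  ssl_state:server_hello         -> the record carries a ServerHello (type 0x02)
  ssl_version:sslv3              -> the server_version field inside the
                                    ServerHello body is 0x0300
"""
import struct

# Protocol version numbers as they appear on the wire (major, minor).
SSLV3 = 0x0300
TLS10 = 0x0301
TLS12 = 0x0303


def build_server_hello(record_version: int, hello_version: int) -> bytes:
    """Construct a minimal handshake record carrying a ServerHello.

    Constructed test data only: the random is zeroed, the session id is
    empty and a single cipher suite is selected. record_version is what
    goes in the 5-byte record header; hello_version is the server_version
    field of the ServerHello body (the version actually negotiated).
    """
    body = struct.pack("!H", hello_version)   # server_version
    body += b"\x00" * 32                      # random (zeroed for the example)
    body += b"\x00"                           # session_id length = 0
    body += b"\x00\x2f"                       # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                           # compression_method = null
    # Handshake header: type 0x02 (ServerHello) + 24-bit body length.
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 16-bit length.
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_hello(data: bytes):
    """Return (record_version, hello_version) for a handshake record whose
    first message is a ServerHello, or None if the bytes are anything else."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    record_version, length = struct.unpack("!HH", data[1:5])
    handshake = data[5:5 + length]
    if len(handshake) < 6 or handshake[0] != 0x02:
        return None
    hello_version = struct.unpack("!H", handshake[4:6])[0]
    return record_version, hello_version


def rule_2019416_matches(data: bytes) -> bool:
    """Apply the rule's three conditions to the first server-to-client record."""
    content_ok = data[:3] == b"\x16\x03\x00"    # content:"|16 03 00|"; depth:3
    parsed = parse_server_hello(data)           # ssl_state:server_hello
    if parsed is None:
        return False
    _, hello_version = parsed
    return content_ok and hello_version == SSLV3  # ssl_version:sslv3


def classify(data: bytes) -> str:
    """Human-readable summary of why a record does or does not match."""
    parsed = parse_server_hello(data)
    if parsed is None:
        return "not a ServerHello record"
    rec, hello = parsed
    return (f"record-layer version {rec:#06x}, negotiated {hello:#06x}, "
            f"first three bytes {data[:3].hex()} -> "
            f"{'MATCH' if rule_2019416_matches(data) else 'no match'}")


if __name__ == "__main__":
    samples = {
        "true SSLv3 negotiation":          build_server_hello(SSLV3, SSLV3),
        "TLS 1.2 negotiation":             build_server_hello(TLS12, TLS12),
        "3.0 record header, TLS 1.2 body": build_server_hello(SSLV3, TLS12),
    }
    for name, rec in samples.items():
        print(f"{name:34s} {classify(rec)}")
```

Only the first sample satisfies all three conditions; the third shows that the `content` match alone (a 3.0 record header) is not enough under the rule as written, because `ssl_version:sslv3` is tied to the negotiated version in the ServerHello body.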