Suricata Emerging Threats Policy match for POODLE issue



  • Hello,

    I was wanting to see if anyone could let me know if I am seeing what seems to be a greedy match on a rule with Suricata.

    I am seeing multiple drops for "gen_id 1, sig_id 2019416":

    alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3;)

    #
    alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)

    Being that the browser passes the test, I am thinking that https://www.google.com would be safe to use. However, when the session is set up, the rule will match on EGRESS and INGRESS with:

    flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"

    Has anyone else had to deal with this? I don't like adding the rule to the suppress list since the sites it is matching on happen to be the sites that actually concern me the most.

    Browser tested with PASS using the following links:
    https://www.poodletest.com/
    https://www.ssllabs.com/ssltest/

    Browser Version Info:

    firefox -v
    Mozilla Firefox 45.0.1

    All settings are pretty much default with firefox.

    Thanks
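One way to see which bytes of a captured TLS record the rule above is actually testing, as an added example that is not the poster's code, Suricata's code, or the Emerging Threats rule engine: the script below parses one handshake record, reports its record-layer version and hello version, and applies the three byte-level conditions of sid 2019416 (`content:"|16 03 00|"; depth:3`, `ssl_state:server_hello`, `ssl_version:sslv3`). The `flow:` and `threshold:` keywords and Suricata's own TLS state tracking are not modelled, and mapping `ssl_version:sslv3` to the version field inside the ServerHello body is an assumption made for this approximation, not a description of how Suricata implements the keyword. All sample records are constructed with `build_hello`, not captured traffic.

```python
"""Approximate the byte-level tests of ET sid 2019416 against one TLS/SSL record.

Added example; not Suricata's code and not the ET rule engine. Only three
conditions are modelled:
  content:"|16 03 00|"; depth:3  -> first three bytes of the record header
  ssl_state:server_hello         -> handshake message type 0x02
  ssl_version:sslv3              -> version 3.0 in the hello body (assumption)
flow:, threshold: and Suricata's TLS state machine are not modelled.
"""
from dataclasses import dataclass

HANDSHAKE = 0x16      # record-layer content type: handshake
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


@dataclass
class HelloRecord:
    content_type: int
    record_version: tuple   # (major, minor) from the 5-byte record header
    handshake_type: int
    hello_version: tuple    # (major, minor) from the hello body


def parse_hello_record(record: bytes) -> HelloRecord:
    """Parse the record header plus the first handshake message header.

    Raises ValueError for anything that is not a handshake record carrying a
    ClientHello or ServerHello (the two messages whose body starts with a version).
    """
    if len(record) < 11:
        raise ValueError("record too short for a record header plus a hello header")
    content_type = record[0]
    record_version = (record[1], record[2])
    record_len = int.from_bytes(record[3:5], "big")
    if content_type != HANDSHAKE:
        raise ValueError(f"content type 0x{content_type:02x} is not handshake")
    if len(record) - 5 < record_len:
        raise ValueError("record payload truncated")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError(f"handshake type 0x{hs_type:02x} is not a hello")
    if hs_len < 2:
        raise ValueError("hello body too short to carry a version")
    return HelloRecord(content_type, record_version, hs_type, (record[9], record[10]))


def rule_2019416_matches(record: bytes) -> bool:
    """Apply the rule's three byte-level tests to one server-to-client record."""
    try:
        hello = parse_hello_record(record)
    except ValueError:
        return False
    content_ok = record[:3] == b"\x16\x03\x00"       # content:"|16 03 00|"; depth:3
    state_ok = hello.handshake_type == SERVER_HELLO   # ssl_state:server_hello
    version_ok = hello.hello_version == (3, 0)        # ssl_version:sslv3 (assumption: hello body)
    return content_ok and state_ok and version_ok


def build_hello(hs_type: int, record_version: tuple, hello_version: tuple) -> bytes:
    """Build a minimal, constructed hello record (sample data, not captured traffic)."""
    body = bytes(hello_version) + b"\x00" * 32 + b"\x00"      # version, random, session-id len 0
    if hs_type == SERVER_HELLO:
        body += b"\x00\x2f" + b"\x00"                          # one cipher suite, null compression
    else:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"              # suites len 2 + suite, comp len 1 + null
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *record_version]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: only the first one carries an SSLv3 ServerHello.
SAMPLES = {
    "sslv3_server_hello": build_hello(SERVER_HELLO, (3, 0), (3, 0)),
    "tls10_server_hello": build_hello(SERVER_HELLO, (3, 1), (3, 1)),
    "tls12_server_hello": build_hello(SERVER_HELLO, (3, 3), (3, 3)),
    "sslv3_record_client_hello": build_hello(CLIENT_HELLO, (3, 0), (3, 1)),
}


def describe(record: bytes) -> str:
    """Human-readable summary of the versions the rule's tests look at."""
    h = parse_hello_record(record)
    kind = "ServerHello" if h.handshake_type == SERVER_HELLO else "ClientHello"
    rec = VERSION_NAMES.get(h.record_version, str(h.record_version))
    hel = VERSION_NAMES.get(h.hello_version, str(h.hello_version))
    return f"{kind}: record-layer {rec}, hello {hel}, sid 2019416 byte tests: {rule_2019416_matches(record)}"


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:28s} {describe(rec)}")
```

To check a real session, export the first record the server sends after the ClientHello (Wireshark's "Copy as Hex Stream" on the TLS record is enough) and pass its bytes to `describe`. Any record whose header starts with `16 03 01` or later fails the `depth:3` content test regardless of what version the hello body carries, so the two versions `describe` prints are the ones worth comparing when a match looks unexpected.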
