4. Suricata Emerging Threats Policy match for POODLE issue

Suricata Emerging Threats Policy match for POODLE issue

  • D

    Hello,

    I was wanting to see if anyone could let me know if I am seeing what seems to be a greedy match on a rule with Suricata.

    I am seeing multiple drops for "gen_id 1, sig_id 2019416":

    
alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3;)

#
alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)

    Being that the browser passes the test, I am thinking that https://www.google.com would be safe to use. However, when the session is set up, the rule will match on EGRESS and INGRESS with :

    
flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"

    Has anyone else had to deal with this? I dont like adding the rule to the suppress list since the sites it is matching on happen to be the sites that actually concern me the most.

    Browser tested with PASS using the following links :
    https://www.poodletest.com/
    https://www.ssllabs.com/ssltest/

    Browser Version Info :

    
firefox -v
Mozilla Firefox 45.0.1

    All settings are pretty much default with firefox.

    Thanks

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy