OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: AngusStewart on July 09, 2020, 01:19:32 PM

Title: Intrusion Detection blocking site
Post by: AngusStewart on July 09, 2020, 01:19:32 PM
Using Chrome to try and access www.plus.net, I get the following block from IDS:

Alert   ET INFO TLS Handshake Failure
Alert sid   2029340
Protocol   TCP
Source IP   212.159.8.2
Destination IP   192.168.0.101
Source port   443
Destination port   62196
Interface   LAN

When I use Firefox I have no problem. Can anyone shed light on this?

Using OPNsense 20.1.8_1-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Title: Re: Intrusion Detection blocking site
Post by: sja1440 on July 09, 2020, 03:57:20 PM
I am not an expert but here are some suggestions that come to mind.

I believe that the rule 2029340 is classed as "informational". That means that before assigning a drop action to it you should determine whether within your own environment it is appropriate to drop the packet (or indeed activate the rule).

The technical meaning of the rule can be found from https://doc.emergingthreats.net/bin/view/Main/WebSearch?search=2029340&scope=all&web=Main. Here is what it says for 2029340:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TLS Handshake Failure"; flow:established,to_client; dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; metadata: former_category INFO; classtype:bad-unknown; sid:2029340; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_01_30, updated_at 2020_01_30;)

My bit-level knowledge of TLS is very rusty, so I am unable to tell you what the content 00 02 02 28 means. But given that Suricata has found an objectionable TLS message during the handshake from the server to the client, it seems plausible that the server did not like the TLS Client Hello sent by Chrome but it does like the TLS Client Hello from Firefox.

I note that SSLlabs at https://www.ssllabs.com/ssltest/analyze.html?d=www.plus.net says that only TLS 1.2 is supported by www.plus.net.

My suggestions are:
(1) Do you really want to assign the Drop action to that Rule?
(2) Review your TLS cryptographic settings on Chrome by comparing them to those of Firefox, including SSLVersionMin (not set to 1.3, is it?).
(3) Given that the problem is reproducible it might be worth your while capturing the TLS traffic (with Wireshark) to see what is going on.
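As an added illustration (not part of either post above), the following Python decodes the 7-byte TLS alert record that sid 2029340 matches and re-implements the rule's content checks, so the "|15| ... |00 02 02 28|" bytes can be read as a fatal handshake_failure alert (description 0x28 = 40 in RFC 5246). The sample record is constructed, not captured from plus.net.

```python
# Added example, not from the forum thread: decode the TLS alert record that
# ET rule sid 2029340 matches, and mirror its content checks on a raw record.
# TLS record layout: content_type(1) version(2) length(2) payload(length).
# An alert payload is level(1) description(1), so the whole record is 7 bytes.

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 / RFC 8446 AlertDescription registry (lookup table only)
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    70: "protocol_version",
    80: "internal_error",
}

# Constructed sample: TLS 1.2 record version, alert, fatal, handshake_failure
SAMPLE_ALERT = bytes.fromhex("15 03 03 00 02 02 28")


def matches_sid_2029340(record: bytes) -> bool:
    """Apply the rule's packet-content checks to one TLS record.

    dsize:7                  -> payload is exactly 7 bytes
    content:"|15|"; depth:1  -> byte 0 is 0x15 (alert content type)
    content:"|00 02 02 28|"; distance:2; within:4
        -> skip 2 bytes (the record version) after the first match,
           then the next 4 bytes must be 00 02 02 28 (length 2, fatal, 40)
    """
    return (
        len(record) == 7
        and record[0] == 0x15
        and record[3:7] == b"\x00\x02\x02\x28"
    )


def decode_tls_alert(record: bytes) -> dict:
    """Parse a TLS alert record into named fields; ValueError if malformed."""
    if len(record) != 7 or record[0] != 0x15:
        raise ValueError("not a single TLS alert record")
    length = int.from_bytes(record[3:5], "big")
    if length != 2:
        raise ValueError(f"unexpected alert payload length {length}")
    level, desc = record[5], record[6]
    return {
        "record_version": f"{record[1]}.{record[2]}",  # 3.3 is TLS 1.2
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }
```

Because the rule keys on the server telling the client it will not negotiate, the signature itself carries no information about why; a capture of the preceding Client Hello (as suggested in point 3) is what reveals the mismatch.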