Topic: Intrusion Detection blocking site (Read 3495 times)
AngusStewart
Newbie
Posts: 2
Karma: 0
Intrusion Detection blocking site « on: July 09, 2020, 01:19:32 pm »
Using Chrome to try and access www.plus.net I get the following block from IDS:
Alert ET INFO TLS Handshake Failure
Alert sid 2029340
Protocol TCP
Source IP 212.159.8.2
Destination IP 192.168.0.101
Source port 443
Destination port 62196
Interface LAN
When I use Firefox I have no problem. Can anyone shed light on this?
Using OPNsense 20.1.8_1-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020
sja1440
Jr. Member
Posts: 86
Karma: 6
Re: Intrusion Detection blocking site « Reply #1 on: July 09, 2020, 03:57:20 pm »
I am not an expert, but here are some suggestions that come to mind.
I believe that the rule 2029340 is classed as "informational". That means that before assigning a drop action to it you should determine whether, within your own environment, it is appropriate to drop the packet (or indeed to activate the rule).
The technical meaning of the rule can be found from https://doc.emergingthreats.net/bin/view/Main/WebSearch?search=2029340&scope=all&web=Main . Here is what it says for 2029340:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TLS Handshake Failure"; flow:established,to_client; dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; metadata: former_category INFO; classtype:bad-unknown; sid:2029340; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_01_30, updated_at 2020_01_30;)
My bit-level knowledge of TLS is very rusty, so I am unable to tell you what the content 00 02 02 28 means. But given that Suricata has found an objectionable TLS message during the handshake from the server to the client, it seems plausible that the server did not like the TLS Client Hello sent by Chrome but it does like the TLS Client Hello from Firefox.
I note that SSLlabs at https://www.ssllabs.com/ssltest/analyze.html?d=www.plus.net says that only TLS 1.2 is supported by www.plus.net.
My suggestions are:
(1) Do you really want to assign the Drop action to that rule?
(2) Review your TLS cryptographic settings on Chrome by comparing them to those of Firefox, including SSLVersionMin (it is not set to 1.3, is it?).
(3) Given that the problem is reproducible, it might be worth your while capturing the TLS traffic (with Wireshark) to see what is going on.
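The reply above quotes the rule but leaves the content bytes undecoded. As an added example (not code from OPNsense, Suricata or Emerging Threats, and not part of the thread), the Python below re-implements the rule's byte checks on a single TCP payload and decodes the TLS alert record they describe: the first byte 0x15 is the record type "alert", the two bytes the rule skips with distance:2 are the record version, 00 02 is the record length, and the two-byte body 02 28 is alert level 2 (fatal) with description 40 (handshake_failure). The sample payloads are constructed, not captured from the poster's network.

```python
# Added example: decode the TLS alert record matched by Suricata rule sid 2029340.
# Not OPNsense / Suricata / Emerging Threats code; sample payloads are constructed.

# Alert level and description values from the TLS Alert Protocol (RFC 5246 section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}
RECORD_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def matches_sid_2029340(payload: bytes) -> bool:
    """Mirror the rule's checks on one server-to-client TCP payload:
    dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4."""
    if len(payload) != 7:               # dsize:7 -> whole payload is exactly 7 bytes
        return False
    if payload[0:1] != b"\x15":         # |15| within the first byte (depth:1): alert record
        return False
    # distance:2 skips the 2-byte record version after the previous match;
    # within:4 requires the next 4 bytes to be exactly 00 02 02 28.
    return payload[3:7] == b"\x00\x02\x02\x28"


def decode_tls_alert(payload: bytes) -> dict:
    """Decode a TLS alert record: type(1) version(2) length(2) level(1) description(1)."""
    if len(payload) < 7 or payload[0] != 0x15:
        raise ValueError("not a TLS alert record")
    version = (payload[1], payload[2])
    length = int.from_bytes(payload[3:5], "big")
    if length != 2 or len(payload) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = payload[5], payload[6]
    return {
        "record_version": RECORD_VERSIONS.get(version, f"unknown{version}"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


# Constructed sample payloads (not real captures).
FATAL_HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"   # what the rule fires on
WARNING_CLOSE_NOTIFY = b"\x15\x03\x03\x00\x02\x01\x00"      # normal session teardown
HANDSHAKE_RECORD = b"\x16\x03\x03\x00\x02\x02\x28"          # type 0x16: not an alert


def classify(payload: bytes) -> str:
    """Human-readable verdict for one payload, as an analyst would want in a triage script."""
    if matches_sid_2029340(payload):
        a = decode_tls_alert(payload)
        return f"sid 2029340 match: {a['record_version']} {a['level']} {a['description']}"
    return "no match for sid 2029340"


if __name__ == "__main__":
    for name, sample in [("fatal handshake_failure", FATAL_HANDSHAKE_FAILURE),
                         ("warning close_notify", WARNING_CLOSE_NOTIFY),
                         ("handshake record", HANDSHAKE_RECORD)]:
        print(f"{name}: {classify(sample)}")
```

A fatal handshake_failure sent by the server means the server rejected the parameters the client offered, which is consistent with the reply's guess that the server dislikes Chrome's Client Hello; the alert is sent by the server as part of a failed negotiation, so matching it is a sign of a compatibility problem rather than of an attack, which is why the rule carries signature_severity Informational and why a drop action on it only makes the failed connection harder to diagnose.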