-
Notifications
You must be signed in to change notification settings - Fork 90
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Tests that flow is TLS and if SNI is expected.
- Loading branch information
1 parent
7b1c16a
commit bb2000c
Showing
4 changed files
with
136 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| Firewall: enforce TLS | ||
| ===================== | ||
|
|
||
| Rules to allow TCP setup, followed by TLS. Drop all else. |
101 changes: 101 additions & 0 deletions
101
tests/firewall/firewall-03-tcp-tls-enforce/suricata.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| %YAML 1.1 | ||
| --- | ||
|
|
||
| # Global stats configuration | ||
| stats: | ||
| enabled: yes | ||
| # The interval field (in seconds) controls the interval at | ||
| # which stats are updated in the log. | ||
| interval: 8 | ||
| # Add decode events to stats. | ||
| #decoder-events: true | ||
| # Decoder event prefix in stats. Has been 'decoder' before, but that leads | ||
| # to missing events in the eve.stats records. See issue #2225. | ||
| #decoder-events-prefix: "decoder.event" | ||
| # Add stream events as stats. | ||
| #stream-events: false | ||
|
|
||
| # Configure the type of alert (and other) logging you would like. | ||
| outputs: | ||
| - eve-log: | ||
| enabled: yes | ||
| filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
| filename: eve.json | ||
| types: | ||
| - alert: | ||
| # payload: yes # enable dumping payload in Base64 | ||
| # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log | ||
| # payload-printable: yes # enable dumping payload in printable (lossy) format | ||
| # packet: yes # enable dumping of packet (without stream segments) | ||
| # metadata: no # enable inclusion of app layer metadata with alert. Default yes | ||
| # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 | ||
| # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format | ||
|
|
||
| # Enable the logging of tagged packets for rules using the | ||
| # "tag" keyword. | ||
| tagged-packets: yes | ||
| # Enable logging the final action taken on a packet by the engine | ||
| # (e.g: the alert may have action 'allowed' but the verdict be | ||
| # 'drop' due to another alert. That's the engine's verdict) | ||
| # verdict: yes | ||
| - anomaly: | ||
| # Anomaly log records describe unexpected conditions such | ||
| # as truncated packets, packets with invalid IP/UDP/TCP | ||
| # length values, and other events that render the packet | ||
| # invalid for further processing or describe unexpected | ||
| # behavior on an established stream. Networks which | ||
| # experience high occurrences of anomalies may experience | ||
| # packet processing degradation. | ||
| # | ||
| # Anomalies are reported for the following: | ||
| # 1. Decode: Values and conditions that are detected while | ||
| # decoding individual packets. This includes invalid or | ||
| # unexpected values for low-level protocol lengths as well | ||
| # as stream related events (TCP 3-way handshake issues, | ||
| # unexpected sequence number, etc). | ||
| # 2. Stream: This includes stream related events (TCP | ||
| # 3-way handshake issues, unexpected sequence number, | ||
| # etc). | ||
| # 3. Application layer: These denote application layer | ||
| # specific conditions that are unexpected, invalid or are | ||
| # unexpected given the application monitoring state. | ||
| # | ||
| # By default, anomaly logging is enabled. When anomaly | ||
| # logging is enabled, applayer anomaly reporting is | ||
| # also enabled. | ||
| enabled: yes | ||
| # | ||
| # Choose one or more types of anomaly logging and whether to enable | ||
| # logging of the packet header for packet anomalies. | ||
| types: | ||
| # decode: no | ||
| # stream: no | ||
| # applayer: yes | ||
| #packethdr: no | ||
| - tls: | ||
| extended: yes # enable this for extended logging information | ||
| # output TLS transaction where the session is resumed using a | ||
| # session id | ||
| #session-resumption: no | ||
| # ja4 hashes in tls records will never be logged unless | ||
| # the following is set to on. (Default off) | ||
| # ja4: off | ||
| # custom controls which TLS fields that are included in eve-log | ||
| #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] | ||
| - files: | ||
| force-magic: no # force logging magic on all logged files | ||
| # force logging of checksums, available hash functions are md5, | ||
| # sha1 and sha256 | ||
| #force-hash: [md5] | ||
| - drop: | ||
| alerts: yes # log alerts that caused drops | ||
| flows: all # start or all: 'start' logs only a single drop | ||
| # EXPERIMENTAL per packet output giving TCP state tracking details | ||
| # including internal state, flags, etc. | ||
| # This output is experimental, meant for debugging and subject to | ||
| # change in both config and output without any notice. | ||
| #- stream: | ||
| # all: false # log all TCP packets | ||
| # event-set: false # log packets that have a decoder/stream event | ||
| # state-update: false # log packets triggering a TCP state update | ||
| # spurious-retransmission: false # log spurious retransmission packets |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # allow tcp handshake | ||
|
|
||
| pass tcp any any <> any 443 (flow:not_established; sid:1;) | ||
|
|
||
| # allow tls | ||
|
|
||
| pass tls any any <> any 443 (flow:established; sid:2;) | ||
|
|
||
| # drop everything else | ||
|
|
||
| drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| pcap: ../../tls/tls-random/input.pcap | ||
|
|
||
| args: | ||
| - -k none | ||
| - --simulate-ips | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: alert | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: drop | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: tls | ||
| tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS |