SURICATA TLS certificate invalid der

After a fresh install of IPFire 2.27 (x86_64) - core179 and following a restore, I have noticed my IPS log is flooded with the following messages.

Googling the error, it appears to be related to a Suricata issue.

Is there a way around this at the moment other than disabling IPS on the RED interface?

=====

11:18:14	suricata:	rule reload complete
11:18:14	suricata:	cleaning up signature grouping structure... complete
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.PS.Download' is checked but not set. Checked in 2032169 and 3 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.bit.do.shortener' is checked but not set. Checked in 2029550 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 9 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2018428 and 1 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 11 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 3 other sigs
11:18:01	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017247 and 0 other sigs
11:18:01	suricata:	28526 signatures processed. 1054 are IP-only rules, 4901 are inspecting packet payload, 22367 inspect application layer, 108 are decoder event only
11:18:00	suricata:	Threshold config parsed: 0 rule(s) found
11:18:00	suricata:	48 rule files processed. 28526 rules successfully loaded, 114 rules failed
11:17:55	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)" from file /var/lib/suricata/emerging-ja3.rules at line 245
11:17:55	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
11:17:55	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /var/lib/suricata/emerging-ja3.rules at line 41
11:17:55	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
11:17:54	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)" from file /var/lib/suricata/emerging-dns.rules at line 91
11:17:54	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
11:17:35	suricata:	Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
11:17:35	suricata:	Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
11:17:35	suricata:	Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
11:17:35	suricata:	Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
11:17:35	suricata:	rule reload starting
11:17:35	suricata:	Signature(s) loaded, Detect thread(s) activated.
11:17:35	suricata:	rule reload complete
11:17:35	suricata:	cleaning up signature grouping structure... complete
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.PS.Download' is checked but not set. Checked in 2032169 and 3 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.bit.do.shortener' is checked but not set. Checked in 2029550 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 9 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2018428 and 1 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 11 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 3 other sigs
11:17:00	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017247 and 0 other sigs
11:17:00	suricata:	28526 signatures processed. 1054 are IP-only rules, 4901 are inspecting packet payload, 22367 inspect application layer, 108 are decoder event only
11:16:59	suricata:	Threshold config parsed: 0 rule(s) found
11:16:59	suricata:	48 rule files processed. 28526 rules successfully loaded, 114 rules failed
11:16:55	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)" from file /var/lib/suricata/emerging-ja3.rules at line 245
11:16:55	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
11:16:55	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /var/lib/suricata/emerging-ja3.rules at line 41
11:16:55	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
11:16:54	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)" from file /var/lib/suricata/emerging-dns.rules at line 91
11:16:54	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
11:16:39	suricata:	Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
11:16:39	suricata:	Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
11:16:39	suricata:	Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
11:16:39	suricata:	Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
11:16:39	suricata:	rule reload starting
11:16:39	suricata:	all 4 packet processing threads, 2 management threads initialized, engine started.
11:16:39	suricata:	fail-open mode should be set on queue
11:16:39	suricata:	setting nfnl bufsize to 6144000
11:16:39	suricata:	setting queue length to 4096
11:16:39	suricata:	binding this thread 3 to queue '3'
11:16:39	suricata:	fail-open mode should be set on queue
11:16:39	suricata:	setting nfnl bufsize to 6144000
11:16:39	suricata:	setting queue length to 4096
11:16:39	suricata:	binding this thread 2 to queue '2'
11:16:39	suricata:	fail-open mode should be set on queue
11:16:39	suricata:	setting nfnl bufsize to 6144000
11:16:39	suricata:	setting queue length to 4096
11:16:39	suricata:	binding this thread 1 to queue '1'
11:16:39	suricata:	fail-open mode should be set on queue
11:16:39	suricata:	setting nfnl bufsize to 6144000
11:16:39	suricata:	setting queue length to 4096
11:16:39	suricata:	binding this thread 0 to queue '0'
11:16:39	suricata:	Packets will start being processed before signatures are active.
11:16:39	suricata:	fast output device (regular) initialized: fast.log
11:16:39	suricata:	dropped the caps for main thread
11:16:39	suricata:	NFQ running in REPEAT mode with mark 2147483648/2147483648
11:16:39	suricata:	Enabling fail-open on queue
11:16:39	suricata:	HTTP memcap: 268435456
11:16:39	suricata:	CPUs/cores online: 4
11:16:39	suricata:	This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
11:16:39	suricata:	Signal Received. Stopping engine.
11:16:39	suricata:	Signature(s) loaded, Detect thread(s) activated

So far I have found how to disable the rule by

cd /usr/share/suricata/rules
nano tls-events.rules
/etc/init.d/suricata restart

Then I commented out the relevant rule with the text: SURICATA TLS certificate invalid der
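As an added example (not IPFire's or Suricata's own code, and not from the poster), the same edit done by script rather than in nano: comment out every active rule whose msg contains the given text, idempotently and with a backup, and count fast.log hits for that msg so you can see whether the rule is really firing before silencing it. The rule lines and fast.log lines embedded below are constructed samples with placeholder sids 9000001-9000003, not the contents of tls-events.rules; the fast.log line shape is assumed to be Suricata's default fast format.

```python
# Added example for this thread (not IPFire's or Suricata's own code): comment out
# Suricata rules by their msg text, as the post above does by hand, and check
# fast.log for hits on the same msg. Rule and log lines below are constructed
# samples with placeholder sids, not the real tls-events.rules contents.
import re
import shutil
from pathlib import Path

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# Assumed default fast.log shape: "<date>  [**] [gid:sid:rev] <msg> [**] ..."
FAST_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]')


def disable_rules_by_msg(rules_text, msg_substring):
    """Return (new_text, disabled_sids). Every active rule whose msg contains
    msg_substring becomes a comment; comments and non-rule lines are left as
    they are, so running this twice changes nothing the second time."""
    out, disabled = [], []
    for line in rules_text.splitlines(keepends=True):
        stripped = line.lstrip()
        active = bool(stripped) and not stripped.startswith("#")
        m = MSG_RE.search(line)
        if active and m and msg_substring in m.group(1):
            sid = SID_RE.search(line)
            disabled.append(int(sid.group(1)) if sid else None)
            out.append("# " + line)
        else:
            out.append(line)
    return "".join(out), disabled


def disable_in_file(path, msg_substring):
    """Edit a rules file in place, keeping a .bak copy; returns disabled sids.
    Restart Suricata afterwards (on IPFire: /etc/init.d/suricata restart)."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, sids = disable_rules_by_msg(p.read_text(), msg_substring)
    p.write_text(new_text)
    return sids


def count_fast_log_hits(fast_log_lines, msg_substring):
    """Count fast.log alerts per sid whose msg contains msg_substring, to
    confirm whether a noisy rule is actually firing before disabling it."""
    hits = {}
    for line in fast_log_lines:
        m = FAST_RE.search(line)
        if m and msg_substring in m.group(4):
            sid = int(m.group(2))
            hits[sid] = hits.get(sid, 0) + 1
    return hits


# Constructed sample rules (placeholder sids 9000001-9000003).
SAMPLE_RULES = (
    'alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; '
    'flow:established; app-layer-event:tls.invalid_handshake_message; '
    'classtype:protocol-command-decode; sid:9000001; rev:1;)\n'
    'alert tls any any -> any any (msg:"SURICATA TLS certificate invalid der"; '
    'flow:established; app-layer-event:tls.certificate_invalid_der; '
    'classtype:protocol-command-decode; sid:9000002; rev:1;)\n'
    '# alert tls any any -> any any (msg:"SURICATA TLS certificate invalid der"; '
    'sid:9000003; rev:1;)\n'
)

# Constructed fast.log lines (placeholder timestamps, addresses and sids).
SAMPLE_FAST_LOG = [
    '01/01/2024-11:18:14.000001  [**] [1:9000002:1] SURICATA TLS certificate invalid der '
    '[**] [Classification: Generic Protocol Command Decode] [Priority: 3] '
    '{TCP} 192.0.2.10:443 -> 198.51.100.5:51000',
    '01/01/2024-11:18:15.000002  [**] [1:9000002:1] SURICATA TLS certificate invalid der '
    '[**] [Classification: Generic Protocol Command Decode] [Priority: 3] '
    '{TCP} 192.0.2.11:443 -> 198.51.100.5:51001',
    '01/01/2024-11:18:16.000003  [**] [1:9000001:1] SURICATA TLS invalid handshake message '
    '[**] [Classification: Generic Protocol Command Decode] [Priority: 3] '
    '{TCP} 192.0.2.12:443 -> 198.51.100.5:51002',
]

if __name__ == "__main__":
    text, sids = disable_rules_by_msg(SAMPLE_RULES, "certificate invalid der")
    print("disabled sids:", sids)
    print("fast.log hits:", count_fast_log_hits(SAMPLE_FAST_LOG, "certificate invalid der"))
```

Matching on the msg text rather than on a hard-coded sid keeps the script valid across ruleset updates that bump the rev or renumber the rule; the .bak copy lets you put the rule back once a fixed Suricata build arrives.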

I think the rule must be triggering on something though. I don’t have any of those messages in any of my suricata fastlogs.

Following your link, it looks like a fix for suricata has been submitted but it consists of something like 24 different commits.

It seems like the fix is being merged into the suricata-7.x branch, but currently IPFire is running on the suricata-6.x branch, which is the current stable release.

The change from branch 6 to branch 7 is a major change so changing to it will require some significant testing.

Apparently in branch 7 the default action for any rule will be to block it, unlike with branch 6 where the default is to pass unless it has been changed to block in the signature.

This could result in signatures that allowed traffic by default in the past blocking it with branch 7.

I am not certain, but this might mean that different signature sets are needed for branch 7 as compared to branch 6.


I have read somewhere else that a similar error was related to MTU values causing packet truncation; however, I have been using the default MTU values in my network (rather than custom ones).

Btw, I also get (but less frequently, so not enough to bother about):

SURICATA STREAM 3way handshake excessive different SYNs
SURICATA STREAM 3way handshake SYN/ACK ignored TFO data