firefox + SSLv3 + Snort Emerging woes

Support for security such as Firewalls and securing linux
Post Reply
User avatar
dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

firefox + SSLv3 + Snort Emerging woes

Post by dmunk » 2016/03/22 03:22:25

Hello,

Anyone else using snort with emerging threats rule set? I just started having a ton of problems related to matches for sig_id 2019416 ( out bound POODLE risk). The match is spoty though. I get that this is not a SNORT or Emerging Threats forum; however, was wondering is anyone else using firefox had issues. Or, as I am thinking is the case, I am special. I have even pulled in the firefox latest from for mozilla to see if that helped with the logic being that it was firefox allowing an SSLv3 connection to be set up. Any way, I thought the client set what it allowed in the initial connection set up; that being said, the latest firefox is supposed to address that I thought.

Any help would be appreciated as I am not sure the older information related to addressing SSLv3 is still relevant. Again, input appreciated. I am just trying to rule out anything on the system before digging into the rule maybe being a bit greedy on its match or something.


EDIT :

In my case, all sessions with the following are getting matched :

The actual blocks being done :

Code: Select all

03/21/2016-19:56:51.653882  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-20:03:57.965801  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.101:443
03/21/2016-20:04:28.806374  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.102:443
03/21/2016-20:27:39.110696  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 157.56.141.114:443
03/21/2016-20:27:45.174199  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-20:45:56.258553  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:11:23.424291  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:16:23.405877  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:23:12.901352  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:28:14.403773  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:31:56.565142  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.190:443
03/21/2016-21:33:15.808408  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:38:16.825851  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:45:12.910182  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-22:09:44.907446  [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.190:443

The tls.logs :

Code: Select all

/root: grep 'google\|centos' /var/log/suricata/suricata_em27797/tls.log|grep -i sslv3
03/21/2016-19:56:51.608252 76.114.92.75:47486 -> 216.58.192.100:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-20:03:57.943915 76.114.92.75:48354 -> 74.125.196.101:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-20:04:28.806778 76.114.92.75:10569 -> 74.125.196.102:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-20:27:45.135834 76.114.92.75:29988 -> 216.58.192.100:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-20:54:11.194203 76.114.92.75:33448 -> 216.58.192.100:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-21:31:56.571349 76.114.92.75:19048 -> 74.125.196.190:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-21:31:56.543115 76.114.92.75:25312 -> 74.125.196.190:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-22:08:36.867880 76.114.92.75:32507 -> 216.58.192.100:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-22:09:44.883433 76.114.92.75:47798 -> 74.125.196.190:443  TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'


giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: firefox + SSLv3 + Snort Emerging woes

Post by giulix63 » 2016/03/22 09:08:11

Not using Snort on any of my systems, atm. Anyway, from Poodle wikipedia page:
Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and has added support of TLS_FALLBACK_SCSV in Firefox 35.
Since we're on 38.7 ESR, I guess it's safe to assume we're protected.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

User avatar
TrevorH
Forum Moderator
Posts: 27384
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firefox + SSLv3 + Snort Emerging woes

Post by TrevorH » 2016/03/22 09:09:40

Perhaps it is something else on your machines that does not have SSLv3 disabled that is causing this traffic.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

Re: firefox + SSLv3 + Snort Emerging woes

Post by dmunk » 2016/03/22 16:12:48

Hello,

Thanks for checking in!

My assumption was the same as to what was allowed. I actually pulled the upstream version of firefox in and still was seeing the snort match. This match, when looking at the rule matches on the session set up. Now, testing the browser itself I was able to see that I was "Not Vulnerable". Testing was done using the two links below :

https://www.poodletest.com/
https://www.ssllabs.com/ssltest/ ( kept failing due to a weird TLS connection packet which was also flagged and dropped)

After looking at the rules that are doing the match I am thinking its due to, at least in my case, www.google.com trying to set up a SSLv3 connection which is matching the below rules. To be specific, the important piece is "ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"

Code: Select all


alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3;)

alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)

As it is, I am suppressing based on known targets which happen to be the sites that I wish to keep this active on. So, not a fix, but a work around to keep access to google search open.

So, I guess I'll ask on suricata and emerging threats forums. I'll leave this open since it seems it might help others once the solution comes up.

dmunk

Post Reply

Return to “CentOS 7 - Security Support”