3CORESec / testmynids.org

A website and framework for testing NIDS detection
https://testmynids.org

Bad Certificate Authorities (test 4) no longer triggering Suricata #3

Closed geofflowemn closed 2 months ago

geofflowemn commented 3 months ago

Hello.

I use your tool faithfully to test my NIDS system (Suricata on OPNsense) and within the last couple of months, I have noticed that test 4, Bad Certificate Authorities, no longer seems to trigger a Suricata alert.

If I'm understanding the fields in the rule set(s) (https://rules.emergingthreats.net/open/suricata-7.0.3/emerging-all.rules) correctly, could it be because the rules for both certificates (edellroot and superfish) contain "deprecation_reason Age"?

Does this mean the rules aren't actually triggering anymore?

Is there a different certificate that could be used for the test now?

0xtf commented 3 months ago

Hi @geofflowemn, thanks for the report. Let us look into it and we'll update this shortly.

0xtf commented 3 months ago

It seems T4 is still triggering 2022134 and 2020493 as long as they are rev4 and rev3 respectively, which is one revision behind the current one.

07/19/2024-21:23:12.786546  [**] [1:2022134:4] ET WEB_CLIENT Possible eDellRoot Rogue Root CA [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 104.154.89.105:443 -> X.X.X.X:40088
07/19/2024-21:23:13.015766  [**] [1:2020493:3] ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 104.154.89.105:443 -> X.X.X.X:40102

Unfortunately, the reason for the updated revision is that they were disabled (hence the # at the beginning of the current version) in their latest update by Proofpoint.

We'll do a revisit of the current ruleset and come up with additional tests. I'm sure there are other CAs or certificates we can use.

We'll leave this issue open for tracking and we'll close (and notify) once we push out new tests, @geofflowemn.
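The comment above explains why the test went quiet: the ET rules still exist, but the current revisions are commented out with a leading `#` and carry `deprecation_reason Age` metadata. The following is an added example (not part of the issue, the testmynids.org project, or the ET ruleset) that parses a rules file and reports, for the SIDs you care about, whether each is enabled, its revision, and any deprecation reason. The sample rule text is constructed to mirror that shape and is not the real ET rule bodies; the revision numbers follow the thread's note that the current revisions are one ahead of rev 4 / rev 3.

```python
import re

# Constructed sample in Suricata rule syntax (NOT the real ET rule bodies):
# two disabled, deprecated rules from the thread plus one live rule for contrast.
SAMPLE_RULES = """\
# alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; metadata:deprecation_reason Age; classtype:trojan-activity; sid:2022134; rev:5;)
# alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; metadata:deprecation_reason Age; classtype:trojan-activity; sid:2020493; rev:4;)
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"EXAMPLE Still-live rule"; flow:established,to_client; classtype:trojan-activity; sid:9000001; rev:1;)
"""

# key:value; pairs inside the rule body (values here contain no ';')
OPTION_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')


def parse_rules(text):
    """Return {sid: info} for every rule line, whether enabled or commented out."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith("alert"):
            continue  # an ordinary comment, not a disabled rule
        opts = dict(OPTION_RE.findall(body))
        if "sid" not in opts:
            continue
        meta = {}
        for item in opts.get("metadata", "").split(","):
            parts = item.strip().split(None, 1)
            if len(parts) == 2:
                meta[parts[0]] = parts[1]
        rules[int(opts["sid"])] = {
            "enabled": enabled,
            "rev": int(opts.get("rev", 0)),
            "msg": opts.get("msg", "").strip('"'),
            "deprecation_reason": meta.get("deprecation_reason"),
        }
    return rules


def check_sids(rules, sids):
    """Map each SID of interest to a short status a NIDS tester can act on."""
    status = {}
    for sid in sids:
        info = rules.get(sid)
        if info is None:
            status[sid] = "missing"
        elif not info["enabled"]:
            status[sid] = f"disabled rev {info['rev']} ({info['deprecation_reason'] or 'unknown'})"
        else:
            status[sid] = f"enabled rev {info['rev']}"
    return status


if __name__ == "__main__":
    for sid, state in check_sids(parse_rules(SAMPLE_RULES), [2022134, 2020493]).items():
        print(sid, state)
```

Point it at a downloaded emerging-all.rules instead of SAMPLE_RULES to see why a test's expected SID is silent before blaming the sensor.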

heyibrahimkhan commented 2 months ago

@geofflowemn, hopefully the latest update to the master resolves it for you.

Feel free to try the latest update on master (that is out just now) and let us know.

geofflowemn commented 2 months ago

@heyibrahimkhan, thanks for the update.

I ran through each of the new sites listed in test_badcas(), but only the last one, "curl -s https://beetrootculture.com/" actually triggered a Suricata alert for me. Perhaps it's due to the Suricata rules I have configured for use...?

For example, I am not running "ET INFO" which would have triggered on "curl -s https://adguard.clroot.io/".

My firewall is also configured to use Quad9 for DNS resolution. Perhaps some of these are blocked by that?

In any case, there is one that I can use. Thank you!

heyibrahimkhan commented 2 months ago

Yes. As you explained, there can be multiple factors that affect whether a rule triggers.

That was one motivation to add multiple tests under the individual test types.