ikev1: add documentation for ikev1

pull/5961/head
frank honza 5 years ago committed by Victor Julien
parent 37940180a8
commit ab59ef0d79

@ -1811,3 +1811,112 @@ Example of HTTP2 logging, of a request and response:
]
}
}
Event type: IKE
---------------
The parser implementations for IKEv1 and IKEv2 have a slightly different feature
set. They can be distinguished using the "version_major" field (which equals
either 1 or 2).
The unique properties are contained within a separate "ikev1" and "ikev2" sub-object.
Fields
~~~~~~
* "init_spi", "resp_spi": The Security Parameter Index (SPI) of the initiator and responder.
* "version_major": Major version of the ISAKMP header.
* "version_minor": Minor version of the ISAKMP header.
* "payload": List of payload types in the current packet.
* "exchange_type": Type of the exchange, as numeric values.
* "exchange_type_verbose": Type of the exchange, in human-readable form. Needs ``extended: yes`` set in the ``ike`` EVE output option.
* "alg_enc", "alg_hash", "alg_auth", "alg_dh", "alg_esn": Properties of the chosen security association by the server.
* "ikev1.encrypted_payloads": Set to ``true`` if the payloads in the packet are encrypted.
* "ikev1.doi": Value of the domain of interpretation (DOI).
* "ikev1.server.key_exchange_payload", "ikev1.client.key_exchange_payload": Public key exchange payloads of the server and client.
* "ikev1.server.key_exchange_payload_length", "ikev1.client.key_exchange_payload_length": Length of the public key exchange payload.
* "ikev1.server.nonce_payload", "ikev1.client.nonce_payload": Nonce payload of the server and client.
* "ikev1.server.nonce_payload_length", "ikev1.client.nonce_payload_length": Length of the nonce payload.
* "ikev1.client.client_proposals": List of the security associations proposed to the server.
* "ikev1.vendor_ids": List of the vendor IDs observed in the communication.
Examples
~~~~~~~~
Example of IKE logging:
::
"ike": {
"version_major": 1,
"version_minor": 0,
"init_spi": "8511617bfea2f172",
"resp_spi": "c0fc6bae013de0f5",
"message_id": 0,
"exchange_type": 2,
"exchange_type_verbose": "Identity Protection",
"sa_life_type": "LifeTypeSeconds",
"sa_life_type_raw": 1,
"sa_life_duration": "Unknown",
"sa_life_duration_raw": 900,
"alg_enc": "EncAesCbc",
"alg_enc_raw": 7,
"alg_hash": "HashSha2_256",
"alg_hash_raw": 4,
"alg_auth": "AuthPreSharedKey",
"alg_auth_raw": 1,
"alg_dh": "GroupModp2048Bit",
"alg_dh_raw": 14,
"sa_key_length": "Unknown",
"sa_key_length_raw": 256,
"alg_esn": "NoESN",
"payload": [
"VendorID",
"Transform",
"Proposal",
"SecurityAssociation"
],
"ikev1": {
"doi": 1,
"encrypted_payloads": false,
"client": {
"key_exchange_payload": "0bf7907681a656aabed38fb1ba8918b10d707a8e635a...",
"key_exchange_payload_length": 256,
"nonce_payload": "1427d158fc1ed6bbbc1bd81e6b74960809c87d18af5f0abef14d5274ac232904",
"nonce_payload_length": 32,
"proposals": [
{
"sa_life_type": "LifeTypeSeconds",
"sa_life_type_raw": 1,
"sa_life_duration": "Unknown",
"sa_life_duration_raw": 900,
"alg_enc": "EncAesCbc",
"alg_enc_raw": 7,
"alg_hash": "HashSha2_256",
"alg_hash_raw": 4,
"alg_auth": "AuthPreSharedKey",
"alg_auth_raw": 1,
"alg_dh": "GroupModp2048Bit",
"alg_dh_raw": 14,
"sa_key_length": "Unknown",
"sa_key_length_raw": 256
}
]
},
"server": {
"key_exchange_payload": "1e43be52b088ec840ff81865074b6d459b5ca7813b46...",
"key_exchange_payload_length": 256,
"nonce_payload": "04d78293ead007bc1a0f0c6c821a3515286a935af12ca50e08905b15d6c8fcd4",
"nonce_payload_length": 32
},
"vendor_ids": [
"4048b7d56ebce88525e7de7f00d6c2d3",
"4a131c81070358455c5728f20e95452f",
"afcad71368a1f1c96b8696fc77570100",
"7d9419a65310ca6f2c179d9215529d56",
"cd60464335df21f87cfdb2fc68b6a448",
"90cb80913ebb696e086381b5ec427b1f"
]
},
}
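Review bot: the field list and the example disagree on the name of the proposals key: the list documents ``ikev1.client.client_proposals`` while the example logs it as ``"proposals": [`` inside ``"client"``; one of the two should be corrected so anyone writing parsers or dashboards from this page finds the field. The example is also not valid JSON as pasted: the ``},`` that closes the ``ikev1`` object is immediately followed by the closing ``}`` of ``ike``, so that trailing comma should go. Several fields that appear in the example (``message_id``, ``sa_life_type``, ``sa_life_duration``, ``sa_key_length`` and the ``*_raw`` variants) are missing from the Fields list, and ``alg_enc``/``alg_hash``/``alg_auth``/``alg_dh``/``alg_esn`` are described as chosen "by the server" while the keyword page below says "by the Responder"; using one term throughout would avoid confusion.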

@ -0,0 +1,155 @@
IKE Keywords
============
The keywords
* ``ike.init_spi``
* ``ike.resp_spi``
* ``ike.chosen_sa_attribute``
* ``ike.exchtype``
* ``ike.vendor``
* ``ike.key_exchange_payload``
* ``ike.key_exchange_payload_length``
* ``ike.nonce_payload``
* ``ike.nonce_payload_length``
can be used for matching on various properties of IKE connections.
ike.init_spi, ike.resp_spi
--------------------------
Match on an exact value of the Security Parameter Index (SPI) for the Initiator or Responder.
Examples::
ike.init_spi; content:"18fe9b731f9f8034";
ike.resp_spi; content:"a00b8ef0902bb8ec";
``ike.init_spi`` and ``ike.resp_spi`` are 'sticky buffer'.
``ike.init_spi`` and ``ike.resp_spi`` can be used as ``fast_pattern``.
ike.chosen_sa_attribute
-----------------------
Match on an attribute value of the chosen Security Association (SA) by the Responder. Supported for IKEv1 are:
``alg_enc``,
``alg_hash``,
``alg_auth``,
``alg_dh``,
``alg_prf``,
``sa_group_type``,
``sa_life_type``,
``sa_life_duration``,
``sa_key_length`` and
``sa_field_size``.
IKEv2 supports ``alg_enc``, ``alg_auth``, ``alg_prf`` and ``alg_dh``.
Examples::
ike.chosen_sa_attribute:alg_hash=2;
ike.chosen_sa_attribute:sa_key_length=128;
ike.exchtype
------------
Match on the value of the Exchange Type.
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)
Examples::
ike.exchtype:5;
ike.exchtype:>=2;
ike.vendor
----------
Match a vendor ID against the list of collected vendor IDs.
Examples::
ike.vendor:4a131c81070358455c5728f20e95452f;
ike.key_exchange_payload
------------------------
Match against the public key exchange payload (e.g. Diffie-Hellman) of the server or client.
Examples::
ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9|"
``ike.key_exchange_payload`` is a 'sticky buffer'.
``ike.key_exchange_payload`` can be used as ``fast_pattern``.
ike.key_exchange_payload_length
-------------------------------
Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client.
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)
Examples::
ike.key_exchange_payload_length:>132
ike.nonce_payload
-----------------
Match against the nonce of the server or client.
Examples::
ike.nonce_payload; content:"|6d026d5616c45be05e5b898411e9|"
``ike.nonce_payload`` is a 'sticky buffer'.
``ike.nonce_payload`` can be used as ``fast_pattern``.
ike.nonce_payload_length
------------------------
Match against the length of the nonce of the server or client.
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)
Examples::
ike.nonce_payload_length:132
ike.nonce_payload_length:>132
Additional information
----------------------
More information on the protocol and the data contained in it can be found here:
`<https://tools.ietf.org/html/rfc2409>`_
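Review bot: the rule examples are inconsistent about the trailing semicolon: ``ike.init_spi; content:"18fe9b731f9f8034";`` ends with one, but ``ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9|"``, ``ike.key_exchange_payload_length:>132`` and the two ``ike.nonce_payload_length`` examples do not; keywords are terminated by ``;`` in rules, so all examples should carry it. "are 'sticky buffer'" should read "are sticky buffers". The ``ike.key_exchange_payload`` and ``ike.nonce_payload`` sections say "of the server or client" without stating whether the buffer matches either side's payload or how the direction is selected (the EVE output logs them separately under ``client`` and ``server``); a sentence on that would help rule writers. The Additional information section links only RFC 2409 (IKEv1) although the ``ike.chosen_sa_attribute`` section states the keywords also apply to IKEv2; adding the IKEv2 RFC (RFC 7296) would complete the references.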

@ -27,6 +27,7 @@ Suricata Rules
sip-keywords
rfb-keywords
mqtt-keywords
ike-keywords
http2-keywords
app-layer
xbits

@ -54,6 +54,11 @@ Removals
if this behavior is still required. See :ref:`multiple-eve-instances`.
- Unified2 has been removed. See :ref:`unified2-removed`.
Logging changes
~~~~~~~~~~~~~~~
- IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to
``ike.ikev2.errors`` and ``ike.ikev2.notify``.
Upgrading 4.1 to 5.0
--------------------
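Review bot: the logging-changes entry should name the old event_type (previously ``ikev2``) so upgraders know what to search for in existing rules and dashboards; "IKEv2 Eve logging changed, the event_type has become ``ike``" says where it went but not what it was, and the comma splice should be fixed ("IKEv2 EVE logging changed: the event_type is now ``ike``."). Since this commit also adds the ``ikev1`` sub-object and the shared top-level fields, the entry could mention that IKEv1 exchanges are now logged under the same ``ike`` event type.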
