...
Snort3 crash on FTD running 7.2.1 after processing a Client Hello packet like the one below:

Decoded Packet - (Type - 1)
Packet (Length: 635)
Layer ETH:
  Destination: 00:50:56:aa:aa:aa
    Address: 00:50:56:bb:bb:bb
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Source: 00:50:56:aa:aa:aa
    Address: 00:50:56:bb:bb:bb
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: IPv4 (0x0800)
Layer IP:
  0100 .... = Version: 4
  .... 0101 = Header Length: 20 bytes (5)
  Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
  Total Length: 621
  Identification: 0xf95d (63837)
  Flags: 0x4000, Don't fragment
    0... .... .... .... = Reserved bit: Not set
    .1.. .... .... .... = Don't fragment: Set
    ..0. .... .... .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment offset: 0
  Time to live: 128
  Protocol: TCP (6)
  Header checksum: 0xb26f [validation disabled]
  Header checksum status: Unverified
  Source: 10.1.1.1
  Destination: 153.1.19.1
Layer TCP:
  Source Port: 58501
  Destination Port: 443
  Stream index: 0
  TCP Segment Len: 581
  Sequence number: 1 (relative sequence number)
  Next sequence number: 582 (relative sequence number)
  Acknowledgment number: 1 (relative ack number)
  0101 .... = Header Length: 20 bytes (5)
  Flags: 0x018 (PSH, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 1... = Push: Set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
    TCP Flags: ·······AP···
  Window size value: 1023
  Calculated window size: 1023
  Window size scaling factor: -1 (unknown)
  Checksum: 0x0000 [unverified]
  Checksum Status: Unverified
  Urgent pointer: 0
  SEQ/ACK analysis
    Bytes in flight: 581
    Bytes sent since last PSH flag: 581
  Timestamps
    Time since first frame in this TCP stream: 0.000000000 seconds
    Time since previous frame in this TCP stream: 0.000000000 seconds
  TCP payload (581 bytes)
Layer SSL:
  TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 576
    Handshake Protocol: Client Hello
      Handshake Type: Client Hello (1)
      Length: 572
      Version: TLS 1.2 (0x0303)
      Random: 83dbe35e73d64d277f427f03ecc367a5628f7fb3b6c5e82a...
        GMT Unix Time: Feb 7, 2040 11:11:26.000000000 UTC
        Random Bytes: 73d64d277f427f03ecc367a5628f7fb3b6c5e82a2204b8e0...
      Session ID Length: 32
      Session ID: b6c4764449a6fe5da8ad2520ac657e21d821ee9a0fddf740...
      Cipher Suites Length: 44
      Cipher Suites (22 suites)
        Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
        Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
      Compression Methods Length: 1
      Compression Methods (1 method)
        Compression Method: null (0)
      Extensions Length: 455
      Extension: server_name (len=27)
        Type: server_name (0)
        Length: 27
        Server Name Indication extension
          Server Name list length: 25
          Server Name Type: host_name (0)
          Server Name length: 22
          Server Name: az667904.vo.msecnd.net
      Extension: supported_versions (len=9)
        Type: supported_versions (43)
        Length: 9
        Supported Versions length: 8
        Supported Version: TLS 1.3 (0x0304)
        Supported Version: TLS 1.2 (0x0303)
        Supported Version: TLS 1.1 (0x0302)
        Supported Version: TLS 1.0 (0x0301)
      Extension: signature_algorithms (len=26)
        Type: signature_algorithms (13)
        Length: 26
        Signature Hash Algorithms Length: 24
        Signature Hash Algorithms (12 algorithms)
          Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
            Signature Hash Algorithm Hash: Unknown (8)
            Signature Hash Algorithm Signature: Unknown (4)
          Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
            Signature Hash Algorithm Hash: Unknown (8)
            Signature Hash Algorithm Signature: Unknown (5)
          Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
            Signature Hash Algorithm Hash: Unknown (8)
            Signature Hash Algorithm Signature: Unknown (6)
          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
            Signature Hash Algorithm Hash: SHA256 (4)
            Signature Hash Algorithm Signature: RSA (1)
          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
            Signature Hash Algorithm Hash: SHA384 (5)
            Signature Hash Algorithm Signature: RSA (1)
          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: RSA (1)
          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
            Signature Hash Algorithm Hash: SHA256 (4)
            Signature Hash Algorithm Signature: ECDSA (3)
          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
            Signature Hash Algorithm Hash: SHA384 (5)
            Signature Hash Algorithm Signature: ECDSA (3)
          Signature Algorithm: ecdsa_sha1 (0x0203)
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: ECDSA (3)
          Signature Algorithm: SHA1 DSA (0x0202)
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: DSA (2)
          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
            Signature Hash Algorithm Hash: SHA512 (6)
            Signature Hash Algorithm Signature: RSA (1)
          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
            Signature Hash Algorithm Hash: SHA512 (6)
            Signature Hash Algorithm Signature: ECDSA (3)
      Extension: SessionTicket TLS (len=0)
        Type: SessionTicket TLS (35)
        Length: 0
        Data (0 bytes)
      Extension: supported_groups (len=8)
        Type: supported_groups (10)
        Length: 8
        Supported Groups List Length: 6
        Supported Groups (3 groups)
          Supported Group: x25519 (0x001d)
          Supported Group: secp256r1 (0x0017)
          Supported Group: secp384r1 (0x0018)
      Extension: key_share (len=71)
        Type: key_share (51)
        Length: 71
        Key Share extension
          Client Key Share Length: 69
          Key Share Entry: Group: secp256r1, Key Exchange length: 65
            Group: secp256r1 (23)
            Key Exchange Length: 65
            Key Exchange: 0454d6edd468e28c8190e508d09eea67e882bf3bad46b149...
      Extension: post_handshake_auth (len=0)
        Type: post_handshake_auth (49)
        Length: 0
      Extension: extended_master_secret (len=0)
        Type: extended_master_secret (23)
        Length: 0
      Extension: renegotiation_info (len=1)
        Type: renegotiation_info (65281)
        Length: 1
        Renegotiation Info extension
          Renegotiation info extension length: 0
      Extension: psk_key_exchange_modes (len=2)
        Type: psk_key_exchange_modes (45)
        Length: 2
        PSK Key Exchange Modes Length: 1
        PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
      Extension: pre_shared_key (len=267)
        Type: pre_shared_key (41)
        Length: 267
        Pre-Shared Key extension
          Identities Length: 214
          PSK Identity (length: 208)
            Identity Length: 208
            Identity: 29db241ec9d9c8a74012673e9c2d166758ebdfdfd9e06211...
            Obfuscated Ticket Age: 1117342541
          PSK Binders length: 49
          PSK Binders
SSL inspection needs to be enabled, with Snort3 as the IPS engine.
None known at this point.
NA