Impact
Invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic.
Patches
This issue has been addressed in 7.0.7.
Workarounds
JA4 is used in TLS and QUIC, and each is handled separately.
TLS
JA4 for TLS can be disabled in the tls section of the app-layer configuration by setting ja4-fingerprints to false (default: auto). For example:
app-layer:
  protocols:
    tls:
      ja4-fingerprints: false
QUIC
QUIC does not have a JA4 feature flag and JA4 is always enabled for it, so the recommendation is to disable QUIC until Suricata can be updated, for example:
app-layer:
  protocols:
    quic:
      enabled: false
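One way to confirm that both workarounds took effect on a sensor, as an added example that is not part of the original advisory or of Suricata's own code: it parses the text printed by suricata --dump-config. The function names and the sample input are constructed here, and treating a missing quic.enabled key as "enabled" is an assumption.

```python
"""Check `suricata --dump-config` output for the JA4 workarounds (added example)."""
import sys

# Spellings that Suricata's configuration loader reads as false.
FALSE_VALUES = {"false", "no", "off", "0"}

TLS_JA4 = "app-layer.protocols.tls.ja4-fingerprints"
QUIC_ENABLED = "app-layer.protocols.quic.enabled"


def parse_dump(text):
    """Turn 'dotted.key = value' lines into a dict; other lines are skipped."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            conf[key.strip()] = value.strip().lower()
    return conf


def workaround_status(text):
    """Return {'tls': bool, 'quic': bool}; True means the workaround is in place."""
    conf = parse_dump(text)
    return {
        # An absent key or "auto" leaves JA4 available to the TLS parser.
        "tls": conf.get(TLS_JA4, "auto") in FALSE_VALUES,
        # Assumption: an absent key is treated as QUIC being enabled.
        "quic": conf.get(QUIC_ENABLED, "yes") in FALSE_VALUES,
    }


# Constructed sample input, not captured from a real sensor.
SAMPLE = """\
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.ja4-fingerprints = false
app-layer.protocols.quic.enabled = yes
"""

if __name__ == "__main__":
    # Usage: suricata --dump-config > dump.txt && python3 check_ja4.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for proto, ok in workaround_status(text).items():
        print(f"{proto}: {'workaround applied' if ok else 'JA4 path still reachable'}")
```

With the constructed sample, TLS reports the workaround as applied while QUIC is still flagged because it remains enabled.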
References
https://redmine.openinfosecfoundation.org/issues/7267
Credits
Found by OSS-fuzz.