diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index f1315f8c85..61e6e438db 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -12,7 +12,7 @@ export {
 ## Time when the SSL connection was first detected.
 ts: time &log;
 ## Unique ID for the connection.
- uid: string &log;
+ uid: string &log;
 ## The connection's 4-tuple of endpoint addresses/ports.
 id: conn_id &log;
 ## SSL/TLS version that the server offered.
@@ -25,7 +25,20 @@ export {
 ## indicates the server name that the client was requesting.
 server_name: string &log &optional;
 ## Session ID offered by the client for session resumption.
- session_id: string &log &optional;
+ ## Not used for logging.
+ session_id: string &optional;
+ ## Flag to indicate if the session was resumed and re-used
+ ## the key material exchanged in an earlier connection.
+ resumed: bool &log &default=F;
+ ## Flag to indicate if we saw a non-empty session ticket being
+ ## sent by the client using an empty session ID. This value
+ ## is used to determine if a session is being resumed and is
+ ## not logged
+ client_ticket_empty_session_seen: bool &default=F;
+ ## Flag to indicate if we saw a client key exchange message sent
+ ## by the client. This value is used to determine if a session
+ ## is being resumed and is not logged.
+ client_key_exchange_seen: bool &default=F;
 ## Last alert that was seen during the connection.
 last_alert: string &log &optional;
@@ -36,11 +49,11 @@ export {
 ## Flag to indicate if this ssl session has been established
 ## succesfully, or if it was aborted during the handshake.
- established: bool &log &default=F;
+ established: bool &log &default=F;
 ## Flag to indicate if this record already has been logged, to
 ## prevent duplicates.
- logged: bool &default=F;
+ logged: bool &default=F;
 };
 ## The default root CA bundle. By default, the mozilla-ca-list.bro
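Review bot: Dropping `&log` from `session_id` removes a column from ssl.log, but the replacement comment `## Not used for logging.` only states the fact; consumers of the log would benefit from one sentence on why, for instance that the new `resumed` column now carries the information this column was used for, if that is the intent. The three new field comments are also inconsistent in style: `## not logged` lacks the full stop that the parallel `## is being resumed and is not logged.` has. The export record begins before this hunk.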
@@ -149,8 +162,11 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
 set_session(c);
 # Save the session_id if there is one set.
- if ( session_id != /^\x00{32}$/ )
+ if ( |session_id| > 0 && session_id != /^\x00{32}$/ )
+ {
 c$ssl$session_id = bytestring_to_hexstr(session_id);
+ c$ssl$client_ticket_empty_session_seen = F;
+ }
 }
 event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
@@ -159,6 +175,9 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 c$ssl$version = version_strings[version];
 c$ssl$cipher = cipher_desc[cipher];
+
+ if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
+ c$ssl$resumed = T;
 }
 event ssl_server_curve(c: connection, curve: count) &priority=5
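Review bot: The comment `# Save the session_id if there is one set.` above the new `if` no longer describes the whole branch, which now also clears `client_ticket_empty_session_seen`; I would extend it to `# Save the session_id if there is one set. A non-empty ID also means the ticket seen in ssl_extension was not sent with an empty session ID.` so the coupling with the ssl_extension handler is visible at the point where it is undone. The ssl_client_hello body begins outside the hunk, so I cannot see whether earlier statements in the handler touch these fields.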
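Review bot: The new `c$ssl$resumed = T` assignment in ssl_server_hello is undocumented, and the heuristic it encodes is not obvious to someone reading the log; I would add `# A server echoing the client's session ID signals an abbreviated handshake, i.e. session-ID based resumption (ticket acceptance is expressed the same way per RFC 5077).` above the `if`. Note that `resumed` has `&default=F` and is only ever set to T, so once set it stays for the lifetime of the ssl record; if that record persists across a renegotiation on the same connection (not visible in the hunk), a later full handshake would presumably still log as resumed. The ssl_server_hello body begins outside the hunk.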
@@ -180,6 +199,34 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 }
 }
+event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE )
+ c$ssl$client_key_exchange_seen = T;
+ }
+
+# extension event is fired _before_ the respective client or server hello.
+# Important for client_ticket_empty_session_seen
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
+ # in this case, we might have an empty ID. Set back to F in client_hello event
+ # if it is not empty after all
+ c$ssl$client_ticket_empty_session_seen = T;
+ }
+
+event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && c$ssl$client_ticket_empty_session_seen && !c$ssl$client_key_exchange_seen )
+ c$ssl$resumed = T;
+ }
+
 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
 {
 set_session(c);
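Review bot: `client_key_exchange_seen` is set to T in ssl_handshake_message and never cleared, so if a connection renegotiates after an initial full handshake, the `!c$ssl$client_key_exchange_seen` test in ssl_change_cipher_spec can no longer fire for the second handshake, presumably leaving a ticket-resumed renegotiation logged as not resumed; whether the ssl record persists across renegotiation is not visible here. Since the ClientKeyExchange message arrives after the client hello, clearing the flag at the start of the ssl_client_hello handler (`c$ssl$client_key_exchange_seen = F;` directly after its `set_session(c);`) would scope it to the current handshake without disturbing the ticket flag that ssl_extension sets before the hello. The `SSL::extensions[code]` lookup in ssl_extension also relies on that table carrying a `&default`; if it does not, an unknown extension code raises a runtime error on a client hello, which a `code in SSL::extensions &&` guard ahead of the comparison would avoid. I would also document the heuristic in ssl_change_cipher_spec with `# Heuristic: a client ChangeCipherSpec without a preceding ClientKeyExchange, after a non-empty ticket was offered with an empty session ID, indicates ticket-based resumption.`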