mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge remote-tracking branch 'origin/topic/johanna/tls13-details'
* origin/topic/johanna/tls13-details: Update SSL documentation. support the newer TLS 1.3 key_share extension. Include all data of the server-hello random Parse pre-shared-key extension. Added a small portability fix for the gmt_unix_time byte-swapping.
This commit is contained in:
Jon Siwek
commit
05a58f90a2
24 changed files with 368 additions and 52 deletions
18
CHANGES
18
CHANGES
|
|
@ -1,4 +1,22 @@
|
||||||
|
|
||||||
|
2.6-399 | 2019-06-07 14:02:18 -0700
|
||||||
|
|
||||||
|
* Update SSL documentation. (Johanna Amann)
|
||||||
|
|
||||||
|
* Support the newer TLS 1.3 key_share extension. (Johanna Amann)
|
||||||
|
|
||||||
|
* Include all data of the server-hello random (Johanna Amann)
|
||||||
|
|
||||||
|
Before we cut the first 4 bytes, which makes it impossible to recognize
|
||||||
|
several newer packets (like the hello retry).
|
||||||
|
|
||||||
|
* Parse TLS 1.3 pre-shared-key extension. (Johanna Amann)
|
||||||
|
|
||||||
|
Adds new events:
|
||||||
|
|
||||||
|
- ssl_extension_pre_shared_key_client_hello
|
||||||
|
- ssl_extension_pre_shared_key_server_hello
|
||||||
|
|
||||||
2.6-391 | 2019-06-07 17:29:28 +1000
|
2.6-391 | 2019-06-07 17:29:28 +1000
|
||||||
|
|
||||||
* GH-209: replace "remote_ip" field of radius.log with "tunnel_client".
|
* GH-209: replace "remote_ip" field of radius.log with "tunnel_client".
|
||||||
|
|
|
||||||
10
NEWS
10
NEWS
|
|
@ -90,6 +90,10 @@ New Functionality
|
||||||
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
|
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
|
||||||
available in the new ``rdp_client_network_data`` event.
|
available in the new ``rdp_client_network_data`` event.
|
||||||
|
|
||||||
|
- Add parsing support for TLS 1.3 pre-shared key extension. This info
|
||||||
|
is available in the events: ``ssl_extension_pre_shared_key_client_hello``
|
||||||
|
and ``ssl_extension_pre_shared_key_server_hello``.
|
||||||
|
|
||||||
Changed Functionality
|
Changed Functionality
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
@ -255,6 +259,12 @@ Changed Functionality
|
||||||
reason for this is that the Tunnel-Client-Endpoint RADIUS attribute
|
reason for this is that the Tunnel-Client-Endpoint RADIUS attribute
|
||||||
this data is derived from may also be a FQDN, not just an IP address.
|
this data is derived from may also be a FQDN, not just an IP address.
|
||||||
|
|
||||||
|
- The ``ssl_server_hello`` event's ``server_random`` parameter has been
|
||||||
|
changed to always include the full 32-byte field from the
|
||||||
|
ServerHello. Previously a 4-byte timestamp and 28-byte random data
|
||||||
|
were parsed separately as some TLS protocol versions specified a
|
||||||
|
separate timestamp field as part of the full 32-byte random sequence.
|
||||||
|
|
||||||
Removed Functionality
|
Removed Functionality
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
|
||||||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
2.6-391
|
2.6-399
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
Subproject commit bfefac3a882b382bfb7ad749974930884da954a6
|
Subproject commit e142a362b4c712699ac43494a245058948c085c8
|
||||||
2
doc
2
doc
|
|
@ -1 +1 @@
|
||||||
Subproject commit 7194cea467758da4c70be7779bf3ffedb799ce56
|
Subproject commit f8869ea5f72cda06d5acf0fbeefd5af102f7d77e
|
||||||
|
|
@ -4140,6 +4140,10 @@ export {
|
||||||
SignatureAlgorithm: count; ##< Signature algorithm number
|
SignatureAlgorithm: count; ##< Signature algorithm number
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type PSKIdentity: record {
|
||||||
|
identity: string; ##< PSK identity
|
||||||
|
obfuscated_ticket_age: count;
|
||||||
|
};
|
||||||
|
|
||||||
## Number of non-DTLS frames that can occur in a DTLS connection before
|
## Number of non-DTLS frames that can occur in a DTLS connection before
|
||||||
## parsing of the connection is suspended.
|
## parsing of the connection is suspended.
|
||||||
|
|
@ -4161,6 +4165,8 @@ module GLOBAL;
|
||||||
## directly and then remove this alias.
|
## directly and then remove this alias.
|
||||||
type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
|
type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
|
||||||
|
|
||||||
|
type psk_identity_vec: vector of SSL::PSKIdentity;
|
||||||
|
|
||||||
module X509;
|
module X509;
|
||||||
export {
|
export {
|
||||||
type Certificate: record {
|
type Certificate: record {
|
||||||
|
|
|
||||||
|
|
@ -56,13 +56,15 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
|
||||||
##
|
##
|
||||||
## possible_ts: The current time as sent by the server. Note that SSL/TLS does
|
## possible_ts: The current time as sent by the server. Note that SSL/TLS does
|
||||||
## not require clocks to be set correctly, so treat with care. This value
|
## not require clocks to be set correctly, so treat with care. This value
|
||||||
## is not sent in TLSv1.3.
|
## is meaningless in SSLv2 and TLSv1.3.
|
||||||
##
|
##
|
||||||
## session_id: The session ID as sent back by the server (if any). This value is not
|
## session_id: The session ID as sent back by the server (if any). This value is not
|
||||||
## sent in TLSv1.3.
|
## sent in TLSv1.3.
|
||||||
##
|
##
|
||||||
## server_random: The random value sent by the server. For version 2 connections,
|
## server_random: The random value sent by the server. For version 2 connections,
|
||||||
## the connection-id is returned.
|
## the connection-id is returned. Note - the full 32 bytes are included in
|
||||||
|
## server_random. This means that the 4 bytes present in possible_ts are repeated;
|
||||||
|
## if you do not want this behavior ignore the first 4 bytes.
|
||||||
##
|
##
|
||||||
## cipher: The cipher chosen by the server. The values are standardized as part
|
## cipher: The cipher chosen by the server. The values are standardized as part
|
||||||
## of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
|
## of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
|
||||||
|
|
@ -101,6 +103,7 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
|
||||||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||||
## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
|
## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
|
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
|
||||||
|
|
||||||
## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
|
## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
|
||||||
|
|
@ -120,6 +123,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
|
||||||
## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
|
## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
|
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
|
||||||
|
|
||||||
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
|
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
|
||||||
|
|
@ -141,6 +145,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
## ssl_rsa_client_pms ssl_server_signature
|
## ssl_rsa_client_pms ssl_server_signature
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
|
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
|
||||||
|
|
||||||
## Generated for an Signature Algorithms extension. This TLS extension
|
## Generated for an Signature Algorithms extension. This TLS extension
|
||||||
|
|
@ -161,6 +166,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
## ssl_rsa_client_pms ssl_server_signature
|
## ssl_rsa_client_pms ssl_server_signature
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
|
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
|
||||||
|
|
||||||
## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
|
## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
|
||||||
|
|
@ -169,7 +175,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
|
||||||
##
|
##
|
||||||
## c: The connection.
|
## c: The connection.
|
||||||
##
|
##
|
||||||
## is_orig: True if event is raised for originator side of the connection.
|
## is_orig: True if event is raised for the originator side of the connection.
|
||||||
##
|
##
|
||||||
## curves: List of supported/chosen named groups.
|
## curves: List of supported/chosen named groups.
|
||||||
##
|
##
|
||||||
|
|
@ -180,8 +186,49 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
## ssl_rsa_client_pms ssl_server_signature
|
## ssl_rsa_client_pms ssl_server_signature
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
|
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
|
||||||
|
|
||||||
|
## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
|
||||||
|
##
|
||||||
|
## The extension lists the identities the client is willing to negotiate with the server;
|
||||||
|
## they can either be pre-shared or be based on previous handshakes.
|
||||||
|
##
|
||||||
|
## c: The connection.
|
||||||
|
##
|
||||||
|
## is_orig: True if event is raised for the originator side of the connection
|
||||||
|
##
|
||||||
|
## identities: A list of the identities the client is willing to negotiate with the server.
|
||||||
|
##
|
||||||
|
## binders: A series of HMAC values; for computation, see the TLS 1.3 RFC.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
|
||||||
|
## ssl_session_ticket_handshake ssl_extension
|
||||||
|
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||||
|
## ssl_extension_server_name
|
||||||
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
|
## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
|
||||||
|
event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%);
|
||||||
|
|
||||||
|
## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
|
||||||
|
##
|
||||||
|
## c: The connection.
|
||||||
|
##
|
||||||
|
## is_orig: True if event is raised for the originator side of the connection
|
||||||
|
##
|
||||||
|
## selected_identity: The identity the server chose as a 0-based index into the identities
|
||||||
|
## the client sent.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
|
||||||
|
## ssl_session_ticket_handshake ssl_extension
|
||||||
|
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||||
|
## ssl_extension_server_name
|
||||||
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
|
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||||
|
## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
|
||||||
|
event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%);
|
||||||
|
|
||||||
## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
|
## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
|
||||||
## This event contains the named curve name and the server ECDH parameters contained
|
## This event contains the named curve name and the server ECDH parameters contained
|
||||||
## in the ServerKeyExchange message as defined in :rfc:`4492`.
|
## in the ServerKeyExchange message as defined in :rfc:`4492`.
|
||||||
|
|
@ -295,6 +342,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
|
||||||
## ssl_extension_server_name ssl_extension_key_share
|
## ssl_extension_server_name ssl_extension_key_share
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_extension_signed_certificate_timestamp
|
## ssl_extension_signed_certificate_timestamp
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
|
event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
|
||||||
|
|
||||||
## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
|
## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
|
||||||
|
|
@ -316,6 +364,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
|
||||||
## ssl_extension_key_share
|
## ssl_extension_key_share
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_extension_signed_certificate_timestamp
|
## ssl_extension_signed_certificate_timestamp
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
|
event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
|
||||||
|
|
||||||
## Generated for the signed_certificate_timestamp TLS extension as defined in
|
## Generated for the signed_certificate_timestamp TLS extension as defined in
|
||||||
|
|
@ -346,6 +395,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||||
## ssl_extension_application_layer_protocol_negotiation
|
## ssl_extension_application_layer_protocol_negotiation
|
||||||
## x509_ocsp_ext_signed_certificate_timestamp sct_verify
|
## x509_ocsp_ext_signed_certificate_timestamp sct_verify
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
|
event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
|
||||||
|
|
||||||
## Generated for an TLS Supported Versions extension. This TLS extension
|
## Generated for an TLS Supported Versions extension. This TLS extension
|
||||||
|
|
@ -365,6 +415,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
|
||||||
## ssl_extension_application_layer_protocol_negotiation
|
## ssl_extension_application_layer_protocol_negotiation
|
||||||
## ssl_extension_key_share ssl_extension_server_name
|
## ssl_extension_key_share ssl_extension_server_name
|
||||||
## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
|
## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
|
event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
|
||||||
|
|
||||||
## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
|
## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
|
||||||
|
|
@ -382,6 +433,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
|
||||||
## ssl_extension_application_layer_protocol_negotiation
|
## ssl_extension_application_layer_protocol_negotiation
|
||||||
## ssl_extension_key_share ssl_extension_server_name
|
## ssl_extension_key_share ssl_extension_server_name
|
||||||
## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
|
## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
|
||||||
|
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
|
||||||
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
|
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
|
||||||
|
|
||||||
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
|
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
function proc_server_hello(
|
function proc_server_hello(
|
||||||
version : uint16, ts : double,
|
version : uint16, v2 : bool,
|
||||||
server_random : bytestring,
|
server_random : bytestring,
|
||||||
session_id : uint8[],
|
session_id : uint8[],
|
||||||
cipher_suites16 : uint16[],
|
cipher_suites16 : uint16[],
|
||||||
|
|
@ -21,6 +21,10 @@
|
||||||
else
|
else
|
||||||
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
|
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
|
||||||
|
|
||||||
|
uint32 ts = 0;
|
||||||
|
if ( v2 == 0 && server_random.length() >= 4 )
|
||||||
|
ts = ntohl(*((uint32*)server_random.data()));
|
||||||
|
|
||||||
BifEvent::generate_ssl_server_hello(bro_analyzer(),
|
BifEvent::generate_ssl_server_hello(bro_analyzer(),
|
||||||
bro_analyzer()->Conn(),
|
bro_analyzer()->Conn(),
|
||||||
version, record_version(), ts, new StringVal(server_random.length(),
|
version, record_version(), ts, new StringVal(server_random.length(),
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,7 @@ refine typeattr V2ClientHello += &let {
|
||||||
refine typeattr V2ServerHello += &let {
|
refine typeattr V2ServerHello += &let {
|
||||||
check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);
|
check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);
|
||||||
|
|
||||||
proc : bool = $context.connection.proc_server_hello(server_version, 0,
|
proc : bool = $context.connection.proc_server_hello(server_version, 1,
|
||||||
conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true);
|
conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true);
|
||||||
|
|
||||||
cert : bool = $context.connection.proc_v2_certificate(rec.is_orig, cert_data)
|
cert : bool = $context.connection.proc_v2_certificate(rec.is_orig, cert_data)
|
||||||
|
|
|
||||||
|
|
@ -145,7 +145,7 @@ enum SSLExtensions {
|
||||||
EXT_STATUS_REQUEST_V2 = 17,
|
EXT_STATUS_REQUEST_V2 = 17,
|
||||||
EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18,
|
EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18,
|
||||||
EXT_SESSIONTICKET_TLS = 35,
|
EXT_SESSIONTICKET_TLS = 35,
|
||||||
EXT_KEY_SHARE = 40,
|
EXT_KEY_SHARE_OLD = 40,
|
||||||
EXT_PRE_SHARED_KEY = 41,
|
EXT_PRE_SHARED_KEY = 41,
|
||||||
EXT_EARLY_DATA = 42,
|
EXT_EARLY_DATA = 42,
|
||||||
EXT_SUPPORTED_VERSIONS = 43,
|
EXT_SUPPORTED_VERSIONS = 43,
|
||||||
|
|
@ -154,6 +154,7 @@ enum SSLExtensions {
|
||||||
EXT_TICKET_EARLY_DATA_INFO = 46,
|
EXT_TICKET_EARLY_DATA_INFO = 46,
|
||||||
EXT_CERTIFICATE_AUTHORITIES = 47,
|
EXT_CERTIFICATE_AUTHORITIES = 47,
|
||||||
EXT_OID_FILTERS = 48,
|
EXT_OID_FILTERS = 48,
|
||||||
|
EXT_KEY_SHARE = 51,
|
||||||
EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
|
EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
|
||||||
EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
|
EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
|
||||||
EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
|
EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
|
||||||
|
|
|
||||||
|
|
@ -138,6 +138,18 @@ refine connection Handshake_Conn += {
|
||||||
return true;
|
return true;
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
function proc_hello_retry_request_key_share(rec: HandshakeRecord, namedgroup: uint16) : bool
|
||||||
|
%{
|
||||||
|
if ( ! ssl_extension_key_share )
|
||||||
|
return true;
|
||||||
|
|
||||||
|
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
|
||||||
|
|
||||||
|
nglist->Assign(0u, val_mgr->GetCount(namedgroup));
|
||||||
|
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
|
||||||
|
return true;
|
||||||
|
%}
|
||||||
|
|
||||||
function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
|
function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
|
||||||
%{
|
%{
|
||||||
if ( ! ssl_extension_signature_algorithm )
|
if ( ! ssl_extension_signature_algorithm )
|
||||||
|
|
@ -459,6 +471,48 @@ refine connection Handshake_Conn += {
|
||||||
return true;
|
return true;
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
function proc_pre_shared_key_server_hello(rec: HandshakeRecord, identities: PSKIdentitiesList, binders: PSKBindersList) : bool
|
||||||
|
%{
|
||||||
|
if ( ! ssl_extension_pre_shared_key_server_hello )
|
||||||
|
return true;
|
||||||
|
|
||||||
|
VectorVal* slist = new VectorVal(internal_type("psk_identity_vec")->AsVectorType());
|
||||||
|
|
||||||
|
if ( identities && identities->identities() )
|
||||||
|
{
|
||||||
|
for ( auto&& identity : *(identities->identities()) )
|
||||||
|
{
|
||||||
|
RecordVal* el = new RecordVal(BifType::Record::SSL::PSKIdentity);
|
||||||
|
el->Assign(0, new StringVal(identity->identity().length(), (const char*) identity->identity().data()));
|
||||||
|
el->Assign(1, val_mgr->GetCount(identity->obfuscated_ticket_age()));
|
||||||
|
slist->Assign(slist->Size(), el);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
VectorVal* blist = new VectorVal(internal_type("string_vec")->AsVectorType());
|
||||||
|
if ( binders && binders->binders() )
|
||||||
|
{
|
||||||
|
for ( auto&& binder : *(binders->binders()) )
|
||||||
|
blist->Assign(blist->Size(), new StringVal(binder->binder().length(), (const char*) binder->binder().data()));
|
||||||
|
}
|
||||||
|
|
||||||
|
BifEvent::generate_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
|
||||||
|
${rec.is_orig}, slist, blist);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
%}
|
||||||
|
|
||||||
|
function proc_pre_shared_key_client_hello(rec: HandshakeRecord, selected_identity: uint16) : bool
|
||||||
|
%{
|
||||||
|
if ( ! ssl_extension_pre_shared_key_client_hello )
|
||||||
|
return true;
|
||||||
|
|
||||||
|
BifEvent::generate_ssl_extension_pre_shared_key_server_hello(bro_analyzer(),
|
||||||
|
bro_analyzer()->Conn(), ${rec.is_orig}, selected_identity);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
%}
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
refine typeattr ClientHello += &let {
|
refine typeattr ClientHello += &let {
|
||||||
|
|
@ -469,7 +523,7 @@ refine typeattr ClientHello += &let {
|
||||||
|
|
||||||
refine typeattr ServerHello += &let {
|
refine typeattr ServerHello += &let {
|
||||||
proc : bool = $context.connection.proc_server_hello(server_version,
|
proc : bool = $context.connection.proc_server_hello(server_version,
|
||||||
gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
|
0, random_bytes, session_id, cipher_suite, 0,
|
||||||
compression_method);
|
compression_method);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -508,6 +562,10 @@ refine typeattr ServerHelloKeyShare += &let {
|
||||||
proc : bool = $context.connection.proc_server_key_share(rec, keyshare);
|
proc : bool = $context.connection.proc_server_key_share(rec, keyshare);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
refine typeattr HelloRetryRequestKeyShare += &let {
|
||||||
|
proc : bool = $context.connection.proc_hello_retry_request_key_share(rec, namedgroup);
|
||||||
|
};
|
||||||
|
|
||||||
refine typeattr ClientHelloKeyShare += &let {
|
refine typeattr ClientHelloKeyShare += &let {
|
||||||
proc : bool = $context.connection.proc_client_key_share(rec, keyshares);
|
proc : bool = $context.connection.proc_client_key_share(rec, keyshares);
|
||||||
};
|
};
|
||||||
|
|
@ -568,6 +626,14 @@ refine typeattr PSKKeyExchangeModes += &let {
|
||||||
proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
|
proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
refine typeattr OfferedPsks += &let {
|
||||||
|
proc : bool = $context.connection.proc_pre_shared_key_server_hello(rec, identities, binders);
|
||||||
|
};
|
||||||
|
|
||||||
|
refine typeattr SelectedPreSharedKeyIdentity += &let {
|
||||||
|
proc : bool = $context.connection.proc_pre_shared_key_client_hello(rec, selected_identity);
|
||||||
|
};
|
||||||
|
|
||||||
refine typeattr Handshake += &let {
|
refine typeattr Handshake += &let {
|
||||||
proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
|
proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -116,8 +116,7 @@ type ServerHelloChoice(rec: HandshakeRecord) = record {
|
||||||
};
|
};
|
||||||
|
|
||||||
type ServerHello(rec: HandshakeRecord, server_version: uint16) = record {
|
type ServerHello(rec: HandshakeRecord, server_version: uint16) = record {
|
||||||
gmt_unix_time : uint32;
|
random_bytes : bytestring &length = 32;
|
||||||
random_bytes : bytestring &length = 28;
|
|
||||||
session_len : uint8;
|
session_len : uint8;
|
||||||
session_id : uint8[session_len];
|
session_id : uint8[session_len];
|
||||||
cipher_suite : uint16[1];
|
cipher_suite : uint16[1];
|
||||||
|
|
@ -775,9 +774,11 @@ type SSLExtension(rec: HandshakeRecord) = record {
|
||||||
EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
|
EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
|
||||||
EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
|
EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
|
||||||
EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
|
EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
|
||||||
EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
|
EXT_KEY_SHARE -> key_share: KeyShare(rec, this)[] &until($element == 0 || $element != 0);
|
||||||
|
EXT_KEY_SHARE_OLD -> key_share_old: KeyShare(rec, this)[] &until($element == 0 || $element != 0);
|
||||||
EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
|
EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
|
||||||
EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
|
EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
|
||||||
|
EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
|
||||||
default -> data: bytestring &restofdata;
|
default -> data: bytestring &restofdata;
|
||||||
};
|
};
|
||||||
} &length=data_len+4 &exportsourcedata;
|
} &length=data_len+4 &exportsourcedata;
|
||||||
|
|
@ -852,14 +853,62 @@ type ServerHelloKeyShare(rec: HandshakeRecord) = record {
|
||||||
keyshare : KeyShareEntry;
|
keyshare : KeyShareEntry;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type HelloRetryRequestKeyShare(rec: HandshakeRecord) = record {
|
||||||
|
namedgroup : uint16;
|
||||||
|
};
|
||||||
|
|
||||||
|
type ServerHelloKeyShareChoice(rec: HandshakeRecord, ext: SSLExtension) = case (ext.data_len) of {
|
||||||
|
2 -> hrr : HelloRetryRequestKeyShare(rec);
|
||||||
|
default -> server : ServerHelloKeyShare(rec);
|
||||||
|
};
|
||||||
|
|
||||||
type ClientHelloKeyShare(rec: HandshakeRecord) = record {
|
type ClientHelloKeyShare(rec: HandshakeRecord) = record {
|
||||||
length: uint16;
|
length: uint16;
|
||||||
keyshares : KeyShareEntry[] &until($input.length() == 0);
|
keyshares : KeyShareEntry[] &until($input.length() == 0);
|
||||||
|
} &length=(length+2);
|
||||||
|
|
||||||
|
type KeyShare(rec: HandshakeRecord, ext: SSLExtension) = case rec.msg_type of {
|
||||||
|
CLIENT_HELLO -> client_hello_keyshare : ClientHelloKeyShare(rec);
|
||||||
|
SERVER_HELLO -> server_hello_keyshare : ServerHelloKeyShareChoice(rec, ext);
|
||||||
|
# in old traces, theoretically hello retry requests might show up as a separate type here.
|
||||||
|
# If this happens, just ignore the extension - we do not have any example traffic for this.
|
||||||
|
# And it will not happen in anything speaking TLS 1.3, or not completely ancient drafts of it.
|
||||||
|
default -> other : bytestring &restofdata &transient;
|
||||||
};
|
};
|
||||||
|
|
||||||
type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
|
type SelectedPreSharedKeyIdentity(rec: HandshakeRecord) = record {
|
||||||
CLIENT_HELLO -> client_hello_keyshare : ClientHelloKeyShare(rec);
|
selected_identity: uint16;
|
||||||
SERVER_HELLO -> server_hello_keyshare : ServerHelloKeyShare(rec);
|
};
|
||||||
|
|
||||||
|
type PSKIdentity() = record {
|
||||||
|
length: uint16;
|
||||||
|
identity: bytestring &length=length;
|
||||||
|
obfuscated_ticket_age: uint32;
|
||||||
|
};
|
||||||
|
|
||||||
|
type PSKIdentitiesList() = record {
|
||||||
|
length: uint16;
|
||||||
|
identities: PSKIdentity[] &until($input.length() == 0);
|
||||||
|
} &length=length+2;
|
||||||
|
|
||||||
|
type PSKBinder() = record {
|
||||||
|
length: uint8;
|
||||||
|
binder: bytestring &length=length;
|
||||||
|
};
|
||||||
|
|
||||||
|
type PSKBindersList() = record {
|
||||||
|
length: uint16;
|
||||||
|
binders: PSKBinder[] &until($input.length() == 0);
|
||||||
|
} &length=length+2;
|
||||||
|
|
||||||
|
type OfferedPsks(rec: HandshakeRecord) = record {
|
||||||
|
identities: PSKIdentitiesList;
|
||||||
|
binders: PSKBindersList;
|
||||||
|
};
|
||||||
|
|
||||||
|
type PreSharedKey(rec: HandshakeRecord) = case rec.msg_type of {
|
||||||
|
CLIENT_HELLO -> offered_psks : OfferedPsks(rec);
|
||||||
|
SERVER_HELLO -> selected_identity : SelectedPreSharedKeyIdentity(rec);
|
||||||
# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
|
# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
|
||||||
default -> other : bytestring &restofdata &transient;
|
default -> other : bytestring &restofdata &transient;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
module SSL;
|
module SSL;
|
||||||
|
|
||||||
type SignatureAndHashAlgorithm: record;
|
type SignatureAndHashAlgorithm: record;
|
||||||
|
type PSKIdentity: record;
|
||||||
|
|
||||||
module GLOBAL;
|
module GLOBAL;
|
||||||
|
|
|
||||||
|
|
@ -3,60 +3,60 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-51
|
#open 2019-04-29-19-23-03
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - TLSv10 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv12 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 1 6 18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a c3d48226a8f94d3bbb49918ac02187493258e74e - 0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 -
|
1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - TLSv10 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv12 535c4db35c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 1 6 18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a c3d48226a8f94d3bbb49918ac02187493258e74e - 0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 -
|
||||||
#close 2018-08-27-22-38-51
|
#close 2019-04-29-19-23-03
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-52
|
#open 2019-04-29-19-23-03
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - TLSv10 d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv12 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 1 6 bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
|
1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - TLSv10 d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv12 535bdbf95cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 1 6 bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
|
||||||
#close 2018-08-27-22-38-52
|
#close 2019-04-29-19-23-03
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-52
|
#open 2019-04-29-19-23-04
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - unknown-0 e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - -
|
1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - unknown-0 e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 45c7bb492b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - -
|
||||||
1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - TLSv10 a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - -
|
1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - TLSv10 a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 45c7bb4c0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - -
|
||||||
1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - TLSv10 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - -
|
1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - TLSv10 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLSv10 45c7bb4ffd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - -
|
||||||
#close 2018-08-27-22-38-52
|
#close 2019-04-29-19-23-04
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-53
|
#open 2019-04-29-19-23-05
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - TLSv10 ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv11 0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71 - - - 04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb 256 256 72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a b453697b78df7c522c3e2bfc889b7fa6674903ca - - 4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
|
1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - TLSv10 ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLSv11 5a20647e0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71 - - - 04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb 256 256 72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a b453697b78df7c522c3e2bfc889b7fa6674903ca - - 4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
|
||||||
#close 2018-08-27-22-38-53
|
#close 2019-04-29-19-23-05
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-54
|
#open 2019-04-29-19-23-06
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1425932016.520029 CHhAvVGS1DHFjwGM9 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro CN=bro - - DTLSv10 543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV DTLSv10 e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2 - - - 043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef 256 256 17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39 fa6d780625219f5e1ae0b4c863e8321328241134 - - 4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
|
1425932016.520029 CHhAvVGS1DHFjwGM9 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro CN=bro - - DTLSv10 543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV DTLSv10 54fdfee7e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2 - - - 043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef 256 256 17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39 fa6d780625219f5e1ae0b4c863e8321328241134 - - 4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
|
||||||
#close 2018-08-27-22-38-54
|
#close 2019-04-29-19-23-06
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-08-27-22-38-54
|
#open 2019-04-29-19-23-07
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_record_version client_random client_cipher_suites server_record_version server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string count count string string string string string
|
||||||
1512070268.982498 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - DTLSv12 e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV DTLSv12 1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490 - - - 049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9 1 6 e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c 1cb43b5f1de3fe36d595da76210bbf5572a721be - - 41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
|
1512070268.982498 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - DTLSv12 e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV DTLSv12 07c5aefa1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490 - - - 049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9 1 6 e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c 1cb43b5f1de3fe36d595da76210bbf5572a721be - - 41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
|
||||||
#close 2018-08-27-22-38-54
|
#close 2019-04-29-19-23-07
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,2 @@
|
||||||
8\xd0U@\xf1\xaamI\xb5SE\x0b\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7\x04\x90
|
8\xd0U@\xf1\xaamI\xb5SE\x0b\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7\x04\x90
|
||||||
\xa7\x02\xf4'&\x05]|c\x83KN\xb0\x0e6F\xbez\xbb\x0ey\xbf\x0f\x85p\x83\x8dX
|
R\xc1\xf4\xef\xa7\x02\xf4'&\x05]|c\x83KN\xb0\x0e6F\xbez\xbb\x0ey\xbf\x0f\x85p\x83\x8dX
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ sha1, dsa
|
||||||
sha256, dsa
|
sha256, dsa
|
||||||
sha384, dsa
|
sha384, dsa
|
||||||
sha512, dsa
|
sha512, dsa
|
||||||
supported_versions(, 192.168.6.240, 139.162.123.134
|
supported_versions, 192.168.6.240, 139.162.123.134
|
||||||
TLSv13-draft19
|
TLSv13-draft19
|
||||||
TLSv12
|
TLSv12
|
||||||
TLSv11
|
TLSv11
|
||||||
|
|
@ -78,7 +78,7 @@ sha1, dsa
|
||||||
sha256, dsa
|
sha256, dsa
|
||||||
sha384, dsa
|
sha384, dsa
|
||||||
sha512, dsa
|
sha512, dsa
|
||||||
supported_versions(, 192.168.6.240, 139.162.123.134
|
supported_versions, 192.168.6.240, 139.162.123.134
|
||||||
TLSv13-draft19
|
TLSv13-draft19
|
||||||
TLSv12
|
TLSv12
|
||||||
TLSv11
|
TLSv11
|
||||||
|
|
@ -86,3 +86,50 @@ TLSv10
|
||||||
psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
|
psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
|
||||||
1
|
1
|
||||||
0
|
0
|
||||||
|
pre_shared_key client hello, 192.168.6.240, 139.162.123.134, [[identity=\x01\xf3\x88\x12\xae\xeb\x13\x01\xed]\xcf\x0b\x8f\xad\xf2\xc1I\x9f-\xfa\xe1\x98\x9f\xb7\x82@\x81Or\x0e\xbe\xfc\xa3\xbc\x8f\x03\x86\xf1\x8e\xae\xd7\xe5\xa2\xee\xf3\xde\xb7\xa5\xf6\\xeb\x18^ICPm!|\x09\xe0NE\xe8\x0f\xda\xf8\xf2\xa8s\x84\x17>\xe5\xd9!\x19\x09\xfe\xdb\xa87\x05\xd7\xd06JG\xeb\xad\xf9\xf8\x13?#\xdc\xe7J\xad\x14\xbfS.\x98\xd8\xd2r\x01\xef\xc5\x0c_\xdf\xc9[7\xa7l\xa7\xa0\xb5\xda\x83\x16\x10\xa1\xdb\xe2<j\xfeN=uU\xd3\xf3[\x021\xb1\xff\xcc\xbbZ\x1d\xab\x14=\xca\x80\x07!d\x06\xbe\xc6\x90\x94\x92S\xcfu\x8e\x92_/\xc9\xf0H\xf3\xd0\xfa\xeb\xb6&, obfuscated_ticket_age=1415540021]], [\xdcJ$\x00L\x12\x87\x929wEed\xbd\xf6\xcb4\x04ip5\x95\xe2X\xca[Kx}\xadHY\xae\xab\xedz\xb3\xcaK=\xa0\x09ER\x0a\x8dO\xe4]
|
||||||
|
pre_shared_key server hello, 192.168.6.240, 139.162.123.134, 0
|
||||||
|
Point formats, 192.168.178.80, 174.138.9.219, T
|
||||||
|
uncompressed
|
||||||
|
ansiX962_compressed_prime
|
||||||
|
ansiX962_compressed_char2
|
||||||
|
Curves, 192.168.178.80, 174.138.9.219
|
||||||
|
x25519
|
||||||
|
secp256r1
|
||||||
|
x448
|
||||||
|
secp521r1
|
||||||
|
secp384r1
|
||||||
|
signature_algorithm, 192.168.178.80, 174.138.9.219
|
||||||
|
sha256, ecdsa
|
||||||
|
sha384, ecdsa
|
||||||
|
sha512, ecdsa
|
||||||
|
Intrinsic, ed25519
|
||||||
|
Intrinsic, ed448
|
||||||
|
Intrinsic, rsa_pss_sha256
|
||||||
|
Intrinsic, rsa_pss_sha384
|
||||||
|
Intrinsic, rsa_pss_sha512
|
||||||
|
Intrinsic, rsa_pss_sha256
|
||||||
|
Intrinsic, rsa_pss_sha384
|
||||||
|
Intrinsic, rsa_pss_sha512
|
||||||
|
sha256, rsa
|
||||||
|
sha384, rsa
|
||||||
|
sha512, rsa
|
||||||
|
sha224, ecdsa
|
||||||
|
sha1, ecdsa
|
||||||
|
sha224, rsa
|
||||||
|
sha1, rsa
|
||||||
|
sha224, dsa
|
||||||
|
sha1, dsa
|
||||||
|
sha256, dsa
|
||||||
|
sha384, dsa
|
||||||
|
sha512, dsa
|
||||||
|
supported_versions, 192.168.178.80, 174.138.9.219
|
||||||
|
TLSv13
|
||||||
|
TLSv12
|
||||||
|
TLSv11
|
||||||
|
TLSv10
|
||||||
|
psk_key_exchange_modes, 192.168.178.80, 174.138.9.219
|
||||||
|
1
|
||||||
|
pre_shared_key client hello, 192.168.178.80, 174.138.9.219, [[identity=Client_identity, obfuscated_ticket_age=0]], [\xdbm7\xb6\xb9\xa3\xb29C\xb5\xa3\xa4\8\x95\x94o\x8d'\xd7\x99\x91R\xea\xcb\xa82\x9cb$e\xe9]
|
||||||
|
supported_versions, 192.168.178.80, 174.138.9.219
|
||||||
|
TLSv13
|
||||||
|
pre_shared_key server hello, 192.168.178.80, 174.138.9.219, 0
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2018-03-27-21-57-37
|
#open 2019-06-03-04-39-51
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
1520820013.621497 CHhAvVGS1DHFjwGM9 192.168.86.23 63449 52.32.149.186 443 TLSv13-draft23 TLS_AES_128_GCM_SHA256 - tls13.crypto.mozilla.org T - - T - - - - - -
|
1520820013.621497 CHhAvVGS1DHFjwGM9 192.168.86.23 63449 52.32.149.186 443 TLSv13-draft23 TLS_AES_128_GCM_SHA256 x25519 tls13.crypto.mozilla.org T - - T - - - - - -
|
||||||
#close 2018-03-27-21-57-37
|
#close 2019-06-03-04-39-51
|
||||||
|
|
|
||||||
|
|
@ -54,3 +54,30 @@ encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
|
||||||
|
x25519
|
||||||
|
client, TLSv10, TLSv12
|
||||||
|
key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F
|
||||||
|
x25519
|
||||||
|
server, TLSv12, TLSv12
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
established, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp]
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
|
||||||
|
secp224r1
|
||||||
|
client, TLSv10, TLSv12
|
||||||
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
|
||||||
|
secp256r1
|
||||||
|
server, TLSv12, TLSv12
|
||||||
|
established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
|
|
||||||
|
|
@ -3,42 +3,62 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2016-10-07-19-21-58
|
#open 2019-06-03-04-33-19
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
1475791805.525848 ClEkJM2Vm5giqnMf4h 192.168.6.203 53227 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
1475791805.525848 ClEkJM2Vm5giqnMf4h 192.168.6.203 53227 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
||||||
1475791805.468951 CHhAvVGS1DHFjwGM9 192.168.6.203 53226 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
1475791805.468951 CHhAvVGS1DHFjwGM9 192.168.6.203 53226 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
||||||
#close 2016-10-07-19-21-58
|
#close 2019-06-03-04-33-19
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2016-10-07-19-21-59
|
#open 2019-06-03-04-33-20
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
1475794630.046060 CHhAvVGS1DHFjwGM9 192.168.6.203 53994 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - F - - - - - -
|
1475794630.046060 CHhAvVGS1DHFjwGM9 192.168.6.203 53994 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - F - - - - - -
|
||||||
1475794635.195006 ClEkJM2Vm5giqnMf4h 192.168.6.203 53996 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - T - - - - - -
|
1475794635.195006 ClEkJM2Vm5giqnMf4h 192.168.6.203 53996 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - T - - - - - -
|
||||||
#close 2016-10-07-19-21-59
|
#close 2019-06-03-04-33-20
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2016-10-07-19-22-00
|
#open 2019-06-03-04-33-20
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
1475787575.867992 CHhAvVGS1DHFjwGM9 192.150.187.20 54980 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
1475787575.867992 CHhAvVGS1DHFjwGM9 192.150.187.20 54980 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
||||||
1475787575.922474 ClEkJM2Vm5giqnMf4h 192.150.187.20 54982 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
1475787575.922474 ClEkJM2Vm5giqnMf4h 192.150.187.20 54982 52.32.149.186 443 - - - tls13.crypto.mozilla.org F protocol_version - F - - - - - -
|
||||||
#close 2016-10-07-19-22-00
|
#close 2019-06-03-04-33-20
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path ssl
|
#path ssl
|
||||||
#open 2016-10-07-19-22-01
|
#open 2019-06-03-04-33-21
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
1475795116.906579 CHhAvVGS1DHFjwGM9 192.150.187.20 36778 138.68.41.77 443 TLSv13-draft16 TLS_CHACHA20_POLY1305_SHA256 secp384r1 - F unknown_ca - F - - - - - -
|
1475795116.906579 CHhAvVGS1DHFjwGM9 192.150.187.20 36778 138.68.41.77 443 TLSv13-draft16 TLS_CHACHA20_POLY1305_SHA256 secp384r1 - F unknown_ca - F - - - - - -
|
||||||
1475795124.328003 ClEkJM2Vm5giqnMf4h 192.150.187.20 36782 138.68.41.77 443 TLSv13-draft16 TLS_CHACHA20_POLY1305_SHA256 secp384r1 - F - - T - - - - - -
|
1475795124.328003 ClEkJM2Vm5giqnMf4h 192.150.187.20 36782 138.68.41.77 443 TLSv13-draft16 TLS_CHACHA20_POLY1305_SHA256 secp384r1 - F - - T - - - - - -
|
||||||
#close 2016-10-07-19-22-01
|
#close 2019-06-03-04-33-21
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ssl
|
||||||
|
#open 2019-06-03-04-33-22
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
|
1555610808.383902 CHhAvVGS1DHFjwGM9 192.168.178.80 54220 174.138.9.219 443 TLSv13 TLS_CHACHA20_POLY1305_SHA256 x25519 - T - - T - - - - - -
|
||||||
|
#close 2019-06-03-04-33-22
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ssl
|
||||||
|
#open 2019-06-03-04-33-22
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
|
1556554523.016311 CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - T - - T - - - - - -
|
||||||
|
#close 2019-06-03-04-33-22
|
||||||
|
|
|
||||||
|
|
@ -825,7 +825,7 @@
|
||||||
[1] version: count = 771
|
[1] version: count = 771
|
||||||
[2] record_version: count = 771
|
[2] record_version: count = 771
|
||||||
[3] possible_ts: time = 1437831799.0
|
[3] possible_ts: time = 1437831799.0
|
||||||
[4] server_random: string = \xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM
|
[4] server_random: string = U\xb3\x92w\xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM
|
||||||
[5] session_id: string = \x17x\xe5j\x19T\x12vWY\xcf\xf3\xeai\\xdf\x09[]\xb7\xdf.[\x0e\x04\xa8\x89bJ\x94\xa7\x0c
|
[5] session_id: string = \x17x\xe5j\x19T\x12vWY\xcf\xf3\xeai\\xdf\x09[]\xb7\xdf.[\x0e\x04\xa8\x89bJ\x94\xa7\x0c
|
||||||
[6] cipher: count = 4
|
[6] cipher: count = 4
|
||||||
[7] comp_method: count = 0
|
[7] comp_method: count = 0
|
||||||
|
|
|
||||||
BIN
testing/btest/Traces/tls/hrr.pcap
Normal file
BIN
testing/btest/Traces/tls/hrr.pcap
Normal file
Binary file not shown.
BIN
testing/btest/Traces/tls/tls13_psk_succesfull.pcap
Normal file
BIN
testing/btest/Traces/tls/tls13_psk_succesfull.pcap
Normal file
Binary file not shown.
|
|
@ -1,5 +1,6 @@
|
||||||
# @TEST-EXEC: zeek -C -r $TRACES/tls/chrome-34-google.trace %INPUT
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/chrome-34-google.trace %INPUT
|
||||||
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
|
||||||
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
||||||
# @TEST-EXEC: btest-diff .stdout
|
# @TEST-EXEC: btest-diff .stdout
|
||||||
|
|
||||||
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
|
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
|
||||||
|
|
@ -37,7 +38,7 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
|
||||||
|
|
||||||
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
|
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
|
||||||
{
|
{
|
||||||
print "supported_versions(", c$id$orig_h, c$id$resp_h;
|
print "supported_versions", c$id$orig_h, c$id$resp_h;
|
||||||
for ( i in versions )
|
for ( i in versions )
|
||||||
print SSL::version_strings[versions[i]];
|
print SSL::version_strings[versions[i]];
|
||||||
}
|
}
|
||||||
|
|
@ -48,3 +49,13 @@ event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes:
|
||||||
for ( i in modes )
|
for ( i in modes )
|
||||||
print modes[i];
|
print modes[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
|
||||||
|
{
|
||||||
|
print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
|
||||||
|
}
|
||||||
|
|
||||||
|
event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
|
||||||
|
{
|
||||||
|
print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,10 @@
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
||||||
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: zeek -C -r $TRACES/tls/hrr.pcap %INPUT
|
||||||
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
# @TEST-EXEC: btest-diff ssl-out.log
|
# @TEST-EXEC: btest-diff ssl-out.log
|
||||||
# @TEST-EXEC: btest-diff .stdout
|
# @TEST-EXEC: btest-diff .stdout
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue