Merge branch 'master' of ssh://git.bro-ids.org/bro

2025-10-07 09:08:20 +00:00 · 2011-09-20 13:56:02 -04:00 · 2011-09-20 13:56:02 -04:00 · 16eafb771f
commit 16eafb771f
parent b20edb8542 22a89011a5
547 changed files with 513 additions and 29932 deletions
--- a/scripts/base/protocols/smtp/entities.bro
+++ b/scripts/base/protocols/smtp/entities.bro
@ -69,6 +69,11 @@ export {
 	## The on-disk prefix for files to be extracted from MIME entity bodies.
 	const extraction_prefix = "smtp-entity" &redef;

+	## If set, never generate MD5s. This is mainly for testing purposes to create
+	## reproducable output in the case that the decision whether to create
+	## checksums depends on environment specifics.
+	const never_calc_md5 = F &redef;
+
 	global log_mime: event(rec: EntityInfo);
 }

@ -121,7 +126,7 @@ event mime_segment_data(c: connection, length: count, data: string) &priority=-5

 	if ( c$smtp$current_entity$content_len == 0 )
 		{
-		if ( generate_md5 in c$smtp$current_entity$mime_type )
+		if ( generate_md5 in c$smtp$current_entity$mime_type && ! never_calc_md5 )
 			c$smtp$current_entity$calc_md5 = T;

 		if ( c$smtp$current_entity$calc_md5 )
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -18,16 +18,21 @@ export {
 		
 		cert:             string           &optional;
 		cert_chain:       vector of string &optional;
+		
+		## This stores the analyzer id used for the analyzer instance attached
+		## to each connection.  It is not used for logging since it's a 
+		## meaningless arbitrary number.
+		analyzer_id:      count            &optional;
 	};
 	
 	## This is where the default root CA bundle is defined.  By loading the
 	## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
 	const root_certs: table[string] of string = {} &redef;
-
-	## This determines if the c$ssl record is deleted after the record is 
-	## logged. You probably want this to be deleted since it contains 
-	## the full certificate and all of the chain certificates in it.
-	const delete_certs_after_logging = T &redef;
+	
+	## If true, detach the SSL analyzer from the connection to prevent 
+	## continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 	
 	global log_ssl: event(rec: Info);
 	
@ -71,18 +76,12 @@ function set_session(c: connection)
 		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()];
 	}
 	
-function finish(c: connection, violation: bool)
+function finish(c: connection)
 	{
 	Log::write(SSL::LOG, c$ssl);
-	if ( delete_certs_after_logging )
-		{
-		if ( c$ssl?$cert )
-			delete c$ssl$cert;
-		if ( c$ssl?$cert_chain )
-			delete c$ssl$cert_chain;
-		}
-	if ( violation )
-		delete c$ssl;
+	if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
+		disable_analyzer(c$id, c$ssl$analyzer_id);
+	delete c$ssl;
 	}

 event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
@ -134,12 +133,19 @@ event ssl_established(c: connection) &priority=5
 	
 event ssl_established(c: connection) &priority=-5
 	{
-	finish(c, F);
+	finish(c);
 	}
-	
+
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+	{
+	# Check by checking for existence of c$ssl record.
+	if ( c?$ssl && analyzer_name(atype) == "SSL" )
+		c$ssl$analyzer_id = aid;
+	}
+
 event protocol_violation(c: connection, atype: count, aid: count,
                         reason: string) &priority=5
 	{
 	if ( c?$ssl )
-		finish(c, T);
+		finish(c);
 	}