Merge remote-tracking branch 'origin/topic/bernhard/ssl-analyzer'

* origin/topic/bernhard/ssl-analyzer:
  Fix a few failing tests
  Add very basic ocsp stapling support.
  Add documentation, consts and tests for the new events.
  Support parsing of several TLS extensions.
  Make SSL/TLS version detection less brittle.
  Nicer notices for heartbleed.
  rip out state handling from ssl analyzer.
  enable detection of encrypted heartbleeds.
  also extract payload data in ssl_heartbeat
  add to local.bro, add disclaimer
  make tls heartbeat messages a bit better.
  fix tabs.
  polish script and probably detect encrypted attacks too.
  detect and alert on simple case of heartbleed
  default to TLS when not being able to determine version
  add is_orig to heartbeat event
  Throw new event for heartbeat messages.

BIT-1178 #merged
This commit is contained in:
Robin Sommer 2014-04-24 16:57:54 -07:00
commit 201fc7b25a
28 changed files with 800 additions and 376 deletions


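--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+{
+print is_orig, |response|;
+}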
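Review bot: The baseline this test records is only the direction flag and the byte length of the stapled response, so a regression in which the analyzer hands the event the wrong bytes of the same length (an offset error in the extension parser, for instance) would still pass btest-diff. Printing a digest of the payload alongside the length pins the actual content, e.g. `print is_orig, |response|, md5_hash(response);`. That keeps the expected-output file small while making the test sensitive to what was extracted, which matters for an OCSP response a script may later want to validate.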


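--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+{
+print "Curves", c$id$orig_h, c$id$resp_h;
+for ( i in curves )
+print SSL::ec_curves[curves[i]];
+}
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+{
+print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+for ( i in point_formats )
+print SSL::ec_point_formats[point_formats[i]];
+}
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+{
+print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
+}
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+{
+print "server_name", c$id$orig_h, c$id$resp_h, names;
+}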
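Review bot: `SSL::ec_curves[curves[i]]` and `SSL::ec_point_formats[point_formats[i]]` index a constant table with identifiers taken straight from the peer's ClientHello, so a curve or point-format value that is not in the table produces a "no such index" runtime error rather than a printed line; the test only passes because this particular trace uses known values, and any script copying this pattern into production logging inherits that fragility. Guarding the lookup keeps the handler total for arbitrary wire values, e.g. `print (curves[i] in SSL::ec_curves) ? SSL::ec_curves[curves[i]] : fmt("unknown-%d", curves[i]);`, with the same guard on the point-format loop. As a smaller style point, the curves handler drops `is_orig` from its print while the point-formats handler includes it; printing it in both makes the expected output show which side advertised the extension.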