Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 04:58:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

also extract payload data in ssl_heartbeat

Browse source
This commit is contained in:
Bernhard Amann 2014-04-08 12:44:51 -07:00
parent f2c2da92c6
commit 2942a26280
4 changed files with 7 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/policy/protocols/ssl/heartbleed.bro
View file

@ -26,7 +26,7 @@ export {
}; };
} }
event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count) event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
{ {
if ( heartbeat_type == 1 ) if ( heartbeat_type == 1 )
{ {

2
src/analyzer/protocol/ssl/events.bif
View file

@ -141,4 +141,4 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%); event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%); event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);

8
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -325,11 +325,11 @@ refine connection SSL_Conn += {
return true; return true;
%} %}
function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
%{ %{
BifEvent::generate_ssl_heartbeat(bro_analyzer(), BifEvent::generate_ssl_heartbeat(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length); bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
new StringVal(data.length(), (const char*) data.data()));
return true; return true;
%} %}
@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let {
}; };
refine typeattr Heartbeat += &let { refine typeattr Heartbeat += &let {
proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length); proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
}; };
refine typeattr ClientHello += &let { refine typeattr ClientHello += &let {

2
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -233,7 +233,7 @@ type ApplicationData(rec: SSLRecord) = record {
type Heartbeat(rec: SSLRecord) = record { type Heartbeat(rec: SSLRecord) = record {
type : uint8; type : uint8;
payload_length : uint16; payload_length : uint16;
data : bytestring &restofdata &transient; data : bytestring &restofdata;
}; };
###################################################################### ######################################################################