mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Fix TLS 1.3 session resumption detection.
Now we detect TLS 1.3 session resumption by looking if both sides have the PSK extension set, which is much more exact than the previous approach.
This commit is contained in:
Johanna Amann
Johanna Amann
parent
84315b54c3
commit
3c95c9a956
8 changed files with 256 additions and 197 deletions
|
|
@ -46,6 +46,10 @@ export {
|
||||||
## by the client. This value is used to determine if a session
|
## by the client. This value is used to determine if a session
|
||||||
## is being resumed. It's not logged.
|
## is being resumed. It's not logged.
|
||||||
client_key_exchange_seen: bool &default=F;
|
client_key_exchange_seen: bool &default=F;
|
||||||
|
## Track if the client sent a pre-shared-key extension.
|
||||||
|
## Used to determine if a TLS 1.3 session is being resumed.
|
||||||
|
## Not logged.
|
||||||
|
client_psk_seen: bool &default=F;
|
||||||
|
|
||||||
## Last alert that was seen during the connection.
|
## Last alert that was seen during the connection.
|
||||||
last_alert: string &log &optional;
|
last_alert: string &log &optional;
|
||||||
|
|
@ -231,7 +235,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
|
||||||
}
|
}
|
||||||
c$ssl$cipher = cipher_desc[cipher];
|
c$ssl$cipher = cipher_desc[cipher];
|
||||||
|
|
||||||
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
|
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
|
||||||
c$ssl$resumed = T;
|
c$ssl$resumed = T;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -299,10 +303,16 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &pri
|
||||||
{
|
{
|
||||||
set_session(c);
|
set_session(c);
|
||||||
|
|
||||||
if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
|
if ( is_orig && code == 35 && |val| > 0 ) # 35 == SessionTicket TLS
|
||||||
# In this case, we might have an empty ID. Set back to F in client_hello event
|
# In this case, we might have an empty ID. Set back to F in client_hello event
|
||||||
# if it is not empty after all.
|
# if it is not empty after all.
|
||||||
c$ssl$client_ticket_empty_session_seen = T;
|
c$ssl$client_ticket_empty_session_seen = T;
|
||||||
|
else if ( is_orig && code == 41 ) # 41 == pre_shared_key
|
||||||
|
# In this case, the client sent a PSK extension which can be used for resumption
|
||||||
|
c$ssl$client_psk_seen = T;
|
||||||
|
else if ( ! is_orig && code == 41 && c$ssl$client_psk_seen )
|
||||||
|
# In this case, the server accepted the PSK offered by the client.
|
||||||
|
c$ssl$resumed = T;
|
||||||
}
|
}
|
||||||
|
|
||||||
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
|
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
|
||||||
|
|
|
||||||
|
|
@ -559,7 +559,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
|
||||||
## length: length of the entire message.
|
## length: length of the entire message.
|
||||||
##
|
##
|
||||||
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
|
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
|
||||||
## ssl_alert ssl_heartbeat
|
## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
|
||||||
event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
|
event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
|
||||||
|
|
||||||
## This event is generated for application data records of TLS 1.3 connections of which
|
## This event is generated for application data records of TLS 1.3 connections of which
|
||||||
|
|
|
||||||
|
|
@ -7,5 +7,5 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.86.23 63449 52.32.149.186 443 TLSv13-draft23 TLS_AES_128_GCM_SHA256 x25519 tls13.crypto.mozilla.org T - - T - - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.86.23 63449 52.32.149.186 443 TLSv13-draft23 TLS_AES_128_GCM_SHA256 x25519 tls13.crypto.mozilla.org F - - T - - - - - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,5 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
|
||||||
key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
|
key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
|
||||||
unknown-27242
|
unknown-27242
|
||||||
x25519
|
x25519
|
||||||
|
|
@ -7,6 +8,7 @@ key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p
|
||||||
unknown-19018
|
unknown-19018
|
||||||
x25519
|
x25519
|
||||||
client, TLSv10, TLSv12
|
client, TLSv10, TLSv12
|
||||||
|
tls13draft16-chrome55.0.2879.0-canary.pcap
|
||||||
key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
||||||
unknown-43690
|
unknown-43690
|
||||||
x25519
|
x25519
|
||||||
|
|
@ -14,6 +16,13 @@ client, TLSv10, TLSv12
|
||||||
key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
||||||
x25519
|
x25519
|
||||||
server, TLSv10, TLSv13-draft14
|
server, TLSv10, TLSv13-draft14
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
||||||
unknown-60138
|
unknown-60138
|
||||||
x25519
|
x25519
|
||||||
|
|
@ -21,17 +30,30 @@ client, TLSv10, TLSv12
|
||||||
key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
||||||
x25519
|
x25519
|
||||||
server, TLSv10, TLSv13-draft14
|
server, TLSv10, TLSv13-draft14
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
|
established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
|
||||||
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
tls13draft16-ff52.a01-aborted.pcap
|
||||||
key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
|
key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
|
||||||
x25519
|
x25519
|
||||||
secp256r1
|
secp256r1
|
||||||
secp384r1
|
secp384r1
|
||||||
client, TLSv10, TLSv12
|
client, TLSv10, TLSv12
|
||||||
client, TLSv10, TLSv12
|
client, TLSv10, TLSv12
|
||||||
|
tls13draft16-ff52.a01.pcap
|
||||||
key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
||||||
x25519
|
x25519
|
||||||
secp256r1
|
secp256r1
|
||||||
|
|
@ -40,6 +62,12 @@ client, TLSv10, TLSv12
|
||||||
key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
||||||
secp384r1
|
secp384r1
|
||||||
server, TLSv10, TLSv13-draft16
|
server, TLSv10, TLSv13-draft16
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
|
||||||
x25519
|
x25519
|
||||||
secp256r1
|
secp256r1
|
||||||
|
|
@ -48,13 +76,23 @@ client, TLSv10, TLSv12
|
||||||
key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
|
||||||
secp384r1
|
secp384r1
|
||||||
server, TLSv10, TLSv13-draft16
|
server, TLSv10, TLSv13-draft16
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
|
established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
|
||||||
|
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
|
||||||
|
tls13_psk_succesfull.pcap
|
||||||
key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
|
key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
|
||||||
x25519
|
x25519
|
||||||
client, TLSv10, TLSv12
|
client, TLSv10, TLSv12
|
||||||
|
|
@ -69,16 +107,21 @@ encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_
|
||||||
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
||||||
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
|
||||||
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
hrr.pcap
|
||||||
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
|
||||||
secp224r1
|
secp224r1
|
||||||
client, TLSv10, TLSv12
|
client, TLSv10, TLSv12
|
||||||
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
|
||||||
secp256r1
|
secp256r1
|
||||||
server, TLSv12, TLSv12
|
server, TLSv12, TLSv12
|
||||||
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
|
||||||
|
secp256r1
|
||||||
|
client, TLSv12, TLSv12
|
||||||
|
key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
|
||||||
|
secp256r1
|
||||||
|
server, TLSv12, TLSv12
|
||||||
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
||||||
established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
|
established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
|
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
|
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
|
||||||
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@ XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.6.203 53227 52.32.149.186 443 - - -
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.203 53994 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - F - - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.203 53994 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - T - - - - - -
|
||||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.6.203 53996 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - T - - - - - -
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.6.203 53996 138.68.41.77 443 TLSv13-draft14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 x25519 - F - - T - - - - - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
#separator \x09
|
#separator \x09
|
||||||
|
|
@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.178.80 54220 174.138.9.219 443 TLSv1
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||||
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - T - - T - - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - F - - T - - - - - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -1,13 +1,19 @@
|
||||||
|
# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary-aborted.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log > ssl-out.log
|
# @TEST-EXEC: cat ssl.log > ssl-out.log
|
||||||
|
# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: echo "tls13draft16-ff52.a01-aborted.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: echo "tls13draft16-ff52.a01.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: echo "tls13_psk_succesfull.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
|
# @TEST-EXEC: echo "hrr.pcap"
|
||||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
|
||||||
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
# @TEST-EXEC: cat ssl.log >> ssl-out.log
|
||||||
# @TEST-EXEC: btest-diff ssl-out.log
|
# @TEST-EXEC: btest-diff ssl-out.log
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue