make the SSL analyzer skip further processing once encountering

situations which are very probably non-recoverable.

Current behavior could lead to us jumping into the middle of an old
443 stream and interpreting some data as SSL before failing again.
Johanna Amann 2014-11-25 14:57:10 -08:00
parent 5436faed69
commit 529668670a
2 changed files with 20 additions and 4 deletions


@ -759,6 +759,7 @@ refine connection SSL_Conn += {
version != TLSv11 && version != TLSv12 )
{
bro_analyzer()->ProtocolViolation(fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
bro_analyzer()->SetSkip(true);
return UNKNOWN_VERSION;
}
}
@ -775,6 +776,7 @@ refine connection SSL_Conn += {
version != TLSv11 && version != TLSv12 )
{
bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL client hello. Version: %d", version));
bro_analyzer()->SetSkip(true);
return UNKNOWN_VERSION;
}
@ -791,6 +793,7 @@ refine connection SSL_Conn += {
else // this is not SSL or TLS.
{
bro_analyzer()->ProtocolViolation(fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
bro_analyzer()->SetSkip(true);
return UNKNOWN_VERSION;
}
}
@ -800,6 +803,7 @@ refine connection SSL_Conn += {
version != TLSv11 && version != TLSv12 )
{
bro_analyzer()->ProtocolViolation(fmt("Invalid version in TLS connection. Version: %d", version));
bro_analyzer()->SetSkip(true);
return UNKNOWN_VERSION;
}
@ -810,6 +814,7 @@ refine connection SSL_Conn += {
}
bro_analyzer()->ProtocolViolation(fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
bro_analyzer()->SetSkip(true);
return UNKNOWN_VERSION;
%}
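Review bot: The new `bro_analyzer()->SetSkip(true)` calls turn every one of these protocol violations into a permanent stop for the rest of the connection, and in the first hunk ("Invalid version late in TLS connection") that happens on a stream the analyzer had already accepted as TLS, so a single malformed record from either endpoint is enough to end inspection of everything that follows on that connection. That is the trade-off the commit message describes as "very probably non-recoverable", but it is also the classic way an analyzer gets evaded, so it deserves a comment at that site, e.g. `// Stop analyzing this connection for good; a bad version here is almost never recoverable, but this also ends inspection of any later data on the stream.` The same two-line `ProtocolViolation(...)` + `SetSkip(true)` pattern is repeated in all five hunks; if binpac's refine block allows it, a small shared helper that takes the message and does both calls would keep the skip policy in one place. The enclosing functions in every hunk start outside the shown lines, and the rendered page drops the `+`/`-` markers, so the exact placement of the added lines is inferred.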