diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index e4f01c6593..72460d42f1 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -68,6 +68,36 @@ export {
 ## Flag to indicate if this record already has been logged, to
 ## prevent duplicates.
 logged: bool &default=F;
+
+ ## SSL history showing which types of packets we received in which order.
+ ## Letters have the following meaning with client-sent letters being capitalized:
+ ## H hello_request
+ ## C client_hello
+ ## S server_hello
+ ## V hello_verify_request
+ ## T NewSessionTicket
+ ## X certificate
+ ## K server_key_exchange
+ ## R certificate_request
+ ## N server_hello_done
+ ## Y certificate_verify
+ ## G client_key_exchange
+ ## F finished
+ ## W certificate_url
+ ## U certificate_status
+ ## A supplemental_data
+ ## Z unassigned_handshake_type
+ ## I change_cipher_spec
+ ## B heartbeat
+ ## D application_data
+ ## E end_of_early_data
+ ## O encrypted_extensions
+ ## P key_update
+ ## M message_hash
+ ## J hello_retry_request
+ ## L alert
+ ## Q unknown_content_type
+ ssl_history: string &log &default="";
 };
 
 ## The default root CA bundle. By default, the mozilla-ca-list.zeek
@@ -162,6 +192,14 @@ function set_session(c: connection)
 }
 }
 
+function add_to_history(c: connection, is_orig: bool, char: string)
+ {
+ if ( is_orig )
+ c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
+ else
+ c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
+ }
+
 function delay_log(info: Info, token: string)
 {
 if ( ! info?$delay_tokens )
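Review bot: The letter table documents `D application_data` and `Q unknown_content_type`, but nothing in this diff ever appends "d" or "q" to `ssl_history` — the switch in ssl_handshake_message covers handshake types only, and the remaining hunks add just "i", "l" and "b" — so either an emitter exists outside this diff or those two rows describe letters that never appear. The comment should also state that a letter is recorded only for messages the parser actually sees: the updated baseline in this same diff logs `CsxknGIti` for a session with established=T and no `F`, which suggests handshake messages sent encrypted (such as Finished) are not reflected. I would add to the field comment `## Only messages visible to the parser are recorded; encrypted handshake messages may be absent.` and either drop the D/Q rows or point to where they are emitted.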
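Review bot: `add_to_history` appends to `c$ssl$ssl_history` without any bound, so a peer that keeps sending records (heartbeats, alerts, or any handshake type, since the `default` case in the ssl_handshake_message hunk records unknown types as "z" too) grows the string for the life of the connection, and because the field is `&log` the whole string ends up in ssl.log. A cap keeps per-connection memory and log size bounded: add a redef-able constant to the export block, e.g. `const max_ssl_history_length = 100 &redef;` (constructed default), and start the function with `if ( |c$ssl$ssl_history| >= max_ssl_history_length ) return;`. Two smaller points: `char` is not checked to be a single character, and the function is only safe once `set_session` has populated `c$ssl`, which every caller in this diff does but the function does not document; a one-line comment `# Caller must have run set_session(c) first.` would make that contract explicit.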
@@ -296,6 +334,75 @@ event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, lengt
 
 if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE )
 c$ssl$client_key_exchange_seen = T;
+
+ switch ( msg_type )
+ {
+ case SSL::HELLO_REQUEST:
+ add_to_history(c, is_orig, "h");
+ break;
+ case SSL::CLIENT_HELLO:
+ add_to_history(c, is_orig, "c");
+ break;
+ case SSL::SERVER_HELLO:
+ add_to_history(c, is_orig, "s");
+ break;
+ case SSL::HELLO_VERIFY_REQUEST:
+ add_to_history(c, is_orig, "v");
+ break;
+ case SSL::SESSION_TICKET:
+ add_to_history(c, is_orig, "t");
+ break;
+ # end of early data
+ case 5:
+ add_to_history(c, is_orig, "e");
+ break;
+ case SSL::HELLO_RETRY_REQUEST:
+ add_to_history(c, is_orig, "j");
+ break;
+ case SSL::ENCRYPTED_EXTENSIONS:
+ add_to_history(c, is_orig, "o");
+ break;
+ case SSL::CERTIFICATE:
+ add_to_history(c, is_orig, "x");
+ break;
+ case SSL::SERVER_KEY_EXCHANGE:
+ add_to_history(c, is_orig, "k");
+ break;
+ case SSL::CERTIFICATE_REQUEST:
+ add_to_history(c, is_orig, "r");
+ break;
+ case SSL::SERVER_HELLO_DONE:
+ add_to_history(c, is_orig, "n");
+ break;
+ case SSL::CERTIFICATE_VERIFY:
+ add_to_history(c, is_orig, "y");
+ break;
+ case SSL::CLIENT_KEY_EXCHANGE:
+ add_to_history(c, is_orig, "g");
+ break;
+ case SSL::FINISHED:
+ add_to_history(c, is_orig, "f");
+ break;
+ case SSL::CERTIFICATE_URL:
+ add_to_history(c, is_orig, "w");
+ break;
+ case SSL::CERTIFICATE_STATUS:
+ add_to_history(c, is_orig, "u");
+ break;
+ case SSL::SUPPLEMENTAL_DATA:
+ add_to_history(c, is_orig, "a");
+ break;
+ case SSL::KEY_UPDATE:
+ add_to_history(c, is_orig, "p");
+ break;
+ # message hash
+ case 254:
+ add_to_history(c, is_orig, "m");
+ break;
+ default:
+ add_to_history(c, is_orig, "z");
+ break;
+ }
 }
 
 # Extension event is fired _before_ the respective client or server hello.
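Review bot: `case 5:` and `case 254:` are the only arms of the new switch written as bare numbers, each needing a comment to explain itself, while every other arm uses a named `SSL::` constant; if the constants file has no names for end_of_early_data and message_hash, declaring them next to the existing ones (e.g. `const END_OF_EARLY_DATA = 5;` and `const MESSAGE_HASH = 254;`, constructed names) keeps the switch uniform and greppable. The `default:` arm also collapses every unrecognised handshake type from either peer into "z", so reserved, private-use and malformed types become indistinguishable in the log; that is a reasonable choice for a history string but deserves a comment such as `# Any other (reserved/private-use/unknown) handshake type is recorded as 'z'.`. The body of ssl_handshake_message starts outside the hunk.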
@@ -319,6 +426,7 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &pri
 event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
 {
 set_session(c);
+ add_to_history(c, is_orig, "i");
 
 if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
 c$ssl$resumed = T;
@@ -327,10 +435,17 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
 {
 set_session(c);
+ add_to_history(c, is_orig, "l");
 
 c$ssl$last_alert = alert_descriptions[desc];
 }
 
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
+ {
+ set_session(c);
+ add_to_history(c, is_orig, "b");
+ }
+
 event ssl_established(c: connection) &priority=7
 {
 c$ssl$established = T;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
index c0fa8019cd..86aace9f90 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
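Review bot: The new `ssl_heartbeat` handler carries no `&priority`, while the neighbouring `ssl_alert` and `ssl_change_cipher_spec` handlers that do the same `set_session`/`add_to_history` work are `&priority=5`; without it, the order of this handler relative to any other `ssl_heartbeat` handler at default priority is not guaranteed, so a script that inspects `c$ssl$ssl_history` from its own heartbeat handler may or may not see the "b" yet. The signature should read `event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) &priority=5`. A short comment above it, e.g. `# Records heartbeat records in ssl_history; the payload itself is not inspected here.`, would also make clear that this handler deliberately ignores `payload` and `payload_length`.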
@@ -5,7 +5,7 @@
 #unset_field -
 #path ssl
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fps client_cert_chain_fps subject issuer
-#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T a580247a25324adf4add5af648de4ac5798030dfd622f26a5f2280d7528ae244,250da2691be97c9a33ceef7e311c14fb01846e058a99cea9bd1125bd25a0cad5 (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps subject issuer
+#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T CsxknGIti a580247a25324adf4add5af648de4ac5798030dfd622f26a5f2280d7528ae244,250da2691be97c9a33ceef7e311c14fb01846e058a99cea9bd1125bd25a0cad5 (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US
 #close XXXX-XX-XX-XX-XX-XX