Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ssl: Prevent unbounded ssl_history growth

Browse source 
The ssl_history field may grow unbounded (e.g., ssl_alert event). Prevent this
by capping using a configurable limit (default 100) and raise a weird once reached.
This commit is contained in:
Arne Welzel 2023-10-19 16:32:12 +02:00 committed by Tim Wojtulewicz
parent 39a7375f0c
commit 5984792f04
6 changed files with 33 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
NEWS
View file

@ -174,6 +174,11 @@ Changed Functionality
If there are more alerts, a new weird "SSL_excessive_alerts_in_record" is raised.
For non-TLS 1.3, the maximum can be redefined via ``SSL::max_alerts_per_record``.
- The ``ssl_history`` field in the ssl.log is now capped at a configurable
limit of 100 characters prevent unbounded growth. The limit can be changed
via the option ``SSL::max_ssl_history_length``. When reached, a new weird
named "SSL_max_ssl_history_length_reached" is raised.
Deprecated Functionality
------------------------

10
scripts/base/protocols/ssl/main.zeek
View file

@ -143,6 +143,10 @@ export {
## (especially with large file transfers).
option disable_analyzer_after_detection = T;
## Maximum length of the ssl_history field to prevent unbounded
## growth when the parser is running into unexpected situations.
option max_ssl_history_length = 100;
## Delays an SSL record for a specific token: the record will not be
## logged as long as the token exists or until 15 seconds elapses.
global delay_log: function(info: Info, token: string);
@ -208,10 +212,16 @@ function set_session(c: connection)
function add_to_history(c: connection, is_client: bool, char: string)
{
if ( |c$ssl$ssl_history| == max_ssl_history_length )
return;
if ( is_client )
c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
else
c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
if ( |c$ssl$ssl_history| == max_ssl_history_length )
Reporter::conn_weird("SSL_max_ssl_history_length_reached", c);
}
function delay_log(info: Info, token: string)

2
testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/ssl-max-history-length-3.log Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CHhAvVGS1DHFjwGM9 Csx

2
testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/ssl-max-history-length-default.log Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CHhAvVGS1DHFjwGM9 CsxknGIti

2
testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/weird-max-history-length-3.log Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CHhAvVGS1DHFjwGM9 SSL_max_ssl_history_length_reached

12
testing/btest/scripts/base/protocols/ssl/max-history-length.test Normal file
View file

@ -0,0 +1,12 @@
# Test max history length functionality
# @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace
# @TEST-EXEC: zeek-cut uid ssl_history < ssl.log > ssl-max-history-length-default.log
# @TEST-EXEC: btest-diff ssl-max-history-length-default.log
# @TEST-EXEC: ! test -f weird.log
#
# @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace SSL::max_ssl_history_length=3
# @TEST-EXEC: zeek-cut uid ssl_history < ssl.log > ssl-max-history-length-3.log
# @TEST-EXEC: zeek-cut uid name < weird.log > weird-max-history-length-3.log
# @TEST-EXEC: btest-diff ssl-max-history-length-3.log
# @TEST-EXEC: btest-diff weird-max-history-length-3.log