From 5bd0c3fcaffee977b4278e1b930a037774d07765 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Wed, 14 May 2014 15:45:47 -0700
Subject: [PATCH] move tls content types from heartbleed to consts.bro. Seems better to put them there...
---
 scripts/base/protocols/ssl/consts.bro | 11 +++++++++++
 scripts/policy/protocols/ssl/heartbleed.bro | 15 ++-------------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index e1b366130f..da8bb28151 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -15,6 +15,17 @@ export {
 [TLSv12] = "TLSv12",
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
+ ## TLS content types:
+ const CHANGE_CIPHER_SPEC = 20;
+ const ALERT = 21;
+ const HANDSHAKE = 22;
+ const APPLICATION_DATA = 23;
+ const HEARTBEAT = 24;
+ const V2_ERROR = 300;
+ const V2_CLIENT_HELLO = 301;
+ const V2_CLIENT_MASTER_KEY = 302;
+ const V2_SERVER_HELLO = 304;
+
 ## Mapping between numeric codes and human readable strings for alert
 ## levels.
 const alert_levels: table[count] of string = {
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 63fc2e72c9..12087f1fc8 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -37,17 +37,6 @@ redef record SSL::Info += {
 enc_appdata_bytes: count &default=0;
 };
-# TLS content types:
-const CHANGE_CIPHER_SPEC = 20;
-const ALERT = 21;
-const HANDSHAKE = 22;
-const APPLICATION_DATA = 23;
-const HEARTBEAT = 24;
-const V2_ERROR = 300;
-const V2_CLIENT_HELLO = 301;
-const V2_CLIENT_MASTER_KEY = 302;
-const V2_SERVER_HELLO = 304;
-
 type min_length: record {
 cipher: pattern;
 min_length: count;
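Review bot: In the consts.bro hunk the single `## TLS content types:` comment is the only documentation for nine newly exported constants, and it does not say that `V2_ERROR` through `V2_SERVER_HELLO` (300–304) cannot be on-the-wire values, since the TLS record content-type field is one byte. Anyone writing detection logic against `content_type` needs to know which values come from the record header and which are presumably assigned by the analyzer for SSLv2 messages. I would split the group and put a comment such as `## SSLv2 message types; values above 255 are presumably analyzer-assigned, not wire values (confirm against the analyzer).` before `V2_ERROR`. The `export` block opens and closes outside the hunk.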
@@ -236,9 +225,9 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
 {
- if ( content_type == HEARTBEAT )
+ if ( content_type == SSL::HEARTBEAT )
 event ssl_encrypted_heartbeat(c, is_orig, length);
- else if ( (content_type == APPLICATION_DATA) && (length > 0) )
+ else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
 {
 ++c$ssl$enc_appdata_packages;
 c$ssl$enc_appdata_bytes += length;
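Review bot: The application-data branch of `ssl_encrypted_data` increments `c$ssl$enc_appdata_packages` and adds to `c$ssl$enc_appdata_bytes` without first checking that `c$ssl` is set, and nothing visible in the hunk shows that the record is guaranteed to exist when this event fires. If it can be missing, the handler would stop with a runtime error on that connection and the counters the heartbeat checks presumably rely on would not be updated. A guard at the top of the handler, `if ( ! c?$ssl ) return;`, would make that case explicit. The handler body continues past the end of the hunk.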