Start porting the old spicy TLS analyzer into Zeek

This is very WIP and currently produces a link error.
Johanna Amann 2023-03-17 13:07:21 +01:00
parent 85acdea90f
commit 71cd4b2cf4
7 changed files with 1616 additions and 17 deletions


@ -96,13 +96,13 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_SSL,
[$get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file]);
# Files::register_protocol(Analyzer::ANALYZER_SSL,
# [$get_file_handle = SSL::get_file_handle,
# $describe = SSL::describe_file]);
Files::register_protocol(Analyzer::ANALYZER_DTLS,
[$get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file]);
# Files::register_protocol(Analyzer::ANALYZER_DTLS,
# [$get_file_handle = SSL::get_file_handle,
# $describe = SSL::describe_file]);
local ssl_filter = Log::get_filter(SSL::LOG, "default");
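Review bot: The two `Files::register_protocol` calls for `Analyzer::ANALYZER_SSL` and `Analyzer::ANALYZER_DTLS` are left in `zeek_init` as commented-out copies rather than removed or explained, so a reader cannot tell whether the file-handle registration is gone for good or only parked during the port. A single line above the block, e.g. `# TODO(spicy-tls): re-register get_file_handle/describe once the Spicy TLS analyzer's tag is available`, would make the intent explicit. With the registration disabled, files carried over SSL/DTLS presumably no longer receive the `SSL::get_file_handle`/`SSL::describe_file` callbacks until the new analyzer takes over, which is worth listing in the commit description as a known gap next to the link error. The `zeek_init` handler continues past the end of the hunk.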


@ -190,8 +190,8 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
event zeek_init() &priority=6
{
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
#Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
#Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
}
function set_session(c: connection)
@ -492,11 +492,11 @@ hook finalize_ssl(c: connection)
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=5
{
if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
{
set_session(info$c);
info$c$ssl$analyzer_id = info$aid;
}
#if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
# {
# set_session(info$c);
# info$c$ssl$analyzer_id = info$aid;
# }
}
event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@ -512,7 +512,7 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
{
if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
if ( info$c?$ssl )
finish(info$c, T);
# if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
# if ( info$c?$ssl )
# finish(info$c, T);
}
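Review bot: In the `@ -492` hunk the body of `analyzer_confirmation_info` is fully commented out, so `set_session(info$c)` no longer runs on confirmation and `c$ssl$analyzer_id` is never set; the `@ -512` hunk disables `analyzer_violation_info` the same way, so `finish(info$c, T)` no longer runs on a violation. Both handlers are left as empty event bodies with the old code behind `#`, which reads as accidental; either drop the handlers for now or put one line at the top of each, e.g. `# Disabled while the Spicy TLS port is in progress; re-enable once the new analyzer's tag is known.` The same applies to the two `Analyzer::register_for_ports` lines in the `@ -190` hunk, which additionally use `#Analyzer::` with no space after the `#`, unlike the `# ` style of the other disabled lines. If the Spicy analyzer registers under a tag other than `Analyzer::ANALYZER_SSL`/`Analyzer::ANALYZER_DTLS`, the `atype ==` comparisons will need adjusting when these handlers come back; that cannot be confirmed from this page.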