Update DTLS error handling

DTLS now only outputs protocol violations once it saw something that looked like a DTLS connection (at least a client hello). Before the danger that it misinterprets something is too high. It has a configurable number of invalid packets that it can skip over (because other protocols might be interleaved with the connection) and a maximum amount of Protocol violations that it outputs because of wrong packet versions.
2025-10-17 05:58:20 +00:00 · 2019-04-04 12:27:42 -07:00 · 2019-04-04 12:27:42 -07:00 · 7c48aad582
commit 7c48aad582
parent 99c89d55d6
11 changed files with 74 additions and 14 deletions
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@ -8,6 +8,7 @@ bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
 bro_plugin_bif(types.bif)
 bro_plugin_bif(events.bif)
 bro_plugin_bif(functions.bif)
+bro_plugin_bif(consts.bif)
 bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac
 	proc-client-hello.pac
 	proc-server-hello.pac
@ -16,7 +17,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz
 )
 bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac
 	proc-client-hello.pac
-    proc-server-hello.pac
+	proc-server-hello.pac
 	proc-certificate.pac
 )
 bro_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac)
--- a/src/analyzer/protocol/ssl/consts.bif
+++ b/src/analyzer/protocol/ssl/consts.bif
@ -0,0 +1,2 @@
+const SSL::dtls_max_version_errors: count;
+const SSL::dtls_max_reported_version_errors: count;
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@ -45,15 +45,40 @@ type Handshake(rec: SSLRecord) = record {

 refine connection SSL_Conn += {

+	%member{
+		uint16 invalid_version_count_;
+		uint16 reported_errors_;
+	%}
+
+	%init{
+		invalid_version_count_ = 0;
+		reported_errors_ = 0;
+	%}
+
 	function dtls_version_ok(version: uint16): uint16
 		%{
 		switch ( version ) {
 		case DTLSv10:
 		case DTLSv12:
+			// Reset only to 0 once we have seen a client hello.
+			// This means the connection gets a limited amount of valid/invalid
+			// packets before a client hello has to be seen - which seems reasonable.
+			if ( bro_analyzer()->ProtocolConfirmed() )
+				invalid_version_count_ = 0;
 			return true;

 		default:
-			bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version));			
+			invalid_version_count_++;
+
+			if ( bro_analyzer()->ProtocolConfirmed() )
+				{
+				reported_errors_++;
+				if ( reported_errors_ <= BifConst::SSL::dtls_max_reported_version_errors )
+					bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version));
+				}
+
+			if ( invalid_version_count_ > BifConst::SSL::dtls_max_version_errors )
+				bro_analyzer()->SetSkip(true);
 			return false;
 		}
 		%}
--- a/src/analyzer/protocol/ssl/dtls.pac
+++ b/src/analyzer/protocol/ssl/dtls.pac
@ -10,6 +10,7 @@ namespace analyzer { namespace dtls { class DTLS_Analyzer; } }
 typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer;

 #include "DTLS.h"
+#include "consts.bif.h"
 %}

 extern type DTLSAnalyzer;