Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 20:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Let TLS analyzer fail better when no longer in sync with the data stream. The

Browse source 
version field in each record-layer packet is now re-checked.
This commit is contained in:
Bernhard Amann 2014-05-08 11:32:52 -07:00
parent 012156e9f1
commit 9014629a7d
3 changed files with 22 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

15
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -44,6 +44,8 @@ type SSLRecord(is_orig: bool) = record {
};
length : int = case version of {
# fail analyzer if the packet cannot be recognized as TLS.
UNKNOWN_VERSION -> 0;
SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
default -> (head3 << 8) | head4;
};
@ -748,6 +750,19 @@ refine connection SSL_Conn += {
function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
head2 : uint8, head3: uint8, head4: uint8) : int
%{
// re-check record layer version to be sure that we still are synchronized with
// the data stream
if ( record_layer_version_ != UNKNOWN_VERSION && record_layer_version_ != SSLv20 )
{
uint16 version = (head1<<8) | head2;
if ( version != SSLv30 && version != TLSv10 &&
version != TLSv11 && version != TLSv12 )
{
bro_analyzer()->ProtocolViolation(fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
return UNKNOWN_VERSION;
}
}
if ( record_layer_version_ != UNKNOWN_VERSION )
return record_layer_version_;