Match DPD TLS signature on one-sided connections.

This commit changes DPD matching for TLS connections. A one-sided match is enough to enable DPD now. This commit also removes DPD for SSLv2 connections. SSLv2 connections do basically no longer happen in the wild. SSLv2 is also really finnicky to identify correctly - there is very little data required to match it, and basically all matches today will be false positives. If DPD for SSLv2 is still desired, the optional signature in policy/protocols/ssl/dpd-v2.sig can be loaded. Fixes GH-1952
2025-10-02 14:48:21 +00:00 · 2022-02-01 16:48:57 +00:00 · 2022-02-01 16:48:57 +00:00 · 95f1565498
commit 95f1565498
parent 0793a38cc5
4 changed files with 27 additions and 9 deletions
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@ -1,17 +1,17 @@
-signature dpd_ssl_server {
+signature dpd_tls_server {
  ip-proto == tcp
-  # Server hello.
-  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
-  requires-reverse-signature dpd_ssl_client
-  enable "ssl"
+  # SSL3 / TLS Server hello.
+  payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
  tcp-state responder
+  enable "ssl"
 }

-signature dpd_ssl_client {
+signature dpd_tls_client {
  ip-proto == tcp
-  # Client hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
+  # SSL3 / TLS Client hello.
+  payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
  tcp-state originator
+  enable "ssl"
 }

 signature dpd_dtls_client {
--- a/scripts/policy/protocols/ssl/dpd-v2.sig
+++ b/scripts/policy/protocols/ssl/dpd-v2.sig
@ -0,0 +1,17 @@
+# This signature can be used to enable DPD for SSL version 2.
+# Note that SSLv2 is basically unused by now. Due to the structure of the protocol, it also is sometimes
+# hard to disambiguate it from random noise - so you will probably always get a few false positives.
+
+signature dpd_ssl_server {
+	ip-proto == tcp
+	payload /^...?\x04..\x00\x02.*/
+	requires-reverse-signature dpd_ssl_client
+	tcp-state responder
+	enable "ssl"
+}
+
+signature dpd_ssl_client {
+	ip-proto == tcp
+	payload /^...?\x01[\x00\x03][\x00\x01\x02\x03\x04].*/
+	tcp-state originator
+}
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@ -8,6 +8,7 @@
@load base/frameworks/dpd
@load base/frameworks/signatures
@load-sigs base/protocols/ssl/dpd.sig
+@load-sigs policy/protocols/ssl/dpd-v2.sig

 event zeek_init()
  {
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-7c40cc2c3709fc54e5c75c119d1d01ed8a3ceb93
+76b3112a06ff6c1b25c2aedcfe1828bf0b82d7bf