Merge branch 'topic/johanna/no-error-message-durning-tls-or-dtls-protocol-violations'

* topic/johanna/no-error-message-durning-tls-or-dtls-protocol-violations: SSL: failing analyzer handling - address review feedback SSL: do not try to disable failed analyzer Also folds in minor feedback from GH-3012
2025-10-02 06:38:20 +00:00 · 2023-05-03 14:16:51 +01:00 · 2023-05-03 14:16:51 +01:00 · 9742d9a76e
commit 9742d9a76e
parent cc25129b2f 9a47e201f8
7 changed files with 30 additions and 2 deletions
--- a/13
+++ b/13
@ -1,3 +1,16 @@
+6.0.0-dev.484 | 2023-05-03 14:18:03 +0100
+
+  * SSL: do not try to disable failed analyzer (Johanna Amann, Corelight)
+
+    Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
+    will still try to remove the analyzer later, which results in the
+    following error message:
+
+    error: connection does not have analyzer specified to disable
+
+    Now, instead we don't try removing the analyzer anymore, after a
+    violation occurred.
+
 6.0.0-dev.480 | 2023-05-02 20:28:55 +0200

  * ip4_hdr: Add DF, MF, offset and sum fields (Arne Welzel, Corelight)
--- a/5
+++ b/5
@ -306,6 +306,11 @@ Changed Functionality
 - Libpcap based packet source now avoids the 32bit wraparound of link and
  dropped packet counters as reported by users.

+- The `ssl_history` field in ssl.log indicates that the letter `j` is reserved
+  for hello retry requests. However, this logging was never fully implemented;
+  instead, hello retry requests were logged like as a server hello (with the letter
+  `s`). This oversight was fixed, and hello retry requests are now correctly logged.
+
 Removed Functionality
 ---------------------

--- a/2
+++ b/2
@ -1 +1 @@
-6.0.0-dev.480
+6.0.0-dev.484
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -514,5 +514,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 	{
 	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 		if ( info$c?$ssl )
-			finish(info$c, T);
+			{
+			# analyzer errored out; prevent us from trying to remove it later
+			delete info$c$ssl$analyzer_id;
+			finish(info$c, F);
+			}
 	}
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
--- a/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
+++ b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
--- a/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
@ -0,0 +1,5 @@
+# This tests that no error messages are output when a protocol violation occurs
+
+# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
+# @TEST-EXEC: test -f dpd.log
+# @TEST-EXEC: btest-diff .stderr
				`@ -0,0 +1 @@`
				`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`