Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/johanna/no-error-message-durning-tls-or-dtls-protocol-violations'

Browse source 
* topic/johanna/no-error-message-durning-tls-or-dtls-protocol-violations:
  SSL: failing analyzer handling - address review feedback
  SSL: do not try to disable failed analyzer

Also folds in minor feedback from GH-3012
This commit is contained in:
Johanna Amann 2023-05-03 14:16:51 +01:00
commit 9742d9a76e
7 changed files with 30 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

13
CHANGES
View file

@ -1,3 +1,16 @@
6.0.0-dev.484 | 2023-05-03 14:18:03 +0100
* SSL: do not try to disable failed analyzer (Johanna Amann, Corelight)
Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
will still try to remove the analyzer later, which results in the
following error message:
error: connection does not have analyzer specified to disable
Now, instead we don't try removing the analyzer anymore, after a
violation occurred.
6.0.0-dev.480 | 2023-05-02 20:28:55 +0200 6.0.0-dev.480 | 2023-05-02 20:28:55 +0200
* ip4_hdr: Add DF, MF, offset and sum fields (Arne Welzel, Corelight) * ip4_hdr: Add DF, MF, offset and sum fields (Arne Welzel, Corelight)

5
NEWS
View file

@ -306,6 +306,11 @@ Changed Functionality
- Libpcap based packet source now avoids the 32bit wraparound of link and - Libpcap based packet source now avoids the 32bit wraparound of link and
dropped packet counters as reported by users. dropped packet counters as reported by users.
- The `ssl_history` field in ssl.log indicates that the letter `j` is reserved
for hello retry requests. However, this logging was never fully implemented;
instead, hello retry requests were logged like as a server hello (with the letter
`s`). This oversight was fixed, and hello retry requests are now correctly logged.
Removed Functionality Removed Functionality
--------------------- ---------------------

2
VERSION
View file

@ -1 +1 @@
6.0.0-dev.480 6.0.0-dev.484

6
scripts/base/protocols/ssl/main.zeek
View file

@ -514,5 +514,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
{ {
if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS ) if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
if ( info$c?$ssl ) if ( info$c?$ssl )
finish(info$c, T); {
# analyzer errored out; prevent us from trying to remove it later
delete info$c$ssl$analyzer_id;
finish(info$c, F);
}
} }

1
testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr Normal file
View file

@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

BIN
testing/btest/Traces/tls/tls1.2-protocol-violation.pcap Normal file
View file

Binary file not shown.

5
testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test Normal file
View file

@ -0,0 +1,5 @@
# This tests that no error messages are output when a protocol violation occurs
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
# @TEST-EXEC: test -f dpd.log
# @TEST-EXEC: btest-diff .stderr