From 991e4f5dc355a699fca1fb0b02b53ec2ec00321a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 12 Mar 2015 15:46:17 -0700 Subject: [PATCH] DTLS working. The only thing that is missing is a signature to detect the protocol (it has no well-known port). Reassembly is kind of fidgety - at the moment we only support re-assembling one simultaneous message per direction (which looking at our test-traffic might not be a problem). And I am not quite sure if I got all cases correct... But - it works :) --- scripts/base/protocols/ssl/consts.bro | 7 + src/analyzer/protocol/ssl/CMakeLists.txt | 2 +- src/analyzer/protocol/ssl/DTLS.cc | 39 ++++- src/analyzer/protocol/ssl/DTLS.h | 9 +- src/analyzer/protocol/ssl/SSL.cc | 3 + src/analyzer/protocol/ssl/dtls-analyzer.pac | 148 ++++++++++++++++++ src/analyzer/protocol/ssl/dtls-protocol.pac | 40 +++-- src/analyzer/protocol/ssl/dtls.pac | 10 +- src/analyzer/protocol/ssl/ssl-defs.pac | 11 +- src/analyzer/protocol/ssl/ssl-protocol.pac | 4 +- .../protocol/ssl/tls-handshake-protocol.pac | 49 ++++-- .../scripts.base.protocols.ssl.dtls/ssl.log | 10 ++ .../scripts.base.protocols.ssl.dtls/x509.log | 10 ++ .../scripts/base/protocols/ssl/dtls.test | 5 + 14 files changed, 312 insertions(+), 35 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log create mode 100644 testing/btest/scripts/base/protocols/ssl/dtls.test diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 3d115419d4..05559ee5d0 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -6,6 +6,11 @@ export { const TLSv10 = 0x0301; const TLSv11 = 0x0302; const TLSv12 = 0x0303; + + const DTLSv10 = 0xFEFF; + # DTLSv11 does not exist + const DTLSv12 = 0xFEFD; + ## Mapping between the constants and string values for SSL/TLS versions. const version_strings: table[count] of string = { [SSLv2] = "SSLv2", @@ -13,6 +18,8 @@ export { [TLSv10] = "TLSv10", [TLSv11] = "TLSv11", [TLSv12] = "TLSv12", + [DTLSv10] = "DTLSv10", + [DTLSv12] = "DTLSv12" } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## TLS content types: diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index fab0d30f07..f69b7354e3 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -6,7 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro SSL) bro_plugin_cc(SSL.cc Plugin_SSL.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac) +bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc index 7c49dba439..c90e414031 100644 --- a/src/analyzer/protocol/ssl/DTLS.cc +++ b/src/analyzer/protocol/ssl/DTLS.cc @@ -5,28 +5,61 @@ #include "events.bif.h" +#include "dtls_pac.h" +#include "tls-handshake_pac.h" + using namespace analyzer::dtls; DTLS_Analyzer::DTLS_Analyzer(Connection* c) : analyzer::Analyzer("DTLS", c) { interp = new binpac::DTLS::SSL_Conn(this); - fprintf(stderr, "Instantiated :)\n"); + handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this); } DTLS_Analyzer::~DTLS_Analyzer() { delete interp; + delete handshake_interp; } void DTLS_Analyzer::Done() { - Analyzer::Done(); + Analyzer::Done(); + interp->FlowEOF(true); + interp->FlowEOF(false); + handshake_interp->FlowEOF(true); + handshake_interp->FlowEOF(false); } void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - fprintf(stderr, "Delivered packet :)\n"); interp->NewData(orig, data, data + len); } + +void DTLS_Analyzer::EndOfData(bool is_orig) + { + Analyzer::EndOfData(is_orig); + interp->FlowEOF(is_orig); + handshake_interp->FlowEOF(is_orig); + } + + +void DTLS_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig) + { + try + { + handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1); + uint32 host_length = htonl(length); + // the parser inspects a uint24 - since it is big-endian, it should be ok to just skip + // the first byte of the uint32. Since we get the data from an uint24 from the dtls-parser, this should + // always yield the correct result. + handshake_interp->NewData(orig, (const unsigned char*) &host_length + 1, (const unsigned char*) &host_length + sizeof(host_length)); + handshake_interp->NewData(orig, begin, end); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } + } diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index c45a311c8c..6611a6974e 100644 --- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h @@ -4,7 +4,10 @@ #include "events.bif.h" #include "analyzer/protocol/udp/UDP.h" -#include "dtls_pac.h" + +namespace binpac { namespace DTLS { class SSL_Conn; } } + +namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace analyzer { namespace dtls { @@ -17,6 +20,9 @@ public: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); + virtual void EndOfData(bool is_orig); + + void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig); static analyzer::Analyzer* Instantiate(Connection* conn) @@ -24,6 +30,7 @@ public: protected: binpac::DTLS::SSL_Conn* interp; + binpac::TLSHandshake::Handshake_Conn* handshake_interp; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 71b7511716..d571439f19 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -30,12 +30,15 @@ void SSL_Analyzer::Done() interp->FlowEOF(true); interp->FlowEOF(false); + handshake_interp->FlowEOF(true); + handshake_interp->FlowEOF(false); } void SSL_Analyzer::EndpointEOF(bool is_orig) { tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); + handshake_interp->FlowEOF(is_orig); } void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac index 139597f9cb..f4c2df9e3f 100644 --- a/src/analyzer/protocol/ssl/dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac @@ -1,2 +1,150 @@ +refine connection SSL_Conn += { + + %member{ + + struct message_info { + uint64 message_first_sequence; // the minumum dtls sequence number for this handshake fragment + bool first_sequence_seen; // did we actually see the fragment with the smallest number + uint64 message_last_sequence; // the mazimum dtls sequence number for this handshake fragment + uint16 message_handshake_sequence; // the handshake sequence number of this handshake (to identify) + uint32 message_length; // data length of this handshake (data in buffer) + uint32 message_sequence_seen; // a bitfield that shows which sequence numbers we already saw, offset from first_seq. + u_char* buffer; + } server, client; + %} + + %init{ + memset(&server, 0, sizeof(server)); + memset(&client, 0, sizeof(client)); + %} + + %cleanup{ + delete [] server.buffer; + delete [] client.buffer; + %} + + function proc_dtls(pdu: SSLRecord, sequence: uint64): bool + %{ + //fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch}); + + return true; + %} + + function proc_handshake(pdu: SSLRecord, rec: Handshake): bool + %{ + uint32 foffset = to_int()(${rec.fragment_offset}); + uint32 flength = to_int()(${rec.fragment_length}); + uint32 length = to_int()(${rec.length}); + uint64 sequence_number = to_int()(${pdu.sequence_number}); + //fprintf(stderr, "Handshake type: %d, length: %u, seq: %u, foffset: %u, flength: %u\n", ${rec.msg_type}, to_int()(${rec.length}), ${rec.message_seq}, to_int()(${rec.fragment_offset}), to_int()(${rec.fragment_length})); + + if ( foffset == 0 && length == flength ) + { + //fprintf(stderr, "Complete fragment, forwarding...\n"); + bro_analyzer()->SendHandshake(${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig}); + return true; + } + + // if we fall through here, the message has to be reassembled. Let's first get the right info record... + message_info* i; + if ( ${pdu.is_orig} ) + i = &client; + else + i = &server; + + if ( length > MAX_DTLS_HANDSHAKE_RECORD ) + { + bro_analyzer()->ProtocolViolation(fmt("DTLS record length %u larger than allowed maximum.", length)); + return true; + } + + if ( i->message_handshake_sequence != ${rec.message_seq} || i->message_length != length || i->buffer == 0 ) + { + // cannot resume reassembling. Let's abandon the current data and try anew... + delete [] i->buffer; + memset(i, 0, sizeof(message_info)); + i->message_handshake_sequence = ${rec.message_seq}; + i->message_length = length; + i->buffer = new u_char[length]; + // does not have to be the first sequence number - we cannot figure that out at this point. If it is not, + // we will fix that later... + i->message_first_sequence = sequence_number; + } + + // if we arrive here, we are actually ready to resume. + if ( i->message_first_sequence > sequence_number ) + { + if ( i->first_sequence_seen ) + { + bro_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake."); + return true; + } + // first sequence number was incorrect, let's fix that. + uint64 diff = i->message_first_sequence - sequence_number; + i->message_sequence_seen = i->message_sequence_seen << diff; + i->message_first_sequence = sequence_number; + } + + // if we have offset 0, we know the smallest number... + if ( foffset == 0 ) + i->first_sequence_seen = true; + + // check if we already saw the message + if ( ( i->message_sequence_seen & ( 1 << (sequence_number - i->message_first_sequence) ) ) != 0 ) + return true; // do not handle same message fragment twice + + // copy data from fragment to buffer + if ( ${rec.data}.length() != flength ) + { + bro_analyzer()->ProtocolViolation(fmt("DTLS handshake record length does not match packet length")); + return true; + } + + if ( foffset + flength > length ) + { + bro_analyzer()->ProtocolViolation(fmt("DTLS handshake fragment trying to write past end of buffer")); + return true; + } + + // store that we handled fragment + i->message_sequence_seen |= 1 << (sequence_number - i->message_first_sequence); + memcpy(i->buffer + foffset, ${rec.data}.data(), ${rec.data}.length()); + + //fprintf(stderr, "Copied to buffer offset %u length %u\n", foffset, ${rec.data}.length()); + + // store last fragment information if this is the last fragment... + + // check if we saw all fragments so far. If yes, forward... + if ( foffset + flength == length ) + i->message_last_sequence = sequence_number; + + if ( i->message_last_sequence != 0 && i->first_sequence_seen ) + { + uint64 total_length = i->message_last_sequence - i->message_first_sequence; + if ( total_length > 32 ) + { + bro_analyzer()->ProtocolViolation(fmt("DTLS Message fragmented over more than 32 pieces. Cannot reassemble.")); + return true; + } + + if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 ) + { + //fprintf(stderr, "ALl fragments here. Total length %u\n", length); + bro_analyzer()->SendHandshake(${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig}); + } + } + + + return true; + %} +}; + +refine typeattr SSLRecord += &let { + proc: bool = $context.connection.proc_dtls(this, to_int()(sequence_number)); +}; + +refine typeattr Handshake += &let { + proc: bool = $context.connection.proc_handshake(rec, this); +}; diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac index 94cddf9cbc..6faa191d18 100644 --- a/src/analyzer/protocol/ssl/dtls-protocol.pac +++ b/src/analyzer/protocol/ssl/dtls-protocol.pac @@ -10,14 +10,27 @@ type DTLSPDU(is_orig: bool) = record { type SSLRecord(is_orig: bool) = record { content_type: uint8; version: uint16; +# the epoch signalizes that a changecipherspec message has been received. Hence, everything with +# an epoch > 0 should be encrypted epoch: uint16; sequence_number: uint48; length: uint16; - rec: PlaintextRecord(this)[] &length=length; -# data: bytestring &restofdata &transient; -} &byteorder = bigendian, - &let { - parse : bool = $context.connection.proc_dtls(this, to_int()(sequence_number)); + cont: case valid of { + true -> rec: RecordText(this)[] &length=length; + false -> swallow: bytestring &restofdata; + }; +} &byteorder = bigendian, &let { +# Do not parse body if packet version invalid + valid: bool = $context.connection.dtls_version_ok(version); +}; + +type RecordText(rec: SSLRecord) = case rec.epoch of { + 0 -> plaintext : PlaintextRecord(rec); + default -> ciphertext : CiphertextRecord(rec); +}; + +refine casetype PlaintextRecord += { + HANDSHAKE -> handshake : Handshake(rec); }; type Handshake(rec: SSLRecord) = record { @@ -26,15 +39,22 @@ type Handshake(rec: SSLRecord) = record { message_seq: uint16; fragment_offset: uint24; fragment_length: uint24; + data: bytestring &restofdata; } refine connection SSL_Conn += { - function proc_dtls(pdu: SSLRecord, sequence: uint64): bool - %{ - fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch}); + function dtls_version_ok(version: uint16): uint16 + %{ + switch ( version ) { + case DTLSv10: + case DTLSv12: + return true; - return true; - %} + default: + bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + return false; + } + %} }; diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index 50424f0d8c..b08dd61f8f 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -5,14 +5,21 @@ %extern{ #include "events.bif.h" + +namespace analyzer { namespace dtls { class DTLS_Analyzer; } } +typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer; + +#include "DTLS.h" %} +extern type DTLSAnalyzer; + analyzer DTLS withcontext { connection: SSL_Conn; flow: DTLS_Flow; }; -connection SSL_Conn(bro_analyzer: BroAnalyzer) { +connection SSL_Conn(bro_analyzer: DTLSAnalyzer) { upflow = DTLS_Flow(true); downflow = DTLS_Flow(false); }; @@ -21,7 +28,6 @@ connection SSL_Conn(bro_analyzer: BroAnalyzer) { %include dtls-protocol.pac flow DTLS_Flow(is_orig: bool) { -# flowunit = SSLRecord(is_orig) withcontext(connection, this); datagram = DTLSPDU(is_orig) withcontext(connection, this); } diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index c29bbcbabe..aefc69a81c 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -71,6 +71,8 @@ function version_ok(vers : uint16) : bool case TLSv10: case TLSv11: case TLSv12: + case DTLSv10: + case DTLSv12: return true; default: @@ -86,6 +88,9 @@ using std::string; #include "events.bif.h" %} +# a maximum of 100k for one record seems safe +let MAX_DTLS_HANDSHAKE_RECORD: uint32 = 100000; + enum ContentType { CHANGE_CIPHER_SPEC = 20, ALERT = 21, @@ -106,7 +111,11 @@ enum SSLVersions { SSLv30 = 0x0300, TLSv10 = 0x0301, TLSv11 = 0x0302, - TLSv12 = 0x0303 + TLSv12 = 0x0303, + + DTLSv10 = 0xFEFF, +# DTLSv11 does not exist. + DTLSv12 = 0xFEFD }; enum SSLExtensions { diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index a90bd03868..7f9799e0bc 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -42,10 +42,8 @@ refine casetype PlaintextRecord += { V2_SERVER_HELLO -> v2_server_hello : V2ServerHello(rec); }; +# Handshakes are parsed by the handshake analyzer. type Handshake(rec: SSLRecord) = record { -# msg_type: uint8; -# length: uint24; -# data: bytestring &length=to_int()(length); data: bytestring &restofdata; }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 296df5fb9d..b24352d099 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -6,6 +6,7 @@ enum HandshakeType { HELLO_REQUEST = 0, CLIENT_HELLO = 1, SERVER_HELLO = 2, + HELLO_VERIFY_REQUEST = 3, # DTLS SESSION_TICKET = 4, # RFC 5077 CERTIFICATE = 11, SERVER_KEY_EXCHANGE = 12, @@ -30,20 +31,21 @@ type HandshakeRecord(is_orig: bool) = record { } &length=(to_int()(msg_length) + 4); type Handshake(rec: HandshakeRecord) = case rec.msg_type of { - HELLO_REQUEST -> hello_request : HelloRequest(rec); - CLIENT_HELLO -> client_hello : ClientHello(rec); - SERVER_HELLO -> server_hello : ServerHello(rec); - SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec); - CERTIFICATE -> certificate : Certificate(rec); - SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec); - CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec); - SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec); - CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec); - CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec); - FINISHED -> finished : Finished(rec); - CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; - CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec); - default -> unknown_handshake : UnknownHandshake(rec, rec.is_orig); + HELLO_REQUEST -> hello_request : HelloRequest(rec); + CLIENT_HELLO -> client_hello : ClientHello(rec); + SERVER_HELLO -> server_hello : ServerHello(rec); + HELLO_VERIFY_REQUEST -> hello_verify_request : HelloVerifyRequest(rec); + SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec); + CERTIFICATE -> certificate : Certificate(rec); + SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec); + CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec); + SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec); + CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec); + CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec); + FINISHED -> finished : Finished(rec); + CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; + CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec); + default -> unknown_handshake : UnknownHandshake(rec, rec.is_orig); } type HandshakePDU(is_orig: bool) = record { @@ -72,6 +74,10 @@ type ClientHello(rec: HandshakeRecord) = record { random_bytes : bytestring &length = 28; session_len : uint8; session_id : uint8[session_len]; + dtls_cookie: case client_version of { + DTLSv10 -> cookie: ClientHelloCookie(rec); + default -> nothing: bytestring &length=0; + }; csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); csuits : uint16[csuit_len/2]; cmeth_len : uint8 &check(cmeth_len > 0); @@ -82,6 +88,11 @@ type ClientHello(rec: HandshakeRecord) = record { extensions : SSLExtension(rec)[] &until($input.length() == 0); }; +type ClientHelloCookie(rec: HandshakeRecord) = record { + cookie_len : uint8; + cookie : bytestring &length = cookie_len; +}; + ###################################################################### # V3 Server Hello (7.4.1.3.) ###################################################################### @@ -103,6 +114,16 @@ type ServerHello(rec: HandshakeRecord) = record { $context.connection.set_cipher(cipher_suite[0]); }; +###################################################################### +# DTLS Hello Verify Request +###################################################################### + +type HelloVerifyRequest(rec: HandshakeRecord) = record { + version: uint16; + cookie_length: uint8; + cookie: bytestring &length=cookie_length; +}; + ###################################################################### # V3 Server Certificate (7.4.2.) ###################################################################### diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log new file mode 100644 index 0000000000..cd9d04e020 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-12-22-40-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1425932016.520157 CXWv6p3arKYeMETxOg 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro CN=bro - - +#close 2015-03-12-22-40-14 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log new file mode 100644 index 0000000000..290c5bfb49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2015-03-12-22-40-14 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1425932016.611299 FZi2Ct2AcCswhiIjKe 3 E8E48E456C32945F CN=bro CN=bro 1425931873.000000 1457467873.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - +#close 2015-03-12-22-40-14 diff --git a/testing/btest/scripts/base/protocols/ssl/dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls.test new file mode 100644 index 0000000000..46b74d2b78 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/dtls.test @@ -0,0 +1,5 @@ +# This tests a normal SSL connection and the log it outputs. + +# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log