diff --git a/CHANGES b/CHANGES
index 3f7d9e3446..33259b312b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,17 @@
+5.0.0-dev.77 | 2022-02-03 11:20:16 +0000
+
+ * Match DPD TLS signature on one-sided connections. (Johanna Amann, Corelight)
+
+ This commit changes DPD matching for TLS connections. A one-sided match
+ is enough to enable DPD now.
+
+ This commit also removes DPD for SSLv2 connections. SSLv2 connections do
+ basically no longer happen in the wild. SSLv2 is also really finnicky to
+ identify correctly - there is very little data required to match it, and
+ basically all matches today will be false positives. If DPD for SSLv2 is
+ still desired, the optional signature in policy/protocols/ssl/dpd-v2.sig
+ can be loaded.
+
 5.0.0-dev.74 | 2022-02-02 09:46:00 +0100
 
 * GH-1890: Consistently warn about mixing vector and scalar operand
diff --git a/NEWS b/NEWS
index 9c5eec6d6f..0acb7f13d0 100644
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,15 @@ Breaking Changes
 changes to return types from a number of methods. With this change, any
 uses of the `zeek::*::Tag` types will need to be replaced by `zeek::Tag`.
 
+- The DPD signature for SSL version 2 is no longer enabled by default. SSLv2
+ is basically extinct nowadays - and the protocol has a relatively high probability
+ of matching with random traffic and being misidentified. If you want to enable
+ the SSLv2 dpd signature, you can load the signature from `policy/protocols/ssl/dpd-v2.sig`
+
+ The DPD signature for SSL version 3 and up (including TLS 1.0 and above) now matches
+ for one-sided connections and does not require a reverst match anymore. This prevents
+ missed handshakes, where the client handshake contains a lot of data.
+
 New Functionality
 -----------------
 
diff --git a/VERSION b/VERSION
index 69c7f49ec8..30abd6302c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.0.0-dev.74
+5.0.0-dev.77
diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index 1b8cad2f76..2603441d9a 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,17 +1,17 @@
-signature dpd_ssl_server {
+signature dpd_tls_server {
 ip-proto == tcp
- # Server hello.
- payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
- requires-reverse-signature dpd_ssl_client
- enable "ssl"
+ # SSL3 / TLS Server hello.
+ payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
 tcp-state responder
+ enable "ssl"
 }
 
-signature dpd_ssl_client {
+signature dpd_tls_client {
 ip-proto == tcp
- # Client hello.
- payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
+ # SSL3 / TLS Client hello.
+ payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
 tcp-state originator
+ enable "ssl"
 }
 
 signature dpd_dtls_client {
diff --git a/scripts/policy/protocols/ssl/dpd-v2.sig b/scripts/policy/protocols/ssl/dpd-v2.sig
new file mode 100644
index 0000000000..66f44441c6
--- /dev/null
+++ b/scripts/policy/protocols/ssl/dpd-v2.sig
@@ -0,0 +1,17 @@
+# This signature can be used to enable DPD for SSL version 2.
+# Note that SSLv2 is basically unused by now. Due to the structure of the protocol, it also is sometimes
+# hard to disambiguate it from random noise - so you will probably always get a few false positives.
+
+signature dpd_ssl_server {
+ ip-proto == tcp
+ payload /^...?\x04..\x00\x02.*/
+ requires-reverse-signature dpd_ssl_client
+ tcp-state responder
+ enable "ssl"
+}
+
+signature dpd_ssl_client {
+ ip-proto == tcp
+ payload /^...?\x01[\x00\x03][\x00\x01\x02\x03\x04].*/
+ tcp-state originator
+}
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index f7f76a6e1a..4a23aeb0d2 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
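Review bot: Both `dpd_tls_server` and `dpd_tls_client` now carry their own `enable "ssl"` and neither has a `requires-reverse-signature` any more, but the file itself never says why, and the only visible rationale is the NEWS entry in this same commit. Record it next to the signatures so nobody later reinstates the reverse requirement, e.g. `# Deliberately one-sided: requiring a reverse match missed handshakes when the` / `# client hello carried a lot of data (see NEWS, 5.0.0-dev.77).` With each direction attaching the analyzer on its own, the short fixed-byte prefix in one direction is now the entire evidence for a match; the same comment should say so explicitly, since that trade-off (fewer missed handshakes, more candidate matches for the analyzer to confirm or reject) is what a reader tuning DPD will want to know.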
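Review bot: In the new file `dpd_ssl_client` has no `enable "ssl"` line, so on its own it never attaches the analyzer; it exists only to satisfy `requires-reverse-signature dpd_ssl_client` in `dpd_ssl_server`. That mirrors the base file before this change but is not obvious from the block, so add `# Reverse-match helper for dpd_ssl_server; does not enable the analyzer by itself.` above it. The file also reuses the ids `dpd_ssl_server`/`dpd_ssl_client` that base/protocols/ssl/dpd.sig just renamed away from, which is what lets dpd.test load both files together; a line in the header comment noting that these ids must stay distinct from the ones in the base dpd.sig would make that constraint explicit for anyone who later copies or renames signatures.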
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -8,6 +8,7 @@
 @load base/frameworks/dpd
 @load base/frameworks/signatures
 @load-sigs base/protocols/ssl/dpd.sig
+@load-sigs policy/protocols/ssl/dpd-v2.sig
 
 event zeek_init()
 {
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 78c1099b34..3dc8e54252 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-7c40cc2c3709fc54e5c75c119d1d01ed8a3ceb93
+c8717246dc49a7dc4f536687b49dc5e0492cf9a0