From 95f15654986918d43eb77c4eb36d61c2bf048ea3 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 1 Feb 2022 16:48:57 +0000
Subject: [PATCH] Match DPD TLS signature on one-sided connections.

This commit changes DPD matching for TLS connections. A one-sided match is enough to enable DPD now.

This commit also removes DPD for SSLv2 connections. SSLv2 connections do basically no longer happen in the wild. SSLv2 is also really finnicky to identify correctly - there is very little data required to match it, and basically all matches today will be false positives. If DPD for SSLv2 is still desired, the optional signature in policy/protocols/ssl/dpd-v2.sig can be loaded.

Fixes GH-1952
---
 scripts/base/protocols/ssl/dpd.sig | 16 ++++++++--------
 scripts/policy/protocols/ssl/dpd-v2.sig | 17 +++++++++++++++++
 .../btest/scripts/base/protocols/ssl/dpd.test | 1 +
 .../external/commit-hash.zeek-testing-private | 2 +-
 4 files changed, 27 insertions(+), 9 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/dpd-v2.sig

diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index 1b8cad2f76..2603441d9a 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,17 +1,17 @@
-signature dpd_ssl_server {
+signature dpd_tls_server {
 ip-proto == tcp
- # Server hello.
- payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
- requires-reverse-signature dpd_ssl_client
- enable "ssl"
+ # SSL3 / TLS Server hello.
+ payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
 tcp-state responder
+ enable "ssl"
 }
 
-signature dpd_ssl_client {
+signature dpd_tls_client {
 ip-proto == tcp
- # Client hello.
- payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
+ # SSL3 / TLS Client hello.
+ payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
 tcp-state originator
+ enable "ssl"
 }
 
 signature dpd_dtls_client {
diff --git a/scripts/policy/protocols/ssl/dpd-v2.sig b/scripts/policy/protocols/ssl/dpd-v2.sig
new file mode 100644
index 0000000000..66f44441c6
--- /dev/null
+++ b/scripts/policy/protocols/ssl/dpd-v2.sig
@@ -0,0 +1,17 @@
+# This signature can be used to enable DPD for SSL version 2.
+# Note that SSLv2 is basically unused by now. Due to the structure of the protocol, it also is sometimes
+# hard to disambiguate it from random noise - so you will probably always get a few false positives.
+
+signature dpd_ssl_server {
+ ip-proto == tcp
+ payload /^...?\x04..\x00\x02.*/
+ requires-reverse-signature dpd_ssl_client
+ tcp-state responder
+ enable "ssl"
+}
+
+signature dpd_ssl_client {
+ ip-proto == tcp
+ payload /^...?\x01[\x00\x03][\x00\x01\x02\x03\x04].*/
+ tcp-state originator
+}
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index f7f76a6e1a..4a23aeb0d2 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
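Review bot: The new `# SSL3 / TLS Server hello.` and `# SSL3 / TLS Client hello.` comments do not record why `requires-reverse-signature dpd_ssl_client` was dropped and `enable "ssl"` now appears on both the originator and responder signatures, so a later reader will likely read the one-sided enable as an accidental loosening rather than the fix for GH-1952. I would add a header comment above `dpd_tls_server` along the lines of `# Each side matches and enables the analyzer on its own, so one-sided (asymmetric) captures still trigger DPD; see GH-1952.` and, on the server signature, `# An optional leading alert record (\x15\x03...) before the handshake record is tolerated.`, which is what the `(\x15\x03[\x00\x01\x02\x03]....)?` prefix does. The rename from `dpd_ssl_*` to `dpd_tls_*` also means that anything outside this file still referring to `dpd_ssl_client` or `dpd_ssl_server` would, once dpd-v2.sig is loaded, bind to the SSLv2 signatures instead; I cannot see other users from this hunk, so worth a quick grep.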
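Review bot: In dpd-v2.sig the `dpd_ssl_client` signature has no `enable "ssl"`, so with this file the analyzer is enabled only when the responder matches `dpd_ssl_server` and `requires-reverse-signature dpd_ssl_client` is satisfied, i.e. a two-sided match; that is the opposite policy from the base dpd.sig changed in this same commit and the header comment should say so, since it is the reason the file is tolerable despite the weak `^...?\x04..\x00\x02` and `^...?\x01[\x00\x03][\x00\x01\x02\x03\x04]` patterns. The header also says "This signature" while the file defines two, and does not tell the reader how to opt in. I would extend the header with `# Load with: @load-sigs policy/protocols/ssl/dpd-v2.sig` and `# Only a two-sided match (client hello from the originator and server hello from the responder) enables the analyzer; the client signature alone never does.`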
@@ -8,6 +8,7 @@
 @load base/frameworks/dpd
 @load base/frameworks/signatures
 @load-sigs base/protocols/ssl/dpd.sig
+@load-sigs policy/protocols/ssl/dpd-v2.sig
 
 event zeek_init()
 {
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 78c1099b34..5b4873bfd1 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-7c40cc2c3709fc54e5c75c119d1d01ed8a3ceb93
+76b3112a06ff6c1b25c2aedcfe1828bf0b82d7bf
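Review bot: Adding `@load-sigs policy/protocols/ssl/dpd-v2.sig` unconditionally means this base test no longer exercises the default configuration, in which only base/protocols/ssl/dpd.sig is loaded and SSLv2 traffic is, per the commit message, not supposed to enable the analyzer any more. If the test's input includes an SSLv2 trace, a second run (or a sibling test) without the policy signature would pin that new default; the @TEST-EXEC lines are outside this hunk, so I cannot tell whether such a run already exists. At minimum the added line deserves a comment such as `# Optional SSLv2 signatures (not loaded by default); pulled in here so the SSLv2 case is still covered.` so a reader of a base/ test understands why a policy/ signature file is loaded.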