Merge remote-tracking branch 'origin/topic/johanna/gh-1952'

* origin/topic/johanna/gh-1952:
  Match DPD TLS signature on one-sided connections.

Fixes GH-1952

CHANGES

@@ -1,3 +1,17 @@
+5.0.0-dev.77 | 2022-02-03 11:20:16 +0000
+
+  * Match DPD TLS signature on one-sided connections. (Johanna Amann, Corelight)
+
+    This commit changes DPD matching for TLS connections. A one-sided match
+    is enough to enable DPD now.
+
+    This commit also removes DPD for SSLv2 connections. SSLv2 connections do
+    basically no longer happen in the wild. SSLv2 is also really finnicky to
+    identify correctly - there is very little data required to match it, and
+    basically all matches today will be false positives. If DPD for SSLv2 is
+    still desired, the optional signature in policy/protocols/ssl/dpd-v2.sig
+    can be loaded.
+
 5.0.0-dev.74 | 2022-02-02 09:46:00 +0100
 
   * GH-1890: Consistently warn about mixing vector and scalar operand

NEWS

@@ -32,6 +32,15 @@ Breaking Changes
   changes to return types from a number of methods. With this change, any uses
   of the `zeek::*::Tag` types will need to be replaced by `zeek::Tag`.
 
+- The DPD signature for SSL version 2 is no longer enabled by default. SSLv2
+  is basically extinct nowadays - and the protocol has a relatively high probability
+  of matching with random traffic and being misidentified. If you want to enable
+  the SSLv2 dpd signature, you can load the signature from `policy/protocols/ssl/dpd-v2.sig`
+
+  The DPD signature for SSL version 3 and up (including TLS 1.0 and above) now matches
+  for one-sided connections and does not require a reverst match anymore. This prevents
+  missed handshakes, where the client handshake contains a lot of data.
+
 New Functionality
 -----------------
 

VERSION

@@ -1 +1 @@
-5.0.0-dev.74
+5.0.0-dev.77

scripts/base/protocols/ssl/dpd.sig

@@ -1,17 +1,17 @@
-signature dpd_ssl_server {
+signature dpd_tls_server {
   ip-proto == tcp
-  # Server hello.
+  # SSL3 / TLS Server hello.
-  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
+  payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
-  requires-reverse-signature dpd_ssl_client
-  enable "ssl"
   tcp-state responder
+  enable "ssl"
 }
 
-signature dpd_ssl_client {
+signature dpd_tls_client {
   ip-proto == tcp
-  # Client hello.
+  # SSL3 / TLS Client hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
+  payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
   tcp-state originator
+  enable "ssl"
 }
 
 signature dpd_dtls_client {

scripts/policy/protocols/ssl/dpd-v2.sig

@@ -0,0 +1,17 @@
+# This signature can be used to enable DPD for SSL version 2.
+# Note that SSLv2 is basically unused by now. Due to the structure of the protocol, it also is sometimes
+# hard to disambiguate it from random noise - so you will probably always get a few false positives.
+
+signature dpd_ssl_server {
+	ip-proto == tcp
+	payload /^...?\x04..\x00\x02.*/
+	requires-reverse-signature dpd_ssl_client
+	tcp-state responder
+	enable "ssl"
+}
+
+signature dpd_ssl_client {
+	ip-proto == tcp
+	payload /^...?\x01[\x00\x03][\x00\x01\x02\x03\x04].*/
+	tcp-state originator
+}

testing/btest/scripts/base/protocols/ssl/dpd.test

@@ -8,6 +8,7 @@
 @load base/frameworks/dpd
 @load base/frameworks/signatures
 @load-sigs base/protocols/ssl/dpd.sig
+@load-sigs policy/protocols/ssl/dpd-v2.sig
 
 event zeek_init()
   {

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-7c40cc2c3709fc54e5c75c119d1d01ed8a3ceb93
+c8717246dc49a7dc4f536687b49dc5e0492cf9a0