mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Final touches to SSL events with record layer version.
This commit is contained in:
Johanna Amann
parent
aa2488fb69
commit
b2a0418dc5
24 changed files with 88 additions and 65 deletions
|
|
@ -200,7 +200,7 @@ function finish(c: connection, remove_analyzer: bool)
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
|
|
@ -212,7 +212,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
|
|
@ -351,7 +351,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count) &priority=5
|
||||
event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
|
|
|
|||
|
|
@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
|
||||
{
|
||||
if ( !c?$ssl )
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ event ssl_established(c: connection) &priority=3
|
|||
}
|
||||
|
||||
# Check for old SSL versions and weak connection keys
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=3
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=3
|
||||
{
|
||||
if ( ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -51,8 +51,9 @@ void DTLS_Analyzer::EndOfData(bool is_orig)
|
|||
}
|
||||
|
||||
|
||||
void DTLS_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
|
||||
void DTLS_Analyzer::SendHandshake(uint16 raw_tls_version, uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
|
||||
{
|
||||
handshake_interp->set_record_version(raw_tls_version);
|
||||
try
|
||||
{
|
||||
handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ public:
|
|||
uint64 seq, const IP_Hdr* ip, int caplen) override;
|
||||
void EndOfData(bool is_orig) override;
|
||||
|
||||
void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
|
||||
void SendHandshake(uint16 raw_tls_version, uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
|
||||
|
||||
|
||||
static analyzer::Analyzer* Instantiate(Connection* conn)
|
||||
|
|
|
|||
|
|
@ -71,8 +71,9 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
|||
}
|
||||
}
|
||||
|
||||
void SSL_Analyzer::SendHandshake(const u_char* begin, const u_char* end, bool orig)
|
||||
void SSL_Analyzer::SendHandshake(uint16 raw_tls_version, const u_char* begin, const u_char* end, bool orig)
|
||||
{
|
||||
handshake_interp->set_record_version(raw_tls_version);
|
||||
try
|
||||
{
|
||||
handshake_interp->NewData(orig, begin, end);
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ public:
|
|||
void DeliverStream(int len, const u_char* data, bool orig) override;
|
||||
void Undelivered(uint64 seq, int len, bool orig) override;
|
||||
|
||||
void SendHandshake(const u_char* begin, const u_char* end, bool orig);
|
||||
void SendHandshake(uint16 raw_tls_version, const u_char* begin, const u_char* end, bool orig);
|
||||
|
||||
// Tell the analyzer that encryption has started.
|
||||
void StartEncryption();
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ refine connection SSL_Conn += {
|
|||
if ( foffset == 0 && length == flength )
|
||||
{
|
||||
//fprintf(stderr, "Complete fragment, forwarding...\n");
|
||||
bro_analyzer()->SendHandshake(${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
|
||||
bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -131,7 +131,7 @@ refine connection SSL_Conn += {
|
|||
if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 )
|
||||
{
|
||||
//fprintf(stderr, "ALl fragments here. Total length %u\n", length);
|
||||
bro_analyzer()->SendHandshake(${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
|
||||
bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,11 @@
|
|||
## values are standardized as part of the SSL/TLS protocol. The
|
||||
## :bro:id:`SSL::version_strings` table maps them to descriptive names.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## Set to 0 for SSLv2.
|
||||
##
|
||||
##
|
||||
##
|
||||
## possible_ts: The current time as sent by the client. Note that SSL/TLS does
|
||||
## not require clocks to be set correctly, so treat with care.
|
||||
##
|
||||
|
|
@ -32,7 +37,7 @@
|
|||
## ssl_change_cipher_spec
|
||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||
## ssl_rsa_client_pms
|
||||
event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
|
||||
event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
|
||||
|
||||
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
|
||||
## start with an unencrypted handshake, and Bro extracts as much information out
|
||||
|
|
@ -48,6 +53,9 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
|
|||
## The values are standardized as part of the SSL/TLS protocol. The
|
||||
## :bro:id:`SSL::version_strings` table maps them to descriptive names.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## Set to 0 for SSLv2.
|
||||
##
|
||||
## possible_ts: The current time as sent by the server. Note that SSL/TLS does
|
||||
## not require clocks to be set correctly, so treat with care. This value
|
||||
## is not sent in TLSv1.3.
|
||||
|
|
@ -71,7 +79,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
|
|||
## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
|
||||
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
|
||||
## ssl_rsa_client_pms
|
||||
event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
|
||||
event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
|
||||
|
||||
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
|
||||
## sessions start with an unencrypted handshake, and Bro extracts as much
|
||||
|
|
@ -490,17 +498,17 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
|
|||
##
|
||||
## is_orig: True if event is raised for originator side of the connection.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## Set to 0 for SSLv2.
|
||||
##
|
||||
## content_type: message type as reported by TLS session layer. Not populated for
|
||||
## SSLv2.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## This will not be set for SSLv2.
|
||||
##
|
||||
## length: length of the entire message.
|
||||
##
|
||||
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
|
||||
## ssl_alert ssl_heartbeat
|
||||
event ssl_plaintext_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
|
||||
event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
|
||||
|
||||
## Generated for SSL/TLS messages that are sent after session encryption
|
||||
## started.
|
||||
|
|
@ -512,17 +520,17 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, content_type: count, rec
|
|||
##
|
||||
## is_orig: True if event is raised for originator side of the connection.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## Set to 0 for SSLv2.
|
||||
##
|
||||
## content_type: message type as reported by TLS session layer. Not populated for
|
||||
## SSLv2.
|
||||
##
|
||||
## record_version: TLS version given in the record layer of the message.
|
||||
## This will not be set for SSLv2.
|
||||
##
|
||||
## length: length of the entire message.
|
||||
##
|
||||
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
|
||||
## ssl_alert ssl_heartbeat
|
||||
event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
|
||||
event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
|
||||
|
||||
## This event contains the OCSP response contained in a Certificate Status Request
|
||||
## message, when the client requested OCSP stapling and the server supports it.
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@
|
|||
}
|
||||
|
||||
BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
version, ts, new StringVal(client_random.length(),
|
||||
version, record_version(), ts, new StringVal(client_random.length(),
|
||||
(const char*) client_random.data()),
|
||||
to_string_val(session_id),
|
||||
cipher_vec, comp_vec);
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
|
||||
BifEvent::generate_ssl_server_hello(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
version, ts, new StringVal(server_random.length(),
|
||||
version, record_version(), ts, new StringVal(server_random.length(),
|
||||
(const char*) server_random.data()),
|
||||
to_string_val(session_id),
|
||||
ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ refine connection SSL_Conn += {
|
|||
|
||||
function proc_handshake(rec: SSLRecord, data: bytestring, is_orig: bool) : bool
|
||||
%{
|
||||
bro_analyzer()->SendHandshake(data.begin(), data.end(), is_orig);
|
||||
bro_analyzer()->SendHandshake(${rec.raw_tls_version}, data.begin(), data.end(), is_orig);
|
||||
return true;
|
||||
%}
|
||||
};
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ refine connection SSL_Conn += {
|
|||
|
||||
if ( ssl_encrypted_data )
|
||||
BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
|
||||
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
|
||||
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
|
@ -65,7 +65,7 @@ refine connection SSL_Conn += {
|
|||
%{
|
||||
if ( ssl_plaintext_data )
|
||||
BifEvent::generate_ssl_plaintext_data(bro_analyzer(),
|
||||
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
|
||||
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ type SSLRecord(is_orig: bool) = record {
|
|||
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
|
||||
|
||||
# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
|
||||
raw_tls_version: int = case version of {
|
||||
raw_tls_version: uint16 = case version of {
|
||||
SSLv20 -> 0;
|
||||
default -> (head1<<8) | head2;
|
||||
} &requires(version);
|
||||
|
|
@ -214,4 +214,6 @@ refine connection SSL_Conn += {
|
|||
return UNKNOWN_VERSION;
|
||||
%}
|
||||
|
||||
function record_version() : uint16 %{ return 0; %}
|
||||
|
||||
};
|
||||
|
|
|
|||
|
|
@ -889,11 +889,13 @@ refine connection Handshake_Conn += {
|
|||
%member{
|
||||
uint32 chosen_cipher_;
|
||||
uint16 chosen_version_;
|
||||
uint16 record_version_;
|
||||
%}
|
||||
|
||||
%init{
|
||||
chosen_cipher_ = NO_CHOSEN_CIPHER;
|
||||
chosen_version_ = UNKNOWN_VERSION;
|
||||
record_version_ = 0;
|
||||
%}
|
||||
|
||||
function chosen_cipher() : int %{ return chosen_cipher_; %}
|
||||
|
|
@ -911,6 +913,13 @@ refine connection Handshake_Conn += {
|
|||
chosen_version_ = version;
|
||||
return true;
|
||||
%}
|
||||
|
||||
function record_version() : uint16 %{ return record_version_; %}
|
||||
|
||||
function set_record_version(version: uint16) : bool
|
||||
%{
|
||||
record_version_ = version;
|
||||
return true;
|
||||
%}
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -3,12 +3,12 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
{
|
||||
print comp_methods;
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
|
||||
{
|
||||
print comp_method;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ event bro_init()
|
|||
print "Start test run";
|
||||
}
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
||||
{
|
||||
print "Client hello", c$id$orig_h, c$id$resp_h, version;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# @TEST-EXEC: touch dpd.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
{
|
||||
print version, client_random, session_id, ciphers;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -22,12 +22,12 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
|
|||
print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
|
||||
}
|
||||
|
||||
event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
||||
event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
|
||||
{
|
||||
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
|
||||
}
|
||||
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
|
||||
{
|
||||
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ event ssl_established(c: connection) &priority=5
|
|||
c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;
|
||||
}
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
c$ssl$client_random = bytestring_to_hexstr(client_random);
|
||||
|
|
@ -79,7 +79,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
|
|||
c$ssl$client_cipher_suites = ciphers_str;
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
c$ssl$server_random = bytestring_to_hexstr(server_random);
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
{
|
||||
print fmt("Got %d cipher suites", |ciphers|);
|
||||
for ( i in ciphers )
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
{
|
||||
print client_random;
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
|
||||
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
|
||||
{
|
||||
print server_random;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ event ssl_established(c: connection)
|
|||
print "established", c$id;
|
||||
}
|
||||
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
|
||||
{
|
||||
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue