Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Spicy TLS analyzer: basic functionality working

Browse source 
It compiles, it creates some log - but it is not anywhere near on par
with the old SSL analyzer.
This commit is contained in:
Johanna Amann 2023-04-05 15:39:54 +01:00
parent 71cd4b2cf4
commit b510b0d8d1
5 changed files with 223 additions and 203 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/protocols/ssl/dpd.sig
View file

@ -3,7 +3,7 @@ signature dpd_tls_server {
# SSL3 / TLS Server hello. # SSL3 / TLS Server hello.
payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/ payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
tcp-state responder tcp-state responder
enable "ssl" enable "tls"
} }
signature dpd_tls_client { signature dpd_tls_client {
@ -11,12 +11,12 @@ signature dpd_tls_client {
# SSL3 / TLS Client hello. # SSL3 / TLS Client hello.
payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/ payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
tcp-state originator tcp-state originator
enable "ssl" enable "tls"
} }
signature dpd_dtls_client { # signature dpd_dtls_client {
ip-proto == udp # ip-proto == udp
# Client hello. # # Client hello.
payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/ # payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
enable "dtls" # enable "dtls"
} # }

1
src/analyzer/protocol/tls/CMakeLists.txt
View file

@ -4,5 +4,4 @@ spicy_add_analyzer(
SOURCES SOURCES
TLS.spicy TLS.spicy
TLS.evt TLS.evt
zeek_TLS.spicy
) )

130
src/analyzer/protocol/tls/TLS.evt
View file

@ -2,72 +2,74 @@ protocol analyzer TLS over TCP:
parse with TLS::Message, parse with TLS::Message,
port 443/tcp; port 443/tcp;
import Zeek_TLS; import TLS;
import zeek;
import spicy;
on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods); on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
on TLS::ServerHello -> event ssl_server_hello($conn, self.server_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suite, self.compression_method); on TLS::ServerHello -> event ssl_server_hello($conn, self.server_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
# on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, $is_orig, self.elliptic_curve_list); on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, $is_orig, self.elliptic_curve_list);
#
# on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, $is_orig, self.ec_point_format_list); on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, $is_orig, self.ec_point_format_list);
#
# on TLS::ServerNameList -> event ssl_extension_server_name($conn, $is_orig, Zeek_TLS::convert_server_names(self)); on TLS::ServerNameList -> event ssl_extension_server_name($conn, $is_orig, TLS::convert_server_names(self));
#
# on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket); on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
#
# on TLS::RecordFragment::ccs -> event ssl_change_cipher_spec($conn, $is_orig); on TLS::RecordFragment::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
#
# on TLS::RecordFragment::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn); on TLS::RecordFragment::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn);
#
# on TLS::Handshake_message -> event ssl_handshake_message($conn, $is_orig, self.msg_type, self.length); on TLS::Handshake_message -> event ssl_handshake_message($conn, $is_orig, self.msg_type, self.length);
#
# on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, $is_orig, Zeek_TLS::convert_signature_algorithms(self)); on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, $is_orig, TLS::convert_signature_algorithms(self));
#
# on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.keyshare.namedgroup,)); on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.keyshare.namedgroup,));
#
# on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.namedgroup,)); on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.namedgroup,));
#
# on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, Zeek_TLS::convert_clienthellokeyshare(self)); on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, TLS::convert_clienthellokeyshare(self));
#
# on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, $is_orig, Zeek_TLS::convert_identities(self.identities), Zeek_TLS::convert_binders(self.binders)); on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, $is_orig, TLS::convert_identities(self.identities), TLS::convert_binders(self.binders));
#
# on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, $is_orig, self.selected_identity); on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, $is_orig, self.selected_identity);
#
# on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point); on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
#
# on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys); on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
#
# on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys); on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
#
# on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature); on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
#
# # just use nonsense values for no algorithm. Same as in the old analyzer # just use nonsense values for no algorithm. Same as in the old analyzer
# on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature); on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
#
# on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point); on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
#
# on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc); on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
#
# on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms); on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
#
# on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, $is_orig, Zeek_TLS::convert_protocol_name_list(self)); on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, $is_orig, TLS::convert_protocol_name_list(self));
#
# on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, $is_orig, self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature); on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, $is_orig, self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
#
# on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, $is_orig, self.versions); on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, $is_orig, self.versions);
#
# on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, $is_orig, vector<uint16>(self.version,)); on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, $is_orig, vector<uint16>(self.version,));
#
# on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, $is_orig, self.modes); on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, $is_orig, self.modes);
#
# on TLS::Alert_message -> event ssl_alert($conn, $is_orig, self.level, self.description); on TLS::Alert_message -> event ssl_alert($conn, $is_orig, self.level, self.description);
#
# on TLS::Heartbeat -> event ssl_heartbeat($conn, $is_orig, length, self.tpe, self.payload_length, self.data); on TLS::Heartbeat -> event ssl_heartbeat($conn, $is_orig, length, self.tpe, self.payload_length, self.data);
#
# on TLS::RecordFragment::appdata if ( msg.encrypted == False ) -> event ssl_plaintext_data($conn, $is_orig, self.version, self.content_type, self.length); on TLS::RecordFragment::appdata if ( msg.encrypted == False ) -> event ssl_plaintext_data($conn, $is_orig, self.version, self.content_type, self.length);
#
# on TLS::RecordFragment::appdata if ( msg.encrypted == True ) -> event ssl_encrypted_data($conn, $is_orig, self.version, self.content_type, self.length); on TLS::RecordFragment::appdata if ( msg.encrypted == True ) -> event ssl_encrypted_data($conn, $is_orig, self.version, self.content_type, self.length);
#
# on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response); on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
#

196
src/analyzer/protocol/tls/TLS.spicy
View file

@ -14,6 +14,7 @@ type HandshakeType = enum {
hello_request = 0, hello_request = 0,
client_hello = 1, client_hello = 1,
server_hello = 2, server_hello = 2,
hello_verify_request = 3, #DTLS
NewSessionTicket = 4, NewSessionTicket = 4,
certificate = 11, certificate = 11,
server_key_exchange = 12, server_key_exchange = 12,
@ -22,7 +23,8 @@ type HandshakeType = enum {
certificate_verify = 15, certificate_verify = 15,
client_key_exchange = 16, client_key_exchange = 16,
finished = 20, finished = 20,
certificate_status = 22 certificate_url = 21, # RFC 3546
certificate_status = 22 # RFC 3546
}; };
type Extensions = enum { type Extensions = enum {
@ -515,9 +517,22 @@ type TLSCiphers = enum {
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF,
# draft-agl-tls-chacha20poly1305-02 # draft-agl-tls-chacha20poly1305-02
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC13,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC14,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC15,
# RFC 7905
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAA,
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAB,
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC,
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD,
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE,
# draft-ietf-tls-ecdhe-psk-aead-05
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001,
TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002,
TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003,
TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004
}; };
type Share = unit { type Share = unit {
@ -555,6 +570,7 @@ type RecordFragment = unit(handshakesink: sink, alertsink: sink, inout msg: Mess
ContentType::application_data -> appdata : bytes &size=self.length; ContentType::application_data -> appdata : bytes &size=self.length;
ContentType::change_cipher_spec -> ccs : bytes &size=self.length; ContentType::change_cipher_spec -> ccs : bytes &size=self.length;
ContentType::heartbeat -> hn: Heartbeat(self.length); ContentType::heartbeat -> hn: Heartbeat(self.length);
ContentType::alert -> :bytes &size=self.length -> alertsink;
* -> unhandled : bytes &size=self.length; * -> unhandled : bytes &size=self.length;
}; };
@ -612,9 +628,10 @@ type Handshake_message = unit(inout msg: Message) {
HandshakeType::client_hello -> client_hello: ClientHello(self.length, msg); HandshakeType::client_hello -> client_hello: ClientHello(self.length, msg);
HandshakeType::server_hello_done, HandshakeType::server_hello_done,
HandshakeType::hello_request -> : bytes &size=self.length; # Fixme: alert if length != 0 HandshakeType::hello_request -> : bytes &size=self.length; # Fixme: alert if length != 0
HandshakeType::hello_verify_request -> hello_verify_request: HelloVerifyRequest;
HandshakeType::server_hello -> server_hello: ServerHello(self.length, msg); HandshakeType::server_hello -> server_hello: ServerHello(self.length, msg);
HandshakeType::certificate -> certificate: Certificate; HandshakeType::certificate -> certificate: Certificate;
# HandshakeType::certificate_request -> certificate_request: CertificateRequest(version); HandshakeType::certificate_request -> certificate_request: CertificateRequest(msg);
HandshakeType::certificate_verify -> : bytes &size=self.length; # opaque encrypted data HandshakeType::certificate_verify -> : bytes &size=self.length; # opaque encrypted data
HandshakeType::client_key_exchange -> client_key_exchange: ClientKeyExchange(msg, self.length); HandshakeType::client_key_exchange -> client_key_exchange: ClientKeyExchange(msg, self.length);
HandshakeType::server_key_exchange -> server_key_exchange: ServerKeyExchange(msg, self.length); HandshakeType::server_key_exchange -> server_key_exchange: ServerKeyExchange(msg, self.length);
@ -634,6 +651,28 @@ type Handshake_message = unit(inout msg: Message) {
} }
}; };
type CertificateRequest = unit(msg: Message) {
certificate_types_len: uint8;
certificate_types: uint8[self.certificate_types_len];
switch ( uses_signature_and_hashalgorithm(msg) ) {
True -> supported_signature_algorithms: SignatureAlgorithms;
False -> : bytes &size=0;
};
certificate_authorities_len: uint16;
certificate_authorities: CertificateAuthority[] &size=self.certificate_authorities_len;
};
type CertificateAuthority = unit {
certificate_authority_len: uint16;
certificate_authority: bytes &size=self.certificate_authority_len;
};
type HelloVerifyRequest = unit {
version: uint16;
cookie_length: uint8;
cookie: bytes &size=self.cookie_length;
};
type CertificateStatus = unit { type CertificateStatus = unit {
status_type: uint8; status_type: uint8;
length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network); length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network);
@ -940,8 +979,14 @@ type ServerKeyExchange = unit(msg: Message, len: uint64) {
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
-> ecdhe_server_key_exchange : EcdheServerKeyExchange(len, msg); -> ecdhe_server_key_exchange : EcdheServerKeyExchange(len, msg);
# ECDH-anon suites # ECDH-anon suites
@ -1029,7 +1074,9 @@ type ServerKeyExchange = unit(msg: Message, len: uint64) {
TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM, TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM,
TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8, TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8,
TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8, TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8,
TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
-> dhe_server_key_exchange : DheServerKeyExchange(msg); -> dhe_server_key_exchange : DheServerKeyExchange(msg);
# DH-anon suites # DH-anon suites
@ -1203,47 +1250,24 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
-> rsa_client_key_exchange: RsaClientKeyExchange(len); -> rsa_client_key_exchange: RsaClientKeyExchange(len);
#ECHDE #ECHDE
TLSCiphers::TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLSCiphers::TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLSCiphers::TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLSCiphers::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLSCiphers::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLSCiphers::TLS_ECDH_RSA_WITH_NULL_SHA,
TLSCiphers::TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLSCiphers::TLS_ECDHE_RSA_WITH_NULL_SHA, TLSCiphers::TLS_ECDHE_RSA_WITH_NULL_SHA,
TLSCiphers::TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLSCiphers::TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLSCiphers::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLSCiphers::TLS_ECDH_ANON_WITH_NULL_SHA,
TLSCiphers::TLS_ECDH_ANON_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
TLSCiphers::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_PSK_WITH_RC4_128_SHA, TLSCiphers::TLS_ECDHE_PSK_WITH_RC4_128_SHA,
TLSCiphers::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, TLSCiphers::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
@ -1255,46 +1279,36 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
TLSCiphers::TLS_ECDHE_PSK_WITH_NULL_SHA384, TLSCiphers::TLS_ECDHE_PSK_WITH_NULL_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256,
TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
-> ecdh_client_key_exchange : EcdhClientKeyExchange(len); -> ecdh_client_key_exchange : EcdhClientKeyExchange(len);
# DHE suites # DHE suites
@ -1373,7 +1387,9 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM, TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM,
TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8, TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8,
TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8, TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8,
TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLSCiphers::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
# DH-anon suites # DH-anon suites
TLSCiphers::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, TLSCiphers::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
TLSCiphers::TLS_DH_ANON_WITH_RC4_128_MD5, TLSCiphers::TLS_DH_ANON_WITH_RC4_128_MD5,
@ -1432,3 +1448,89 @@ type SingleCertificate = unit {
length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network); length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network);
cert: bytes &size=self.length; # certificates, forward to whatever cert: bytes &size=self.length; # certificates, forward to whatever
}; };
# Conversion and Zeek related functions
import zeek;
public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in snl.server_name_list )
out.push_back(i.host_name);
return out;
}
public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
local out: vector<tuple<uint8, uint8>>;
for ( i in sa.supported_signature_algorithms )
out.push_back(tuple(i.hash, i.signature));
return out;
}
public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
local out: vector<uint16>;
for ( i in ks.keyshares )
out.push_back(i.namedgroup);
return out;
}
public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
local out: vector<bytes>;
for ( i in bi.binders )
out.push_back(i.binder);
return out;
}
public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
local out: vector<tuple<bytes, uint32>>;
for ( i in id.identities )
out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
return out;
}
public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in pns.protocol_name_list )
out.push_back(i.name);
return out;
}
on TLS::ClientHello::%done {
spicy::accept_input();
}
on TLS::ClientHello::%error {
spicy::decline_input("error while parsing TLS client hello");
}
on TLS::ServerHello::%done {
spicy::accept_input();
}
on TLS::ServerHello::%error {
spicy::decline_input("error while parsing TLS server hello");
}
on TLS::Certificate::%done {
local first: bool = True;
for ( i in self.certificate_list )
{
if ( first )
zeek::file_begin("application/x-x509-user-cert");
else
zeek::file_begin("application/x-x509-ca-cert");
zeek::file_data_in(i.cert);
zeek::file_end();
first = False;
}
}

83
src/analyzer/protocol/tls/zeek_TLS.spicy
View file

@ -1,83 +0,0 @@
module Zeek_TLS;
import TLS;
import zeek;
public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in snl.server_name_list )
out.push_back(i.host_name);
return out;
}
public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
local out: vector<tuple<uint8, uint8>>;
for ( i in sa.supported_signature_algorithms )
out.push_back(tuple(i.hash, i.signature));
return out;
}
public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
local out: vector<uint16>;
for ( i in ks.keyshares )
out.push_back(i.namedgroup);
return out;
}
public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
local out: vector<bytes>;
for ( i in bi.binders )
out.push_back(i.binder);
return out;
}
public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
local out: vector<tuple<bytes, uint32>>;
for ( i in id.identities )
out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
return out;
}
public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in pns.protocol_name_list )
out.push_back(i.name);
return out;
}
on TLS::ClientHello::%done {
zeek::confirm_protocol();
}
# on TLS::ClientHello::%error {
# zeek::reject_protocol("error while parsing TLS client hello");
# }
#
# on TLS::ServerHello::%done {
# zeek::confirm_protocol();
# }
#
# on TLS::ServerHello::%error {
# zeek::reject_protocol("error while parsing TLS server hello");
# }
#
# on TLS::Certificate::%done {
# local first: bool = True;
# for ( i in self.certificate_list )
# {
# if ( first )
# zeek::file_begin("application/x-x509-user-cert");
# else
# zeek::file_begin("application/x-x509-ca-cert");
# zeek::file_data_in(i.cert);
# zeek::file_end();
# first = False;
# }
# }