diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 783961bef2..e94451d6eb 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index 6faa191d18..771aa267b3 100644
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
 	cont: case valid of {
 		true -> rec: RecordText(this)[] &length=length;
 		false -> swallow: bytestring &restofdata;
-	};
+	} &requires(valid,raw_tls_version);
 } &byteorder = bigendian, &let {
 	# Do not parse body if packet version invalid
 	valid: bool = $context.connection.dtls_version_ok(version);
+	raw_tls_version: uint16 = version;
 };
 
 type RecordText(rec: SSLRecord) = case rec.epoch of {
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index a3b77e622d..8810896f49 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
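Review bot: `raw_tls_version: uint16 = version;` in the DTLS SSLRecord is undocumented, while its TLS counterpart in ssl-protocol.pac gets a comment, and it is assigned regardless of `valid`, so a record that fails `dtls_version_ok` still carries an attacker-chosen 16-bit value in that field — harmless as far as this hunk shows, since the `false` arm swallows the body and never builds a RecordText, but worth stating. The reason for `&requires(valid,raw_tls_version)` on a case that does not itself read `raw_tls_version` is not stated either; presumably it forces the field to be computed before the RecordText handlers read `rec.raw_tls_version`. Suggest `# Record-layer version exactly as seen on the wire (DTLS encoding, not the TLS one); handed to ssl_encrypted_data. The &requires on cont only orders its evaluation before the RecordText handlers run.` Script-side consumers should expect DTLS-encoded values here, which is not said in the event documentation. The enclosing SSLRecord type starts before the hunk.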
@@ -336,13 +336,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## content_type: message type as reported by TLS session layer. Not populated for
+## SSLv2
+##
+## record_version: TLS version given in the record layer of the message.
+## this will not be set for SSLv2.
 ##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ## ssl_alert ssl_heartbeat
-event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
 
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
index fdf884e054..97cea65cae 100644
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@@ -54,8 +54,9 @@ refine connection SSL_Conn += {
 			bro_analyzer()->Conn());
 		}
 
-		BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
+		if ( ssl_encrypted_data )
+			BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 7f9799e0bc..a2ba11fd26 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
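Review bot: The new doc text for `content_type` and `record_version` does not match what the analyzer actually passes: ssl-protocol.pac in this same change sets `content_type` to `head2+300` and `raw_tls_version` to `0` for SSLv2, so neither is "not populated" or "not set" — both arrive with a sentinel value that a handler will see. Suggest `## record_version: Version field of the (D)TLS record layer carrying this message, as sent on the wire; 0 for SSLv2, which has no such field.` and, for `content_type`, stating that SSLv2 reports its own message type offset by 300 rather than a TLS content type. It is also worth warning that this is the raw record-layer value and not the negotiated protocol version — the updated tls13 baseline in this commit shows `TLSv10` for TLS 1.3 connections — so it should not be used for version-based policy or detection; the negotiated version recorded in ssl.log remains the right source for that. The trailing "this" should be capitalised to match the surrounding doc style.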
@@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
 	head2 : uint8;
 	head3 : uint8;
 	head4 : uint8;
-	rec : RecordText(this)[] &length=length, &requires(content_type);
+	rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
 } &length = length+5, &byteorder=bigendian, &let {
 	version : int = $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
 
+	# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
+	raw_tls_version: int = case version of {
+		SSLv20 -> 0;
+		default -> (head1<<8) | head2;
+	} &requires(version);
+
 	content_type : int = case version of {
 		SSLv20 -> head2+300;
 		default -> head0;
-	};
+	} &requires(version);
 
 	length : int = case version of {
 		# fail analyzer if the packet cannot be recognized as TLS.
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
index c7e3a43cbe..ca3f96ef96 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
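Review bot: The comment on `raw_tls_version` says "Do not use this if you are parsing SSLv2", yet the case directly below deliberately defines it as 0 there, and that sentinel is exactly what ssl_encrypted_data receives in script land, so the comment should state the contract rather than warn readers away from it. Suggest `# Record-layer version exactly as on the wire (head1<<8 | head2); 0 for SSLv2, which has no record-layer version field. This is not the negotiated version: TLS 1.3 records carry a legacy value here.` The `default` arm also reads head1/head2 for any `version` other than SSLv20, including whatever `determine_ssl_record_layer` returns for unrecognised input; going by the visible `# fail analyzer if the packet cannot be recognized as TLS.` comment such records never reach the event, but since this value is now exported to scripts that dependency deserves a word. SSLRecord's `length` case continues past the end of the hunk.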
@@ -5,41 +5,41 @@ Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66 CCS, 192.168.1.105, 74.125.224.79, T -Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72 -Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48 -Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170 CCS, 192.168.1.105, 74.125.224.79, F Established, 192.168.1.105, 74.125.224.79 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 -Encrypted data, 
192.168.1.105, 74.125.224.79, F, 23, 1312 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245 -Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32 -Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 -Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32 -Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 248 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 161 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 33 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 148 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 46 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 135 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 59 +Encrypted data, 192.168.1.105, 74.125.224.79, F, 
TLSv10, 23, 28 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 245 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 92 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 75 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28 +Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32 +Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout index 452071b452..26e2572129 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout @@ -15,6 +15,10 @@ x25519 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F x25519 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp] +encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23 +encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23 +encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23 +encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T x25519 secp256r1 
@@ -32,3 +36,9 @@ secp384r1
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
index 0dd8725b11..969733b218 100644
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@@ -22,7 +22,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 	print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
-	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index 142d9ec699..e19a33edbd 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@@ -9,6 +9,8 @@
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout
 
+redef SSL::disable_analyzer_after_detection=F;
+
 event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
 	{
 	print "key_share", c$id, is_orig;
@@ -23,7 +25,7 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
-	print "encrypted", c$id, is_orig, content_type;
+	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 	}
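Review bot: `redef SSL::disable_analyzer_after_detection=F;` is added to the test without a comment, so a reader will not know why it is required or what breaks without it. The `encrypted` lines in the tls13 baseline appear in this commit only together with this redef, which suggests that with the default setting the analyzer is detached once the handshake is seen and `ssl_encrypted_data` never fires for the application-data records the test now prints; suggest `# Keep the analyzer attached after the handshake so ssl_encrypted_data is raised for the encrypted records below.` A one-line note that the expected `TLSv10` in the baseline is the record-layer legacy version and not the negotiated TLS 1.3 version would also stop the next maintainer from reading the baseline as a detection bug.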