From c05e07cc9099a922eedda3b05a37a1b8cc7c3588 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Fri, 3 Feb 2017 12:27:40 -0800
Subject: [PATCH] Add record layer version to event ssl_encrypted_data.
This exposes the record layer version of the fragment in addition to the content type and the length. The ordering of the arguments in the event is the same as the ordering in the protocol message (first type, then version, then length). This also includes a slight change to the analyzer, no longer calling the generate function if the event is not used.
---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/dtls-protocol.pac | 3 +-
 src/analyzer/protocol/ssl/events.bif | 8 ++-
 .../protocol/ssl/ssl-dtls-analyzer.pac | 5 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac | 10 ++-
 .../.stdout | 70 +++++++++----------
 .../scripts.base.protocols.ssl.tls13/.stdout | 10 +++
 .../base/protocols/ssl/handshake-events.test | 4 +-
 .../scripts/base/protocols/ssl/tls13.test | 6 +-
 9 files changed, 71 insertions(+), 47 deletions(-)
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 783961bef2..e94451d6eb 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 }
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 {
 if ( !c?$ssl ) return;
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index 6faa191d18..771aa267b3 100644
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
 cont: case valid of {
 true -> rec: RecordText(this)[] &length=length;
 false -> swallow: bytestring &restofdata;
- };
+ } &requires(valid,raw_tls_version);
 } &byteorder = bigendian, &let {
 # Do not parse body if packet version invalid
 valid: bool = $context.connection.dtls_version_ok(version);
+ raw_tls_version: uint16 = version;
 };
 type RecordText(rec: SSLRecord) = case rec.epoch of {
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index a3b77e622d..8810896f49 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -336,13 +336,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## content_type: message type as reported by TLS session layer. Not populated for
+## SSLv2
+##
+## record_version: TLS version given in the record layer of the message. ## this will not be set for SSLv2.
 ##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ## ssl_alert ssl_heartbeat
-event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
index fdf884e054..97cea65cae 100644
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
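Review bot: The new `&requires(valid,raw_tls_version)` on `cont` exists only to force the `&let` field to be computed before the record body is parsed, but nothing in the hunk says so; add `# Evaluated before the body so the encrypted-data handler in RecordText can read rec.raw_tls_version` above `raw_tls_version: uint16 = version;`. Note also that `version` is passed through untouched here, so for DTLS the event's `record_version` carries the DTLS wire encoding of the version (e.g. 0xFEFD for DTLS 1.2), which is not a TLS version number; the events.bif documentation should state that, since scripts that index a TLS-only table by it will otherwise misinterpret DTLS records. The `SSLRecord` type begins before this hunk.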
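Review bot: "Not populated for SSLv2" and "this will not be set for SSLv2" are inaccurate: the `ssl-protocol.pac` change in this same commit sets `raw_tls_version` to 0 and `content_type` to the SSLv2 message type plus 300 for SSLv2 records, so both parameters always have a value. Suggest `## record_version: Version as given in the record layer of the message. 0 for SSLv2 records, which carry no record-layer version; for DTLS this is the DTLS wire encoding.` and, for content_type, `(for SSLv2 records this is the message type plus 300)`. "this will not" should also be capitalised, and the pre-existing `## length: length of the entire heartbeat message.` two lines below still describes the heartbeat event rather than this one and is worth fixing while here.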
@@ -54,8 +54,9 @@ refine connection SSL_Conn += {
 bro_analyzer()->Conn());
 }
- BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
- bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
+ if ( ssl_encrypted_data )
+ BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
+ bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
 return true;
 %}
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 7f9799e0bc..a2ba11fd26 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
 head2 : uint8;
 head3 : uint8;
 head4 : uint8;
- rec : RecordText(this)[] &length=length, &requires(content_type);
+ rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
 } &length = length+5, &byteorder=bigendian, &let {
 version : int = $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
+ # unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
+ raw_tls_version: int = case version of {
+ SSLv20 -> 0;
+ default -> (head1<<8) | head2;
+ } &requires(version);
+
 content_type : int = case version of {
 SSLv20 -> head2+300;
 default -> head0;
- };
+ } &requires(version);
 length : int = case version of {
 # fail analyzer if the packet cannot be recognized as TLS.
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
index c7e3a43cbe..ca3f96ef96 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
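Review bot: `raw_tls_version` is declared `int` here but `uint16` in the DTLS record type changed by the same commit; the value is a 16-bit wire field in both cases, so `raw_tls_version: uint16 = case version of {` keeps the two definitions consistent and documents the range of the value handed to the event. The comment above it tells readers what not to do rather than what the field holds; suggest `# Record-layer version exactly as on the wire (head1, head2). SSLv2 records have no such field, so it is 0 for them.` instead. The `SSLRecord` type and its `&let` block continue past the hunk (the `length` case is cut off at the bottom).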
@@ -5,41 +5,41 @@ Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
 CCS, 192.168.1.105, 74.125.224.79, T
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387
 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
 CCS, 192.168.1.105, 74.125.224.79, F
 Established, 192.168.1.105, 74.125.224.79
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 248
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 161
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 33
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 148
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 46
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 135
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 59
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 245
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 92
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 75
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
index 452071b452..26e2572129 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@@ -15,6 +15,10 @@ x25519
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
index 0dd8725b11..969733b218 100644
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@@ -22,7 +22,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 {
- print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+ print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index 142d9ec699..e19a33edbd 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
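Review bot: `SSL::version_strings[record_version]` on the new print line indexes a table with a value the event does not guarantee to be a key: the record parser changed in this commit passes 0 for SSLv2 records and the raw DTLS wire value for DTLS, and in Bro a lookup of a missing table key aborts the handler with a runtime error instead of printing. Unless `SSL::version_strings` has an entry for 0 (I cannot confirm that from here), a trace containing an SSLv2 record would silently drop the line from the baseline. Guard the lookup so the handler always prints something useful: `print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, (record_version in SSL::version_strings ? SSL::version_strings[record_version] : fmt("unknown-%x", record_version)), content_type, length;`.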
@@ -32,3 +36,9 @@ secp384r1
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
index 0dd8725b11..969733b218 100644
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@@ -22,7 +22,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 {
- print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+ print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index 142d9ec699..e19a33edbd 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@@ -9,6 +9,8 @@
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout
+redef SSL::disable_analyzer_after_detection=F;
+
 event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
 {
 print "key_share", c$id, is_orig;
@@ -23,7 +25,7 @@ event ssl_established(c: connection)
 print "established", c$id;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 {
- print "encrypted", c$id, is_orig, content_type;
+ print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 }
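Review bot: `redef SSL::disable_analyzer_after_detection=F;` changes what this test observes (the updated baseline gains `encrypted` lines after `established`, which presumably appear only because the analyzer now keeps parsing records past that point), yet it carries no comment saying why it is there, and the `=F` spacing differs from the `redef X = V;` form used elsewhere in Bro scripts. Suggest `# Keep the SSL analyzer attached after the session is established so ssl_encrypted_data is raised for the application-data records this test prints.` above it, written as `redef SSL::disable_analyzer_after_detection = F;`.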
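Review bot: As in handshake-events.test, `SSL::version_strings[record_version]` in the new print line fails at runtime if `record_version` is not a key of the table, and the parser changed in this commit emits 0 for SSLv2 records and the DTLS wire value for DTLS. A missing-key lookup aborts the handler rather than printing, so the baseline would lose lines silently; use `(record_version in SSL::version_strings ? SSL::version_strings[record_version] : fmt("unknown-%x", record_version))` in place of the bare index.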