Add record layer version to event ssl_encrypted_data.

This exposes the record layer version of the fragment in addition to the
content type and the length. The ordering of the arguments in the event
is the same as the ordering in the protocol message (first type, then
version, then length).

This also includes a slight change to the analyzer: the generate function
is no longer called when no handler for the event is defined.
Johanna Amann 2017-02-03 12:27:40 -08:00
parent f721c74bad
commit c05e07cc90
9 changed files with 71 additions and 47 deletions


@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
cont: case valid of {
true -> rec: RecordText(this)[] &length=length;
false -> swallow: bytestring &restofdata;
};
} &requires(valid,raw_tls_version);
} &byteorder = bigendian, &let {
# Do not parse body if packet version invalid
valid: bool = $context.connection.dtls_version_ok(version);
raw_tls_version: uint16 = version;
};
type RecordText(rec: SSLRecord) = case rec.epoch of {
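Review bot: Nothing in `cont` reads raw_tls_version, so its presence in `} &requires(valid,raw_tls_version);` is presumably only there to force the `&let` field to be evaluated before the record body is parsed, since the analyzer reads `${rec.raw_tls_version}` while still inside RecordText; that intent is not obvious and deserves a comment on that line, e.g. `# raw_tls_version is listed here so it is computed before RecordText parses and raises events.` The new `raw_tls_version: uint16 = version;` line could also carry the same remark the TLS grammar gets in this commit (`# unmodified record layer version of this packet`), so the two grammars stay readable side by side. The SSLRecord definition starts before the hunk.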


@ -336,13 +336,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
##
## is_orig: True if event is raised for originator side of the connection.
##
## content_type: message type as reported by TLS session layer.
## content_type: message type as reported by TLS session layer. Not populated for
## SSLv2
##
## record_version: TLS version given in the record layer of the message.
## this will not be set for SSLv2.
##
## length: length of the entire heartbeat message.
##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_alert ssl_heartbeat
event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
## This event contains the OCSP response contained in a Certificate Status Request
## message, when the client requested OCSP stapling and the server supports it.
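Review bot: The `## length: length of the entire heartbeat message.` line documents the wrong event; it reads like a copy from ssl_heartbeat, and since this hunk is already reworking the parameter docs of ssl_encrypted_data it should become `## length: length of the encrypted fragment, as given in the record header.` The new `record_version` text says "this will not be set for SSLv2", but the grammar introduced by this commit assigns 0 in that case (`SSLv20 -> 0;`), so the more useful wording is `## record_version: TLS version given in the record layer of the message. Set to 0 for SSLv2.` with the sentence capitalised. Likewise "Not populated for SSLv2" on `content_type` appears inaccurate given the grammar computes `head2+300` for SSLv2; if that value is intended to be meaningful, say so here rather than calling it unpopulated.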


@ -54,8 +54,9 @@ refine connection SSL_Conn += {
bro_analyzer()->Conn());
}
BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
if ( ssl_encrypted_data )
BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
return true;
%}


@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
head2 : uint8;
head3 : uint8;
head4 : uint8;
rec : RecordText(this)[] &length=length, &requires(content_type);
rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
} &length = length+5, &byteorder=bigendian,
&let {
version : int =
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
raw_tls_version: int = case version of {
SSLv20 -> 0;
default -> (head1<<8) | head2;
} &requires(version);
content_type : int = case version of {
SSLv20 -> head2+300;
default -> head0;
};
} &requires(version);
length : int = case version of {
# fail analyzer if the packet cannot be recognized as TLS.