Add record layer version to event ssl_encrypted_data.

This exposes the record layer version of the fragment in addition to the
content type and the length. The ordering of the arguments in the event
is the same as the ordering in the protocol message (first type, then
version, then length).

This also includes a slight change to the analyzer, no longer calling
the generate function if the event is not used.
Johanna Amann 2017-02-03 12:27:40 -08:00
parent f721c74bad
commit c05e07cc90
9 changed files with 71 additions and 47 deletions


@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
} }
} }
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
{ {
if ( !c?$ssl ) if ( !c?$ssl )
return; return;


@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
cont: case valid of { cont: case valid of {
true -> rec: RecordText(this)[] &length=length; true -> rec: RecordText(this)[] &length=length;
false -> swallow: bytestring &restofdata; false -> swallow: bytestring &restofdata;
}; } &requires(valid,raw_tls_version);
} &byteorder = bigendian, &let { } &byteorder = bigendian, &let {
# Do not parse body if packet version invalid # Do not parse body if packet version invalid
valid: bool = $context.connection.dtls_version_ok(version); valid: bool = $context.connection.dtls_version_ok(version);
raw_tls_version: uint16 = version;
}; };
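Review bot: `raw_tls_version` is declared `uint16` in this DTLS record but `int` in the TLS record of the `@ -8,16 +8,22` hunk (`raw_tls_version: int = case version of {`), and both are handed to the same `${rec.raw_tls_version}` argument of `generate_ssl_encrypted_data`, whose bif parameter is a `count`. The value is a 16-bit wire field in both records, so the TLS declaration should match this one: `raw_tls_version: uint16 = case version of {`. The added `&requires(valid,raw_tls_version)` on `cont` presumably only forces evaluation order, since the field is a plain copy of `version`; a short comment saying so would help, as the SSLRecord definition starts and ends outside the hunk.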
type RecordText(rec: SSLRecord) = case rec.epoch of { type RecordText(rec: SSLRecord) = case rec.epoch of {


@ -336,13 +336,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_orig: True if event is raised for originator side of the connection.
## ##
## content_type: message type as reported by TLS session layer. ## content_type: message type as reported by TLS session layer. Not populated for
## SSLv2
##
## record_version: TLS version given in the record layer of the message.
## this will not be set for SSLv2.
## ##
## length: length of the entire heartbeat message. ## length: length of the entire heartbeat message.
## ##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_alert ssl_heartbeat ## ssl_alert ssl_heartbeat
event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%); event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
## This event contains the OCSP response contained in a Certificate Status Request ## This event contains the OCSP response contained in a Certificate Status Request
## message, when the client requested OCSP stapling and the server supports it. ## message, when the client requested OCSP stapling and the server supports it.
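Review bot: The new `record_version` text says the value `will not be set for SSLv2`, but the parser assigns it in that case (`SSLv20 -> 0` for `raw_tls_version` in the TLS record), and the `Not populated for SSLv2` added to `content_type` is likewise inexact, since SSLv2 records get `head2+300`. I would document what the handler actually receives: `## record_version: TLS version given in the record layer of the message. Set to 0 for SSLv2 records, which carry no record-layer version.` and `## content_type: message type as reported by TLS session layer. For SSLv2 this is the message type plus 300.`. The unchanged `## length: length of the entire heartbeat message.` line in this block is a copy-paste leftover from the heartbeat event and should read `## length: length of the encrypted fragment.`; the new sentence also wants a period after `SSLv2` and a capital `This`.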


@ -54,8 +54,9 @@ refine connection SSL_Conn += {
bro_analyzer()->Conn()); bro_analyzer()->Conn());
} }
BifEvent::generate_ssl_encrypted_data(bro_analyzer(), if ( ssl_encrypted_data )
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length}); BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
return true; return true;
%} %}


@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
head2 : uint8; head2 : uint8;
head3 : uint8; head3 : uint8;
head4 : uint8; head4 : uint8;
rec : RecordText(this)[] &length=length, &requires(content_type); rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
} &length = length+5, &byteorder=bigendian, } &length = length+5, &byteorder=bigendian,
&let { &let {
version : int = version : int =
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig); $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
raw_tls_version: int = case version of {
SSLv20 -> 0;
default -> (head1<<8) | head2;
} &requires(version);
content_type : int = case version of { content_type : int = case version of {
SSLv20 -> head2+300; SSLv20 -> head2+300;
default -> head0; default -> head0;
}; } &requires(version);
length : int = case version of { length : int = case version of {
# fail analyzer if the packet cannot be recognized as TLS. # fail analyzer if the packet cannot be recognized as TLS.


@ -5,41 +5,41 @@ Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
CCS, 192.168.1.105, 74.125.224.79, T CCS, 192.168.1.105, 74.125.224.79, T
Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72
Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48
Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387
Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
CCS, 192.168.1.105, 74.125.224.79, F CCS, 192.168.1.105, 74.125.224.79, F
Established, 192.168.1.105, 74.125.224.79 Established, 192.168.1.105, 74.125.224.79
Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 248
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 161
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 33
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 148
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 46
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 135
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 59
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 245
Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 92
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 75
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32


@ -15,6 +15,10 @@ x25519
key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
x25519 x25519
established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp] established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
x25519 x25519
secp256r1 secp256r1
@ -32,3 +36,9 @@ secp384r1
key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
secp384r1 secp384r1
established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp] established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23


@ -22,7 +22,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
print "CCS", c$id$orig_h, c$id$resp_h, is_orig; print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
} }
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
{ {
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length; print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
} }
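Review bot: `SSL::version_strings[record_version]` indexes the table with a value taken straight from the record header (`(head1<<8) | head2` in the TLS record, `0` for SSLv2), so a version that is not a key of the table would, as far as I can tell, abort the handler with a runtime error instead of printing the line; the same lookup is added in the `@ -23,7 +25,7` hunk of the other test script. The baselines only exercise TLSv10, so this does not show up here, but a capture with an unusual record-layer version would make the test fail on the lookup rather than on the baseline diff. A guarded form keeps the output informative: `print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, (record_version in SSL::version_strings ? SSL::version_strings[record_version] : fmt("unknown-%x", record_version)), content_type, length;`.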


@ -9,6 +9,8 @@
# @TEST-EXEC: btest-diff ssl-out.log # @TEST-EXEC: btest-diff ssl-out.log
# @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: btest-diff .stdout
redef SSL::disable_analyzer_after_detection=F;
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
{ {
print "key_share", c$id, is_orig; print "key_share", c$id, is_orig;
@ -23,7 +25,7 @@ event ssl_established(c: connection)
print "established", c$id; print "established", c$id;
} }
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
{ {
print "encrypted", c$id, is_orig, content_type; print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
} }