Add record layer version to event ssl_encrypted_data.

This exposes the record layer version of the fragment in addition to the content type and the length. The ordering of the arguments in the event is the same as the ordering in the protocol message (first type, then version, then length). This also includes a slight change to the analyzer, no longer calling the generate function if the event is not used.
2025-10-02 14:48:21 +00:00 · 2017-02-03 12:27:40 -08:00 · 2017-02-03 12:27:40 -08:00 · c05e07cc90
commit c05e07cc90
parent f721c74bad
9 changed files with 71 additions and 47 deletions
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}

-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
 	cont: case valid of {
 		true -> rec: RecordText(this)[] &length=length;
    false -> swallow: bytestring &restofdata;
-	};
+	} &requires(valid,raw_tls_version);
 } &byteorder = bigendian, &let {
 # Do not parse body if packet version invalid
 	valid: bool = $context.connection.dtls_version_ok(version);
+	raw_tls_version: uint16 = version;
 };

 type RecordText(rec: SSLRecord) = case rec.epoch of {
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -336,13 +336,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## content_type: message type as reported by TLS session layer. Not populated for
+##               SSLv2
+##
+## record_version: TLS version given in the record layer of the message.
+##                 this will not be set for SSLv2.
 ##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);

 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@ -54,8 +54,9 @@ refine connection SSL_Conn += {
 							bro_analyzer()->Conn());
 			}

-		BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
+		if ( ssl_encrypted_data )
+			BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});

 		return true;
 		%}
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
 	head2 : uint8;
 	head3 : uint8;
 	head4 : uint8;
-	rec : RecordText(this)[] &length=length, &requires(content_type);
+	rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
 } &length = length+5, &byteorder=bigendian,
 	&let {
 	version : int =
 		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);

+	# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
+	raw_tls_version: int = case version of {
+		SSLv20 -> 0;
+		default -> (head1<<8) | head2;
+	} &requires(version);
+
 	content_type : int = case version of {
 		SSLv20 -> head2+300;
 		default -> head0;
-	};
+	} &requires(version);

 	length : int = case version of {
 		# fail analyzer if the packet cannot be recognized as TLS.
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout
@ -5,41 +5,41 @@ Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
 CCS, 192.168.1.105, 74.125.224.79, T
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387
 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
 CCS, 192.168.1.105, 74.125.224.79, F
 Established, 192.168.1.105, 74.125.224.79
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 248
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 161
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 33
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 148
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 46
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 135
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 59
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 245
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 92
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 75
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@ -15,6 +15,10 @@ x25519
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
@ -32,3 +36,9 @@ secp384r1
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@ -22,7 +22,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 	print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 	}

-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
-	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 	}
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@ -9,6 +9,8 @@
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout

+redef SSL::disable_analyzer_after_detection=F;
+
 event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
 	{
 	print "key_share", c$id, is_orig;
@ -23,7 +25,7 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}

-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
-	print "encrypted", c$id, is_orig, content_type;
+	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 	}