make client and server random available on script-level.
Patch by ewust Addresses BIT-950
parent
7c1dffa66f
commit
c40a97156a
6 changed files with 37 additions and 13 deletions
|
@ -151,7 +151,7 @@ function finish(c: connection)
|
|||
disable_analyzer(c$id, c$ssl$analyzer_id);
|
||||
}
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
|
@ -160,7 +160,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, session
|
|||
c$ssl$session_id = bytestring_to_hexstr(session_id);
|
||||
}
|
||||
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
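Review bot: The new `client_random` and `server_random` arguments are inserted in the middle of the `ssl_client_hello` and `ssl_server_hello` signatures, so any handler written against the old prototypes, not only the two updated here, will presumably stop matching the event declaration until it is edited. Neither handler in this file uses the new argument, and nothing in the visible change records the break for script authors. I would add a release note along the lines of `ssl_client_hello and ssl_server_hello take a new random-value argument after possible_ts; existing handlers must be updated`. Both handler bodies continue outside the hunks.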
|
|
|
@ -17,13 +17,16 @@
|
|||
##
|
||||
## session_id: The session ID sent by the client (if any).
|
||||
##
|
||||
## client_random: The random value sent by the client. For version 2 connections,
|
||||
## the client challenge is returned.
|
||||
##
|
||||
## ciphers: The list of ciphers the client offered to use. The values are
|
||||
## standardized as part of the SSL/TLS protocol. The
|
||||
## :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
|
||||
##
|
||||
## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
|
||||
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
|
||||
event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
|
||||
event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set%);
|
||||
|
||||
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
|
||||
## start with an unencrypted handshake, and Bro extracts as much information out
|
||||
|
@ -44,6 +47,9 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
|
|||
##
|
||||
## session_id: The session ID as sent back by the server (if any).
|
||||
##
|
||||
## server_random: The random value sent by the server. For version 2 connections,
|
||||
## the connection-id is returned.
|
||||
##
|
||||
## cipher: The cipher chosen by the server. The values are standardized as part
|
||||
## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps
|
||||
## them to descriptive names.
|
||||
|
@ -53,7 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
|
|||
##
|
||||
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
|
||||
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
|
||||
event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
|
||||
event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
|
||||
|
||||
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
|
||||
## sessions start with an unencrypted handshake, and Bro extracts as much
|
||||
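Review bot: The added `client_random` and `server_random` descriptions say "the random value", but the analyzer passes only the 28-byte `random_bytes` field; the 4-byte `gmt_unix_time` that precedes it in the hello record is delivered separately as `possible_ts`. A script that needs the full 32-byte value, for example to correlate a session with other handshake records, would get it wrong from this wording. I would document it as `## client_random: The 28 random bytes following the timestamp in the client hello, as a raw (unencoded) byte string. For version 2 connections, the client challenge is returned.` and do the same for `server_random`. The two entries also sit after `session_id` in the comment while the argument precedes it in the prototype; moving them up would keep the doc in signature order.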
|
|
|
@ -152,6 +152,7 @@ refine connection SSL_Conn += {
|
|||
|
||||
function proc_client_hello(rec: SSLRecord,
|
||||
version : uint16, ts : double,
|
||||
client_random : bytestring,
|
||||
session_id : uint8[],
|
||||
cipher_suites16 : uint16[],
|
||||
cipher_suites24 : uint24[]) : bool
|
||||
|
@ -176,7 +177,8 @@ refine connection SSL_Conn += {
|
|||
}
|
||||
|
||||
BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
version, ts,
|
||||
version, ts, new StringVal(client_random.length(),
|
||||
(const char*) client_random.data()),
|
||||
to_string_val(session_id),
|
||||
cipher_set);
|
||||
|
||||
|
@ -188,6 +190,7 @@ refine connection SSL_Conn += {
|
|||
|
||||
function proc_server_hello(rec: SSLRecord,
|
||||
version : uint16, ts : double,
|
||||
server_random : bytestring,
|
||||
session_id : uint8[],
|
||||
cipher_suites16 : uint16[],
|
||||
cipher_suites24 : uint24[],
|
||||
|
@ -209,7 +212,8 @@ refine connection SSL_Conn += {
|
|||
|
||||
BifEvent::generate_ssl_server_hello(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
version, ts,
|
||||
version, ts, new StringVal(server_random.length(),
|
||||
(const char*) server_random.data()),
|
||||
to_string_val(session_id),
|
||||
ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
|
||||
|
||||
|
@ -419,27 +423,27 @@ refine typeattr ApplicationData += &let {
|
|||
|
||||
refine typeattr ClientHello += &let {
|
||||
proc : bool = $context.connection.proc_client_hello(rec, client_version,
|
||||
gmt_unix_time,
|
||||
gmt_unix_time, random_bytes,
|
||||
session_id, csuits, 0)
|
||||
&requires(state_changed);
|
||||
};
|
||||
|
||||
refine typeattr V2ClientHello += &let {
|
||||
proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
|
||||
session_id, 0, ciphers)
|
||||
challenge, session_id, 0, ciphers)
|
||||
&requires(state_changed);
|
||||
};
|
||||
|
||||
refine typeattr ServerHello += &let {
|
||||
proc : bool = $context.connection.proc_server_hello(rec, server_version,
|
||||
gmt_unix_time, session_id, cipher_suite, 0,
|
||||
gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
|
||||
compression_method)
|
||||
&requires(state_changed);
|
||||
};
|
||||
|
||||
refine typeattr V2ServerHello += &let {
|
||||
proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0,
|
||||
0, ciphers, 0)
|
||||
proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
|
||||
conn_id_data, 0, 0, ciphers, 0)
|
||||
&requires(state_changed);
|
||||
|
||||
cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
|
||||
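Review bot: Both the `generate_ssl_client_hello` and `generate_ssl_server_hello` calls build the new argument with a hand-written `new StringVal(x.length(), (const char*) x.data())`, right next to a `to_string_val(session_id)` helper call for the neighbouring argument. If the tree's binpac helper for bytestrings is available in this analyzer (I believe it is `bytestring_to_val`; confirm), `bytestring_to_val(client_random)` and `bytestring_to_val(server_random)` would remove the cast and the duplicated length/data pairing. Separately, the V2 paths now pass `challenge` and `conn_id_data`, whose declarations are not in this diff; since the commit had to drop `&transient` from `random_bytes` in order to pass it, it is worth checking that those two fields are not `&transient` either. Both functions start and end outside the hunks.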
|
|
|
@ -346,7 +346,7 @@ type HelloRequest(rec: SSLRecord) = empty &let {
|
|||
type ClientHello(rec: SSLRecord) = record {
|
||||
client_version : uint16;
|
||||
gmt_unix_time : uint32;
|
||||
random_bytes : bytestring &length = 28 &transient;
|
||||
random_bytes : bytestring &length = 28;
|
||||
session_len : uint8;
|
||||
session_id : uint8[session_len];
|
||||
csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
|
||||
|
@ -397,7 +397,7 @@ type V2ClientHello(rec: SSLRecord) = record {
|
|||
type ServerHello(rec: SSLRecord) = record {
|
||||
server_version : uint16;
|
||||
gmt_unix_time : uint32;
|
||||
random_bytes : bytestring &length = 28 &transient;
|
||||
random_bytes : bytestring &length = 28;
|
||||
session_len : uint8;
|
||||
session_id : uint8[session_len];
|
||||
cipher_suite : uint16[1];
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
8\xd0U@\xf1\xaamI\xb5SE^K\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7^D\x90
|
||||
\xa7^B\xf4'&^E]|c\x83KN\xb0^N6F\xbez\xbb^Ny\xbf^O\x85p\x83\x8dX
|
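--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set)
+{
+print client_random;
+}
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+{
+print server_random;
+}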
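Review bot: The test prints `client_random` and `server_random` as raw bytes, so the baseline is a line of escaped binary that is hard to review when it changes; printing `bytestring_to_hexstr(client_random)` (the helper the SSL script already uses for `session_id`) would give a readable baseline. It also replays only `tls1.2.trace`, so the SSLv2 paths this commit changes (the client challenge and the server connection-id) are not exercised. A second `@TEST-EXEC` against an SSLv2 trace, if one exists under `$TRACES`, would cover them.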