Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

make client and server random available on script-level.

Browse source 
Patch by ewust

Addresses BIT-950
This commit is contained in:
Bernhard Amann 2013-09-11 12:39:23 -07:00
parent 7c1dffa66f
commit c40a97156a
6 changed files with 37 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ssl/main.bro
View file

@ -151,7 +151,7 @@ function finish(c: connection)
disable_analyzer(c$id, c$ssl$analyzer_id); disable_analyzer(c$id, c$ssl$analyzer_id);
} }
event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set) &priority=5
{ {
set_session(c); set_session(c);
@ -160,7 +160,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, session
c$ssl$session_id = bytestring_to_hexstr(session_id); c$ssl$session_id = bytestring_to_hexstr(session_id);
} }
event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5 event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
{ {
set_session(c); set_session(c);

10
src/analyzer/protocol/ssl/events.bif
View file

@ -17,13 +17,16 @@
## ##
## session_id: The session ID sent by the client (if any). ## session_id: The session ID sent by the client (if any).
## ##
## client_random: The random value sent by the client. For version 2 connections,
## the client challenge is returned.
##
## ciphers: The list of ciphers the client offered to use. The values are ## ciphers: The list of ciphers the client offered to use. The values are
## standardized as part of the SSL/TLS protocol. The ## standardized as part of the SSL/TLS protocol. The
## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. ## :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
## ##
## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out ## start with an unencrypted handshake, and Bro extracts as much information out
@ -44,6 +47,9 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
## ##
## session_id: The session ID as sent back by the server (if any). ## session_id: The session ID as sent back by the server (if any).
## ##
## server_random: The random value sent by the server. For version 2 connections,
## the connection-id is returned.
##
## cipher: The cipher chosen by the server. The values are standardized as part ## cipher: The cipher chosen by the server. The values are standardized as part
## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps ## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps
## them to descriptive names. ## them to descriptive names.
@ -53,7 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
## ##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
## sessions start with an unencrypted handshake, and Bro extracts as much ## sessions start with an unencrypted handshake, and Bro extracts as much

18
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -152,6 +152,7 @@ refine connection SSL_Conn += {
function proc_client_hello(rec: SSLRecord, function proc_client_hello(rec: SSLRecord,
version : uint16, ts : double, version : uint16, ts : double,
client_random : bytestring,
session_id : uint8[], session_id : uint8[],
cipher_suites16 : uint16[], cipher_suites16 : uint16[],
cipher_suites24 : uint24[]) : bool cipher_suites24 : uint24[]) : bool
@ -176,7 +177,8 @@ refine connection SSL_Conn += {
} }
BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
version, ts, version, ts, new StringVal(client_random.length(),
(const char*) client_random.data()),
to_string_val(session_id), to_string_val(session_id),
cipher_set); cipher_set);
@ -188,6 +190,7 @@ refine connection SSL_Conn += {
function proc_server_hello(rec: SSLRecord, function proc_server_hello(rec: SSLRecord,
version : uint16, ts : double, version : uint16, ts : double,
server_random : bytestring,
session_id : uint8[], session_id : uint8[],
cipher_suites16 : uint16[], cipher_suites16 : uint16[],
cipher_suites24 : uint24[], cipher_suites24 : uint24[],
@ -209,7 +212,8 @@ refine connection SSL_Conn += {
BifEvent::generate_ssl_server_hello(bro_analyzer(), BifEvent::generate_ssl_server_hello(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
version, ts, version, ts, new StringVal(server_random.length(),
(const char*) server_random.data()),
to_string_val(session_id), to_string_val(session_id),
ciphers->size()==0 ? 0 : ciphers->at(0), comp_method); ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
@ -419,27 +423,27 @@ refine typeattr ApplicationData += &let {
refine typeattr ClientHello += &let { refine typeattr ClientHello += &let {
proc : bool = $context.connection.proc_client_hello(rec, client_version, proc : bool = $context.connection.proc_client_hello(rec, client_version,
gmt_unix_time, gmt_unix_time, random_bytes,
session_id, csuits, 0) session_id, csuits, 0)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr V2ClientHello += &let { refine typeattr V2ClientHello += &let {
proc : bool = $context.connection.proc_client_hello(rec, client_version, 0, proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
session_id, 0, ciphers) challenge, session_id, 0, ciphers)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr ServerHello += &let { refine typeattr ServerHello += &let {
proc : bool = $context.connection.proc_server_hello(rec, server_version, proc : bool = $context.connection.proc_server_hello(rec, server_version,
gmt_unix_time, session_id, cipher_suite, 0, gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
compression_method) compression_method)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr V2ServerHello += &let { refine typeattr V2ServerHello += &let {
proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0, proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
0, ciphers, 0) conn_id_data, 0, 0, ciphers, 0)
&requires(state_changed); &requires(state_changed);
cert : bool = $context.connection.proc_v2_certificate(rec, cert_data) cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)

4
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -346,7 +346,7 @@ type HelloRequest(rec: SSLRecord) = empty &let {
type ClientHello(rec: SSLRecord) = record { type ClientHello(rec: SSLRecord) = record {
client_version : uint16; client_version : uint16;
gmt_unix_time : uint32; gmt_unix_time : uint32;
random_bytes : bytestring &length = 28 &transient; random_bytes : bytestring &length = 28;
session_len : uint8; session_len : uint8;
session_id : uint8[session_len]; session_id : uint8[session_len];
csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
@ -397,7 +397,7 @@ type V2ClientHello(rec: SSLRecord) = record {
type ServerHello(rec: SSLRecord) = record { type ServerHello(rec: SSLRecord) = record {
server_version : uint16; server_version : uint16;
gmt_unix_time : uint32; gmt_unix_time : uint32;
random_bytes : bytestring &length = 28 &transient; random_bytes : bytestring &length = 28;
session_len : uint8; session_len : uint8;
session_id : uint8[session_len]; session_id : uint8[session_len];
cipher_suite : uint16[1]; cipher_suite : uint16[1];

2
testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout Normal file
View file

@ -0,0 +1,2 @@
8\xd0U@\xf1\xaamI\xb5SE^K\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7^D\x90
\xa7^B\xf4'&^E]|c\x83KN\xb0^N6F\xbez\xbb^Ny\xbf^O\x85p\x83\x8dX

12
testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test Normal file
View file

@ -0,0 +1,12 @@
# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
# @TEST-EXEC: btest-diff .stdout
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set)
{
print client_random;
}
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
{
print server_random;
}