Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Spicy TLS: rename the analyzer to SSL

Browse source 
Naming the analyzer different than the old one was a mistake that
required unnecessary code changes; keeping the old name makes things
like StartTLS in other protocol work without additional code changes.
This commit is contained in:
Johanna Amann 2023-11-06 12:48:30 +00:00
parent 283d900758
commit c682e5723b
8 changed files with 104 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ssl/dpd.sig
View file

@ -3,7 +3,7 @@ signature dpd_tls_server {
# SSL3 / TLS Server hello.
payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
tcp-state responder
enable "tls"
enable "ssl"
}
signature dpd_tls_client {
@ -11,7 +11,7 @@ signature dpd_tls_client {
# SSL3 / TLS Client hello.
payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
tcp-state originator
enable "tls"
enable "ssl"
}
signature dpd_dtls_client {

1
src/analyzer/protocol/CMakeLists.txt
View file

@ -42,6 +42,5 @@ add_subdirectory(ssh)
add_subdirectory(ssl)
add_subdirectory(syslog)
add_subdirectory(tcp)
add_subdirectory(tls)
add_subdirectory(xmpp)
add_subdirectory(zip)

2
src/analyzer/protocol/ssl/CMakeLists.txt
View file

@ -1,3 +1,5 @@
add_subdirectory(spicy)
zeek_add_plugin(
Zeek
SSL

1
src/analyzer/protocol/ssl/spicy/CMakeLists.txt Normal file
View file

@ -0,0 +1 @@
spicy_add_analyzer(NAME SSL SOURCES SSL.spicy SSL.evt)

86
src/analyzer/protocol/ssl/spicy/SSL.evt Normal file
View file

@ -0,0 +1,86 @@
protocol analyzer SSL over TCP:
parse with SSL::Message,
port 443/tcp;
protocol analyzer DTLS over UDP:
parse with SSL::Message,
port 443/udp;
import SSL;
import zeek;
import spicy;
on SSL::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
on SSL::ServerHello -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
on SSL::ServerHelloOneThree -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, "", self.cipher_suite, 0);
on SSL::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, SSL::get_direction(sh), self.elliptic_curve_list);
on SSL::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, SSL::get_direction(sh), self.ec_point_format_list);
on SSL::ServerNameList -> event ssl_extension_server_name($conn, SSL::get_direction(sh), SSL::convert_server_names(self));
on SSL::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
on SSL::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
# weird trigger for event ordering
on SSL::PlaintextRecord::%done if ( msg.context().ccs_seen == 2 && content_type == 20 ) -> event ssl_established($conn);
on SSL::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, SSL::get_direction(sh), self.length);
on SSL::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True ) -> event ssl_established($conn);
on SSL::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
on SSL::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.code, self.raw);
on SSL::Handshake_message::length -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length);
on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), SSL::convert_signature_algorithms(self));
on SSL::ServerHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
on SSL::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.namedgroup,));
on SSL::ClientHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), SSL::convert_clienthellokeyshare(self));
on SSL::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, SSL::get_direction(sh), SSL::convert_identities(self.identities), SSL::convert_binders(self.binders));
on SSL::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, SSL::get_direction(sh), self.selected_identity);
on SSL::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
on SSL::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
on SSL::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
on SSL::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
# just use nonsense values for no algorithm. Same as in the old analyzer
on SSL::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
on SSL::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
on SSL::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
on SSL::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
on SSL::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, SSL::get_direction(sh), SSL::convert_protocol_name_list(self));
on SSL::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, SSL::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
on SSL::SupportedVersions -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), self.versions);
on SSL::OneSupportedVersion -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), vector<uint16>(self.version,));
on SSL::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, SSL::get_direction(sh), self.modes);
on SSL::Alert_message -> event ssl_alert($conn, SSL::get_direction(sh), self.level, self.description);
on SSL::Heartbeat -> event ssl_heartbeat($conn, SSL::get_direction(sh), length, self.tpe, self.payload_length, self.data);
on SSL::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
on SSL::CertificateRequest if ( SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::convert_signature_algorithms(self.supported_signature_algorithms), SSL::convert_certificate_authorities(self));
on SSL::CertificateRequest if ( ! SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::create_empty_sigmature_algorithms(), SSL::convert_certificate_authorities(self));
on SSL::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn);

26
src/analyzer/protocol/tls/TLS.spicy → src/analyzer/protocol/ssl/spicy/SSL.spicy
View file

@ -1,4 +1,4 @@
module TLS;
module SSL;
import spicy;
@ -1740,7 +1740,7 @@ type SingleCertificate = unit {
import zeek;
public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
public function convert_server_names(snl: SSL::ServerNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in snl.server_name_list )
@ -1749,7 +1749,7 @@ public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
return out;
}
public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
public function convert_signature_algorithms(sa: SSL::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
local out: vector<tuple<uint8, uint8>>;
for ( i in sa.supported_signature_algorithms )
out.push_back(tuple(i.hash, i.signature));
@ -1762,7 +1762,7 @@ public function create_empty_sigmature_algorithms() : vector<tuple<HashAlgorithm
return out;
}
public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
public function convert_clienthellokeyshare(ks: SSL::ClientHelloKeyShare) : vector<uint16> {
local out: vector<uint16>;
for ( i in ks.keyshares )
@ -1771,7 +1771,7 @@ public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vect
return out;
}
public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
public function convert_binders(bi: SSL::PSKBindersList) : vector<bytes> {
local out: vector<bytes>;
for ( i in bi.binders )
@ -1780,21 +1780,21 @@ public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
return out;
}
public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
public function convert_identities(id: SSL::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
local out: vector<tuple<bytes, uint32>>;
for ( i in id.identities )
out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
return out;
}
public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
public function convert_protocol_name_list(pns: SSL::ProtocolNameList) : vector<bytes> {
local out: vector<bytes>;
for ( i in pns.protocol_name_list )
out.push_back(i.name);
return out;
}
public function convert_certificate_authorities(c: TLS::CertificateRequest) : vector<bytes> {
public function convert_certificate_authorities(c: SSL::CertificateRequest) : vector<bytes> {
local out: vector<bytes>;
for ( i in c.certificate_authorities )
out.push_back(i.certificate_authority);
@ -1830,23 +1830,23 @@ public function check_direction(inout sh: Share, desired: bool) : bool {
return False;
}
on TLS::ClientHello::%done {
on SSL::ClientHello::%done {
spicy::accept_input();
}
on TLS::ClientHello::%error {
on SSL::ClientHello::%error {
spicy::decline_input("error while parsing TLS client hello");
}
on TLS::ServerHello::%done {
on SSL::ServerHello::%done {
spicy::accept_input();
}
on TLS::ServerHello::%error {
on SSL::ServerHello::%error {
spicy::decline_input("error while parsing TLS server hello");
}
on TLS::Certificate::%done {
on SSL::Certificate::%done {
local first: bool = True;
for ( i in self.certificate_list )
{

1
src/analyzer/protocol/tls/CMakeLists.txt
View file

@ -1 +0,0 @@
spicy_add_analyzer(NAME TLS SOURCES TLS.spicy TLS.evt)

86
src/analyzer/protocol/tls/TLS.evt
View file

@ -1,86 +0,0 @@
protocol analyzer TLS over TCP:
parse with TLS::Message,
port 443/tcp;
protocol analyzer DTLS over UDP:
parse with TLS::Message,
port 443/udp;
import TLS;
import zeek;
import spicy;
on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
on TLS::ServerHello -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
on TLS::ServerHelloOneThree -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, "", self.cipher_suite, 0);
on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, TLS::get_direction(sh), self.elliptic_curve_list);
on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, TLS::get_direction(sh), self.ec_point_format_list);
on TLS::ServerNameList -> event ssl_extension_server_name($conn, TLS::get_direction(sh), TLS::convert_server_names(self));
on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
on TLS::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
# weird trigger for event ordering
on TLS::PlaintextRecord::%done if ( msg.context().ccs_seen == 2 && content_type == 20 ) -> event ssl_established($conn);
on TLS::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, TLS::get_direction(sh), self.length);
on TLS::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True ) -> event ssl_established($conn);
on TLS::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
on TLS::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
on TLS::Extension -> event ssl_extension($conn, TLS::get_direction(sh), self.code, self.raw);
on TLS::Handshake_message::length -> event ssl_handshake_message($conn, TLS::get_direction(sh), self.msg_type, self.length);
on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, TLS::get_direction(sh), TLS::convert_signature_algorithms(self));
on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), vector<uint16>(self.namedgroup,));
on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), TLS::convert_clienthellokeyshare(self));
on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, TLS::get_direction(sh), TLS::convert_identities(self.identities), TLS::convert_binders(self.binders));
on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, TLS::get_direction(sh), self.selected_identity);
on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
# just use nonsense values for no algorithm. Same as in the old analyzer
on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, TLS::get_direction(sh), TLS::convert_protocol_name_list(self));
on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, TLS::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, TLS::get_direction(sh), self.versions);
on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, TLS::get_direction(sh), vector<uint16>(self.version,));
on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, TLS::get_direction(sh), self.modes);
on TLS::Alert_message -> event ssl_alert($conn, TLS::get_direction(sh), self.level, self.description);
on TLS::Heartbeat -> event ssl_heartbeat($conn, TLS::get_direction(sh), length, self.tpe, self.payload_length, self.data);
on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
on TLS::CertificateRequest if ( TLS::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, TLS::get_direction(sh), self.certificate_types, TLS::convert_signature_algorithms(self.supported_signature_algorithms), TLS::convert_certificate_authorities(self));
on TLS::CertificateRequest if ( ! TLS::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, TLS::get_direction(sh), self.certificate_types, TLS::create_empty_sigmature_algorithms(), TLS::convert_certificate_authorities(self));
on TLS::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn);