Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Introduce ssl_plaintext_data event.

Browse source 
This event is the replacement for ssl_application_data, which is removed
in the same commit. It is more generic, containing more information than
ssl_application_dataand is raised for all SSL/TLS messages that are
exchanged before encryption starts.

It is used by Bro internally to determine when a TLS1.3 session has been
completely established. Apart from that, it can be used to, e.g.,
determine the record layer TLS version.
This commit is contained in:
Johanna Amann 2017-02-03 13:39:34 -08:00
parent c05e07cc90
commit c92bf9bad2
7 changed files with 79 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ssl/main.bro
View file

@ -302,11 +302,11 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
}
}
event ssl_application_data(c: connection, is_orig: bool, length: count)
event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count) &priority=5
{
set_session(c);
if ( ! c$ssl?$version || c$ssl$established )
if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
return;
if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )