From 31795e7600561511add762951eee6292b186f6d3 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 10 Mar 2015 14:29:40 -0700
Subject: [PATCH 1/2] When setting the SSL analyzer to fail, also stop processing data that already has been delivered to the analyzer, not just future data. No testcase because this is hard to reproduce, this was only found due to mistakenly triggering an error in life traffic at a site...
---
src/analyzer/protocol/ssl/ssl-protocol.pac | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index cb794bd8a4..0569caf321 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -750,6 +750,12 @@ refine connection SSL_Conn += { function determine_ssl_record_layer(head0 : uint8, head1 : uint8, head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ + // stop processing if we already had a protocol violation or otherwhise + // decided that we do not want to parse anymore. Just setting skip is not + // enough for the data that is already in the pipe. + if ( bro_analyzer()->Skipping() ) + return UNKNOWN_VERSION; + // re-check record layer version to be sure that we still are synchronized with // the data stream if ( record_layer_version_ != UNKNOWN_VERSION && record_layer_version_ != SSLv20 )
From eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb Mon Sep 17 00:00:00 2001
From: Daniel Thayer
Date: Wed, 18 Mar 2015 16:39:06 -0500
Subject: [PATCH 2/2] Correct a spelling error
---
src/iosource/pcap/Plugin.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iosource/pcap/Plugin.cc b/src/iosource/pcap/Plugin.cc
index f0490e6e3d..af74b16ead 100644
--- a/src/iosource/pcap/Plugin.cc
+++ b/src/iosource/pcap/Plugin.cc
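Review bot: The new early return in determine_ssl_record_layer (ssl-protocol.pac, patch 1/2) reuses UNKNOWN_VERSION, the same sentinel that record_layer_version_ is compared against a few lines further down, so a caller cannot tell "analyzer is skipping" from "record layer version not determined". What the callers do with that value for bytes already queued is not visible in this hunk, and the function body continues outside it; since this path handles desynchronized, untrusted traffic, it is worth confirming that every consumer of the return value stops parsing instead of falling into a generic-record branch. The added comment should state that contract and drop the "otherwhise" typo, for example `// Already skipping (protocol violation or explicit decision): return UNKNOWN_VERSION so data still queued is not parsed.`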
@@ -17,7 +17,7 @@ public: plugin::Configuration config; config.name = "Bro::Pcap"; - config.description = "Packet aquisition via libpcap"; + config.description = "Packet acquisition via libpcap"; return config; } } plugin;