From e14eddeb979aa6e2820abdf8cef267659ff1b51a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 24 Jun 2022 19:27:13 +0200 Subject: [PATCH] SSL Analyzer: track connection direction by messages This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL server. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
--- scripts/base/protocols/ssl/files.zeek | 1 + scripts/base/protocols/ssl/main.zeek | 102 +++++++------ scripts/policy/protocols/ssl/decryption.zeek | 2 +- scripts/policy/protocols/ssl/heartbleed.zeek | 20 +-- scripts/policy/protocols/ssl/ssl-log-ext.zeek | 32 ++-- .../policy/protocols/ssl/validate-ocsp.zeek | 2 +- .../policy/protocols/ssl/validate-sct.zeek | 2 +- src/analyzer/protocol/ssl/DTLS.cc | 5 + src/analyzer/protocol/ssl/DTLS.h | 8 + src/analyzer/protocol/ssl/SSL.cc | 5 + src/analyzer/protocol/ssl/SSL.h | 8 + src/analyzer/protocol/ssl/events.bif | 141 ++++++++++++------ .../protocol/ssl/proc-certificate.pac | 12 +- .../protocol/ssl/ssl-dtls-analyzer.pac | 12 +- .../protocol/ssl/tls-handshake-analyzer.pac | 34 ++--- .../protocol/ssl/tls-handshake-protocol.pac | 52 ++++++- src/analyzer/protocol/ssl/tls-handshake.pac | 1 + .../.stdout | 9 ++ .../ssl.log | 2 +- .../notice-encrypted-short.log | 2 +- .../notice-encrypted-success.log | 2 +- .../notice-encrypted.log | 2 +- .../base/protocols/ssl/dtls-stun-dpd.test | 5 + .../base/protocols/ssl/handshake-events.test | 16 +- .../base/protocols/ssl/ocsp-stapling.test | 4 +- .../ssl/signed_certificate_timestamp.test | 2 +- .../protocols/ssl/tls-extension-events.test | 20 +-- .../base/protocols/ssl/tls13-experiment.test | 4 +- .../scripts/base/protocols/ssl/tls13.test | 8 +- .../ssl/tls13_encrypted_handshake_events.test | 8 +- 30 files changed, 344 insertions(+), 179 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout diff --git a/scripts/base/protocols/ssl/files.zeek b/scripts/base/protocols/ssl/files.zeek index f0ab34d1e0..c6be72100e 100644 --- a/scripts/base/protocols/ssl/files.zeek +++ b/scripts/base/protocols/ssl/files.zeek 
@@ -152,6 +152,7 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 c$ssl$client_cert_chain_fps = string_vec(); } + # Note - for SSL connections, is_orig indicates client/server, not necessary originator/responder. if ( f$is_orig ) c$ssl$client_cert_chain += f$info; else diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek index 9257a89922..b42e13fa12 100644 --- a/scripts/base/protocols/ssl/main.zeek +++ b/scripts/base/protocols/ssl/main.zeek @@ -72,9 +72,14 @@ export { ## SSL history showing which types of packets we received in which order. ## Letters have the following meaning with client-sent letters being capitalized: ## + ## A direction flip occurs when the client hello packet is not sent from the originator + ## of a connection. This can, e.g., occur when DTLS is used in a connection that was + ## set up using STUN. + ## ## ====== ==================================================== ## Letter Meaning ## ====== ==================================================== + ## ^ direction flipped ## H hello_request ## C client_hello ## S server_hello @@ -198,9 +203,9 @@ function set_session(c: connection) } } -function add_to_history(c: connection, is_orig: bool, char: string) +function add_to_history(c: connection, is_client: bool, char: string) { - if ( is_orig ) + if ( is_client ) c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char); else c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char); @@ -284,9 +289,9 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos c$ssl$resumed = T; } -event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) +event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec) { - if ( is_orig || |versions| != 1 ) + if ( is_client || |versions| != 1 ) return; set_session(c); 
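Review bot: The comment added in the file_sniff hunk of files.zeek has a typo and should read `# Note - for SSL connections, is_orig indicates client/server, not necessarily originator/responder.`. It also asserts that `f$is_orig` carries the TLS role rather than the flow direction; that only holds if the certificate file is forwarded with the flipped direction, which would be the proc-certificate.pac change listed in the diffstat but not shown in this excerpt, so it is worth confirming there before the comment is taken at face value. The enclosing file_sniff handler starts before this hunk.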
@@ -302,20 +307,20 @@ event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priori c$ssl$curve = ec_curves[curve]; } -event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) +event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec) { - if ( is_orig || |curves| != 1 ) + if ( is_client || |curves| != 1 ) return; set_session(c); c$ssl$curve = ec_curves[curves[0]]; } -event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5 +event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec) &priority=5 { set_session(c); - if ( is_orig && |names| > 0 ) + if ( is_client && |names| > 0 ) { c$ssl$server_name = names[0]; if ( |names| > 1 ) 
@@ -323,133 +328,140 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) } } -event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec) +event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec) { set_session(c); - if ( is_orig ) + if ( is_client ) return; if ( |protocols| > 0 ) c$ssl$next_protocol = protocols[0]; } -event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5 +event ssl_connection_flipped(c: connection) { set_session(c); - if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE ) + c$ssl$ssl_history += "^"; + } + +event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count) &priority=5 + { + set_session(c); + + if ( is_client && msg_type == SSL::CLIENT_KEY_EXCHANGE ) c$ssl$client_key_exchange_seen = T; switch ( msg_type ) { case SSL::HELLO_REQUEST: - add_to_history(c, is_orig, "h"); + add_to_history(c, is_client, "h"); break; case SSL::CLIENT_HELLO: - add_to_history(c, is_orig, "c"); + add_to_history(c, is_client, "c"); break; case SSL::SERVER_HELLO: - add_to_history(c, is_orig, "s"); + add_to_history(c, is_client, "s"); break; case SSL::HELLO_VERIFY_REQUEST: - add_to_history(c, is_orig, "v"); + add_to_history(c, is_client, "v"); break; case SSL::SESSION_TICKET: - add_to_history(c, is_orig, "t"); + add_to_history(c, is_client, "t"); break; # end of early data case 5: - add_to_history(c, is_orig, "e"); + add_to_history(c, is_client, "e"); break; case SSL::HELLO_RETRY_REQUEST: - add_to_history(c, is_orig, "j"); + add_to_history(c, is_client, "j"); break; case SSL::ENCRYPTED_EXTENSIONS: - add_to_history(c, is_orig, "o"); + add_to_history(c, is_client, "o"); break; case SSL::CERTIFICATE: - add_to_history(c, is_orig, "x"); + add_to_history(c, is_client, "x"); break; case SSL::SERVER_KEY_EXCHANGE: - add_to_history(c, is_orig, "k"); + 
add_to_history(c, is_client, "k"); break; case SSL::CERTIFICATE_REQUEST: - add_to_history(c, is_orig, "r"); + add_to_history(c, is_client, "r"); break; case SSL::SERVER_HELLO_DONE: - add_to_history(c, is_orig, "n"); + add_to_history(c, is_client, "n"); break; case SSL::CERTIFICATE_VERIFY: - add_to_history(c, is_orig, "y"); + add_to_history(c, is_client, "y"); break; case SSL::CLIENT_KEY_EXCHANGE: - add_to_history(c, is_orig, "g"); + add_to_history(c, is_client, "g"); break; case SSL::FINISHED: - add_to_history(c, is_orig, "f"); + add_to_history(c, is_client, "f"); break; case SSL::CERTIFICATE_URL: - add_to_history(c, is_orig, "w"); + add_to_history(c, is_client, "w"); break; case SSL::CERTIFICATE_STATUS: - add_to_history(c, is_orig, "u"); + add_to_history(c, is_client, "u"); break; case SSL::SUPPLEMENTAL_DATA: - add_to_history(c, is_orig, "a"); + add_to_history(c, is_client, "a"); break; case SSL::KEY_UPDATE: - add_to_history(c, is_orig, "p"); + add_to_history(c, is_client, "p"); break; # message hash case 254: - add_to_history(c, is_orig, "m"); + add_to_history(c, is_client, "m"); break; default: - add_to_history(c, is_orig, "z"); + add_to_history(c, is_client, "z"); break; } } # Extension event is fired _before_ the respective client or server hello. # Important for client_ticket_empty_session_seen. -event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5 +event ssl_extension(c: connection, is_client: bool, code: count, val: string) &priority=5 { set_session(c); - if ( is_orig && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 ) + if ( is_client && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 ) # In this case, we might have an empty ID. Set back to F in client_hello event # if it is not empty after all. 
c$ssl$client_ticket_empty_session_seen = T; - else if ( is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY ) + else if ( is_client && code == SSL_EXTENSION_PRE_SHARED_KEY ) # In this case, the client sent a PSK extension which can be used for resumption c$ssl$client_psk_seen = T; - else if ( ! is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen ) + else if ( ! is_client && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen ) # In this case, the server accepted the PSK offered by the client. c$ssl$resumed = T; } -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5 +event ssl_change_cipher_spec(c: connection, is_client: bool) &priority=5 { set_session(c); - add_to_history(c, is_orig, "i"); + add_to_history(c, is_client, "i"); - if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen ) + if ( is_client && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen ) c$ssl$resumed = T; } -event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5 +event ssl_alert(c: connection, is_client: bool, level: count, desc: count) &priority=5 { set_session(c); - add_to_history(c, is_orig, "l"); + add_to_history(c, is_client, "l"); c$ssl$last_alert = alert_descriptions[desc]; } -event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) +event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) { set_session(c); - add_to_history(c, is_orig, "b"); + add_to_history(c, is_client, "b"); } event ssl_established(c: connection) &priority=7 
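Review bot: The new `ssl_connection_flipped` handler appends `^` to `c$ssl$ssl_history`, but nothing re-cases the letters that were appended before the flip was detected, so any history recorded under the originator-as-client assumption (presumably anything logged before the hello that triggers the flip) keeps its old case and a reader cannot treat the whole string as a clean client/server sequence. A comment on the handler would make that explicit: `# Letters appended before '^' were cased under the pre-flip orientation; only later letters reflect the corrected client/server roles.`. As a point of style, this is the only place in the file that writes to ssl_history without going through `add_to_history`; since that helper forces a case on its character the inline concatenation is understandable, but a short comment saying why the helper is bypassed would keep the history logic readable in one place.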
@@ -489,7 +501,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) } } -event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) &priority=5 +event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5 { set_session(c); diff --git a/scripts/policy/protocols/ssl/decryption.zeek b/scripts/policy/protocols/ssl/decryption.zeek index b9be06ca89..3e6b601981 100644 --- a/scripts/policy/protocols/ssl/decryption.zeek +++ b/scripts/policy/protocols/ssl/decryption.zeek @@ -99,7 +99,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos set_secret(c, secrets[client_random]); } -event ssl_change_cipher_spec(c: connection, is_orig: bool) +event ssl_change_cipher_spec(c: connection, is_client: bool) { if ( c$ssl?$client_random ) { diff --git a/scripts/policy/protocols/ssl/heartbleed.zeek b/scripts/policy/protocols/ssl/heartbleed.zeek index aabafbff14..12841b232d 100644 --- a/scripts/policy/protocols/ssl/heartbleed.zeek +++ b/scripts/policy/protocols/ssl/heartbleed.zeek @@ -79,7 +79,7 @@ event zeek_init() min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; } -event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) +event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) { if ( ! c?$ssl ) return; @@ -97,7 +97,7 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: $identifier=cat(c$uid, length, payload_length) ]); } - else if ( is_orig ) + else if ( is_client ) { NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack, $msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length), 
@@ -118,9 +118,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: } } -event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) +event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count) { - if ( is_orig ) + if ( is_client ) ++c$ssl$originator_heartbeats; else ++c$ssl$responder_heartbeats; @@ -129,14 +129,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) if ( c$ssl$enc_appdata_packages == 0 ) NOTICE([$note=SSL_Heartbeat_Attack, - $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig), + $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client), $conn=c, $n=length, $identifier=fmt("%s%s", c$uid, "early") ]); else if ( duration < 1min ) NOTICE([$note=SSL_Heartbeat_Attack, - $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration), + $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration), $conn=c, $n=length, $identifier=fmt("%s%s", c$uid, "early") @@ -158,7 +158,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats ]); - if ( is_orig && length < 19 ) + if ( is_client && length < 19 ) NOTICE([$note=SSL_Heartbeat_Odd_Length, $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration), $conn=c, @@ -192,7 +192,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) } - if ( is_orig ) + if ( is_client ) { if ( c$ssl?$last_responder_heartbeat_request_size ) { 
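Review bot: In the `ssl_encrypted_heartbeat` hunk at `@@ -118` the branch on `is_client` now increments `c$ssl$originator_heartbeats` and `c$ssl$responder_heartbeats`, so after this change those counters (and `last_responder_heartbeat_request_size` in the `@@ -192` hunk) follow the TLS client/server role rather than the flow originator/responder, while their names still say otherwise. Renaming the record fields would break existing consumers, so the minimal fix is a comment at the point of update: `# These counters follow the TLS role (is_client), not the connection's originator/responder.`. The same naming drift applies to `c$ssl$orig_alpn` in the ssl-log-ext.zeek hunk at `@@ -92`, where `is_client` now selects what is stored under a name that suggests the originator. The ssl_encrypted_heartbeat body continues outside these hunks.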
@@ -223,13 +223,13 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) } } -event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) +event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) { if ( !c?$ssl ) return; if ( content_type == SSL::HEARTBEAT ) - event ssl_encrypted_heartbeat(c, is_orig, length); + event ssl_encrypted_heartbeat(c, is_client, length); else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) ) { ++c$ssl$enc_appdata_packages; diff --git a/scripts/policy/protocols/ssl/ssl-log-ext.zeek b/scripts/policy/protocols/ssl/ssl-log-ext.zeek index a1d7f3e612..844111e7ca 100644 --- a/scripts/policy/protocols/ssl/ssl-log-ext.zeek +++ b/scripts/policy/protocols/ssl/ssl-log-ext.zeek @@ -73,12 +73,12 @@ event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, t c$ssl$ticket_lifetime_hint = ticket_lifetime_hint; } -event ssl_extension(c: connection, is_orig: bool, code: count, val: string) +event ssl_extension(c: connection, is_client: bool, code: count, val: string) { if ( ! c?$ssl ) return; - if ( is_orig ) + if ( is_client ) { if ( ! c$ssl?$ssl_client_exts ) c$ssl$ssl_client_exts = vector(); 
@@ -92,28 +92,28 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) } } -event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec) +event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec) { - if ( ! c?$ssl || ! is_orig ) + if ( ! c?$ssl || ! is_client ) return; c$ssl$point_formats = point_formats; } -event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) +event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec) { - if ( ! c?$ssl || ! is_orig ) + if ( ! c?$ssl || ! is_client ) return; c$ssl$client_curves = curves; } -event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec) +event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec) { if ( ! c?$ssl ) return; - if ( is_orig ) + if ( is_client ) c$ssl$orig_alpn = names; } 
@@ -126,39 +126,39 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) c$ssl$dh_param_size = key_length; } -event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) +event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec) { if ( ! c?$ssl ) return; - if ( is_orig ) + if ( is_client ) c$ssl$client_supported_versions = versions; else c$ssl$server_supported_version = versions[0]; } - event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) + event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec) { - if ( ! c?$ssl || ! is_orig ) + if ( ! c?$ssl || ! is_client ) return; c$ssl$psk_key_exchange_modes = modes; } -event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) +event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec) { if ( ! c?$ssl ) return; - if ( is_orig ) + if ( is_client ) c$ssl$client_key_share_groups = curves; else c$ssl$server_key_share_group = curves[0]; } -event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec) +event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec) { - if ( ! c?$ssl || ! is_orig ) + if ( ! c?$ssl || ! is_client ) return; local sigalgs: index_vec = vector(); diff --git a/scripts/policy/protocols/ssl/validate-ocsp.zeek b/scripts/policy/protocols/ssl/validate-ocsp.zeek index 545c499350..3c2c3f6c95 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.zeek +++ b/scripts/policy/protocols/ssl/validate-ocsp.zeek 
@@ -31,7 +31,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 +event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/scripts/policy/protocols/ssl/validate-sct.zeek b/scripts/policy/protocols/ssl/validate-sct.zeek index 796cd127a7..d17caa94d1 100644 --- a/scripts/policy/protocols/ssl/validate-sct.zeek +++ b/scripts/policy/protocols/ssl/validate-sct.zeek @@ -74,7 +74,7 @@ event zeek_init() Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); } -event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 +event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 { c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); } diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc index 7ddd714989..d593b57b10 100644 --- a/src/analyzer/protocol/ssl/DTLS.cc +++ b/src/analyzer/protocol/ssl/DTLS.cc @@ -83,4 +83,9 @@ bool DTLS_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool return false; } +bool DTLS_Analyzer::GetFlipped() + { + return handshake_interp->flipped(); + } + } // namespace zeek::analyzer::dtls diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index 1642cb4a6c..d5b908a51a 100644 --- a/src/analyzer/protocol/ssl/DTLS.h 
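Review bot: `DTLS_Analyzer::GetFlipped` dereferences `handshake_interp` unconditionally; whether that pointer can be null when the accessor is called (for instance during teardown) is not visible in this excerpt, so if other accessors in the class guard it, this one should follow the same convention. The method does not modify the analyzer, so `bool GetFlipped() const;` would document that, provided the generated `flipped()` accessor is itself const. The identical method added in `SSL.cc` and the declarations in `DTLS.h` and `SSL.h` raise the same two points, and neither hunk shows a caller, so the intended use of the accessor would be worth a sentence in the header comment.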
+++ b/src/analyzer/protocol/ssl/DTLS.h @@ -39,6 +39,14 @@ public: static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); } + /** + * Check if the connection is flipped--meaning that the TLS client is the responder of the + * connection. + * + * @return True if connection is flipped. + */ + bool GetFlipped(); + /** * Try to decrypt TLS application data from a packet. * diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 2d8d194e59..c7312466c8 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -413,4 +413,9 @@ void SSL_Analyzer::ForwardDecryptedData(const std::vector& data, bool is ForwardStream(data.size(), data.data(), is_orig); } +bool SSL_Analyzer::GetFlipped() + { + return handshake_interp->flipped(); + } + } // namespace zeek::analyzer::ssl diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 5fdbc27dca..e8c113b48e 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -97,6 +97,14 @@ public: */ void SetKeys(const std::vector newkeys); + /** + * Check if the connection is flipped--meaning that the TLS client is the responder of the + * connection. + * + * @return True if connection is flipped. + */ + bool GetFlipped(); + protected: /** * Try to decrypt TLS application data from a packet. Requires secret or keys to be set prior. diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 25bc34398b..01f294f913 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
@@ -34,7 +34,7 @@ ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_change_cipher_spec ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params -## ssl_rsa_client_pms +## ssl_rsa_client_pms ssl_connection_flipped event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%); ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions @@ -78,7 +78,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po ## ssl_session_ticket_handshake x509_certificate ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params -## ssl_rsa_client_pms +## ssl_rsa_client_pms ssl_connection_flipped event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS @@ -90,7 +90,9 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## code: The numerical code of the extension. The values are standardized as ## part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps 
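Review bot: The new is_client documentation in the `@@ -90` hunk reads `This is typically equivalent with the originator`; idiomatic English is `equivalent to the originator`, and the same paragraph is repeated verbatim in the is_client hunks at `@@ -112`, `@@ -133`, `@@ -155`, `@@ -175`, `@@ -196`, `@@ -209`, `@@ -332`, `@@ -353`, `@@ -373` and `@@ -405`, so one wording fix should be applied to all of them. I would phrase it as `## is_client: True if the event is raised for the client side of the connection` / `## (the side that sends the client hello). This is usually the originator,` / `## but not always; see ssl_connection_flipped.`. The pointer to `ssl_connection_flipped` is useful because the see-also lists already reference that event while the parameter text does not say where a flip is reported.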
@@ -104,7 +106,8 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); +## ssl_connection_flipped +event ssl_extension%(c: connection, is_client: bool, code: count, val: string%); ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is ## defined in :rfc:`4492` and sent by the client in the initial handshake. It @@ -112,7 +115,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## curves: List of supported elliptic curves. ## @@ -124,7 +129,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); +event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension ## is defined in :rfc:`4492` and sent by the client and/or server in the initial 
@@ -133,7 +138,9 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## point_formats: List of supported point formats. ## @@ -146,7 +153,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); +event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension ## is defined in :rfc:`5246` and sent by the client in the initial @@ -155,7 +162,9 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## signature_algorithms: List of supported signature and hash algorithm pairs. ## 
@@ -167,7 +176,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); +event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 ## and sent by the client and the server in the initial handshake. It gives the list of @@ -175,7 +184,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ## c: The connection. ## -## is_orig: True if event is raised for the originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## curves: List of supported/chosen named groups. ## @@ -187,7 +198,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); +event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%); ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello. ## 
@@ -196,7 +207,9 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ## c: The connection. ## -## is_orig: True if event is raised for the originator side of the connection +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## identities: A list of the identities the client is willing to negotiate with the server. ## @@ -209,13 +222,15 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello -event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%); +event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%); ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello. ## ## c: The connection. ## -## is_orig: True if event is raised for the originator side of the connection +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## selected_identity: The identity the server chose as a 0-based index into the identities ## the client sent. 
@@ -227,7 +242,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, i ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello -event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%); +event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%); ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve ## This event contains the named curve name and the server ECDH parameters contained @@ -332,7 +347,9 @@ event ssl_rsa_client_pms%(c: connection, pms: string%); ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## protocols: List of supported application layer protocols. ## @@ -343,7 +360,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%); ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_signed_certificate_timestamp ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); +event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is ## defined in :rfc:`3546` and sent by the client in the initial handshake. It 
@@ -353,7 +370,9 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## names: A list of server names (DNS hostnames). ## @@ -365,7 +384,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_signed_certificate_timestamp ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%); ## Generated for the signed_certificate_timestamp TLS extension as defined in ## :rfc:`6962`. The extension is used to transmit signed proofs that are @@ -373,7 +392,9 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## version: the version of the protocol to which the SCT conforms. Always ## should be 0 (representing version 1) 
@@ -396,7 +417,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ssl_extension_application_layer_protocol_negotiation ## x509_ocsp_ext_signed_certificate_timestamp sct_verify ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); +event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated for an TLS Supported Versions extension. This TLS extension ## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. @@ -405,7 +426,9 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## versions: List of supported TLS versions. ## 
@@ -416,14 +439,16 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, ## ssl_extension_key_share ssl_extension_server_name ## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); +event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%); ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined ## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the ## list of Pre-Shared Key Exchange Modes that it supports. ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## versions: List of supported Pre-Shared Key Exchange Modes. ## @@ -434,7 +459,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: ## ssl_extension_key_share ssl_extension_server_name ## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello -event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); +event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Zeek extracts as much information out of that 
@@ -462,7 +487,9 @@ event ssl_established%(c: connection%); ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## level: The severity level, as sent in the *alert*. The values are defined as ## part of the SSL/TLS protocol. @@ -472,7 +499,7 @@ event ssl_established%(c: connection%); ## ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake -event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); +event ssl_alert%(c: connection, is_client: bool, level: count, desc: count%); ## Generated for SSL/TLS handshake messages that are a part of the ## stateless-server session resumption mechanism. SSL/TLS sessions start with @@ -501,7 +528,9 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## length: length of the entire heartbeat message. ## 
@@ -515,7 +544,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_encrypted_data -event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%); +event ssl_heartbeat%(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%); ## Generated for SSL/TLS messages that are sent before full session encryption ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3; @@ -526,7 +555,9 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## record_version: TLS version given in the record layer of the message. ## Set to 0 for SSLv2. @@ -538,7 +569,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type ## ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat -event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); +event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%); ## Generated for SSL/TLS messages that are sent after session encryption ## started. 
@@ -548,7 +579,9 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## record_version: TLS version given in the record layer of the message. ## Set to 0 for SSLv2. @@ -560,7 +593,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c ## ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message -event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); +event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%); ## This event is generated for application data records of TLS 1.3 connections of which ## we suspect that they contain handshake messages. 
@@ -587,13 +620,15 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, c ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## length: length of the entire message. ## ## .. zeek:see:: ssl_client_hello ssl_established ssl_server_hello ## ssl_encrypted_data -event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, length: count%); +event ssl_probable_encrypted_handshake_message%(c: connection, is_client: bool, length: count%); ## This event contains the OCSP response contained in a Certificate Status Request ## message, when the client requested OCSP stapling and the server supports it. @@ -601,16 +636,20 @@ event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, le ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## response: OCSP data. -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); +event ssl_stapled_ocsp%(c: connection, is_client: bool, response: string%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## ## c: The connection. ## -## is_orig: True if event is raised for originator side of the connection. +## is_client: True if event is raised for the client side of the connection +## (the side that sends the client hello). This is typically equivalent +## with the originator, but does not have to be in all circumstances. ## ## msg_type: Type of the handshake message that was seen. ## 
@@ -618,17 +657,33 @@ event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
 ##
 ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ## ssl_session_ticket_handshake x509_certificate ssl_client_hello
-## ssl_change_cipher_spec
-event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%);
+## ssl_change_cipher_spec ssl_connection_flipped
+event ssl_handshake_message%(c: connection, is_client: bool, msg_type: count, length: count%);
 ## This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
 ## before encryption begins. Traffic will be encrypted following this message.
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+## (the side that sends the client hello). This is typically equivalent
+## with the originator, but does not have to be in all circumstances.
 ##
 ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ## ssl_session_ticket_handshake x509_certificate ssl_client_hello
 ## ssl_handshake_message
-event ssl_change_cipher_spec%(c: connection, is_orig: bool%);
+event ssl_change_cipher_spec%(c: connection, is_client: bool%);
+
+## Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
+## session. In some scenarios this does not hold, and the responder of a connection is the
+## client, and the initiator is the server.
+##
+## In these cases, Zeek raises this event. Connection direction is detected by looking at the
+## server hello, client hello, and hello request handshake messages.
+##
+## c: The connection.
+##
+## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+## ssl_session_ticket_handshake x509_certificate ssl_client_hello
+## ssl_handshake_message
+event ssl_connection_flipped%(c: connection%);
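Review bot: The `ssl_connection_flipped` documentation should say that the event can be raised more than once for a connection: the analyzer toggles the direction back when a later hello contradicts the flip (raising the weird `SSL_unclear_connection_direction` the first time this happens), and events delivered before a flip carried the previous `is_client` value. Suggest adding after the second paragraph: `## The event may fire repeatedly if the observed hello messages disagree; in that case the weird`, `## SSL_unclear_connection_direction is raised once. Script state keyed on is_client that was`, `## collected before this event refers to the pre-flip direction.` Scripts that cache per-side state in `c$ssl` have no other way to learn that their earlier attribution is now inverted.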
diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
index a739a35d05..853347eaf6 100644
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -3,10 +3,18 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
 if ( certificates->size() == 0 ) return true;
+ // this has to execute in both contexts, ssl and tls-handshake. In one we have flipped_,
+ // in the other we have ssl_analyzer()->GetFlipped(). And in both cases the other case
+ // does not work (and cannot be made to work easily).
+
+#ifndef USE_FLIPPED
+ bool flipped_ = zeek_analyzer()->GetFlipped();
+#endif
+
 zeek::ODesc common;
 common.AddRaw("Analyzer::ANALYZER_SSL");
 common.Add(zeek_analyzer()->Conn()->StartTime());
-common.AddRaw(is_orig ? "T" : "F", 1);
+common.AddRaw(is_orig ^ flipped_ ? "T" : "F", 1);
 zeek_analyzer()->Conn()->IDString(&common);
 static const string user_mime = "application/x-x509-user-cert";
@@ -31,7 +39,7 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
 zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(),
 zeek_analyzer()->GetAnalyzerTag(),
-zeek_analyzer()->Conn(), is_orig,
+zeek_analyzer()->Conn(), is_orig ^ flipped_,
 file_id, i == 0 ? user_mime : ca_mime);
 zeek::file_mgr->EndOfFile(file_id);
 }
diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
index 8ddecbe318..78cbc08821 100644
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@@ -34,7 +34,7 @@ refine connection SSL_Conn += {
 %{
 if ( ssl_alert ) zeek::BifEvent::enqueue_ssl_alert(zeek_analyzer(), zeek_analyzer()->Conn(),
- ${rec.is_orig}, level, desc);
+ ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), level, desc);
 return true;
 %}
 function proc_unknown_record(rec: SSLRecord) : bool
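Review bot: The `#ifndef USE_FLIPPED` block makes `proc_certificate` compile differently depending on whether `tls-handshake.pac` has defined the macro in its `%header` (the `#define USE_FLIPPED` hunk appears later in this diff), and it relies on the local `bool flipped_` sharing the name of the Handshake_Conn member so that the two `is_orig ^ flipped_` uses below resolve in both contexts. That coupling is easy to break through include order and invisible from this file. Giving SSL_Conn a `function flipped() : bool %{ return zeek_analyzer()->GetFlipped(); %}`, matching the accessor Handshake_Conn gains in this commit, should let this function call `flipped()` unconditionally and drop the macro; if that is not possible, the comment should name the macro and where it is defined. `proc_certificate` continues outside the hunk.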
@@ -66,13 +66,13 @@ refine connection SSL_Conn += { if ( ssl_encrypted_data ) { zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); + zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); } if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false ) { // If decryption of one packet fails, do not try to decrypt future packets. - if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) ) + if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig() ^ zeek_analyzer()->GetFlipped(), rec->content_type(), rec->raw_tls_version()) ) decryption_failed_ = true; } @@ -83,7 +83,7 @@ refine connection SSL_Conn += { %{ if ( ssl_plaintext_data ) zeek::BifEvent::enqueue_ssl_plaintext_data(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); + zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); return true; %} @@ -92,7 +92,7 @@ refine connection SSL_Conn += { %{ if ( ssl_heartbeat ) zeek::BifEvent::enqueue_ssl_heartbeat(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, + zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.length}, type, payload_length, zeek::make_intrusive(data.length(), (const char*) data.data())); return true; %} @@ -114,7 +114,7 @@ refine connection SSL_Conn += { %{ if ( ssl_change_cipher_spec ) zeek::BifEvent::enqueue_ssl_change_cipher_spec(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}); + zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped()); return true; %} 
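Review bot: `${rec.is_orig} ^ zeek_analyzer()->GetFlipped()` is repeated in every enqueue call of this file (the hunks here and the ssl_alert hunk on the previous line), including the `TryDecryptApplicationData` call that decides which side's keys are used for decryption. A helper on SSL_Conn such as `function client_side(is_orig: bool) : bool %{ return is_orig ^ zeek_analyzer()->GetFlipped(); %}`, called as `client_side(${rec.is_orig})`, would give one place to change and the same call shape as the handshake analyzer. Each hunk sits inside `refine connection SSL_Conn += {`, whose start and end are outside the hunk.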
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 0f222ae682..136821fc9a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -161,7 +161,7 @@ refine connection Handshake_Conn += { if ( ssl_extension ) zeek::BifEvent::enqueue_ssl_extension(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, type, + zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, type, zeek::make_intrusive(length, reinterpret_cast(data))); return true; %} @@ -180,7 +180,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(points)); + ${rec.is_orig} ^ flipped_, std::move(points)); return true; %} @@ -199,7 +199,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(curves)); + ${rec.is_orig} ^ flipped_, std::move(curves)); return true; %} @@ -217,7 +217,7 @@ refine connection Handshake_Conn += { nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup())); } - zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist)); return true; %} @@ -230,7 +230,7 @@ refine connection Handshake_Conn += { auto nglist = zeek::make_intrusive(zeek::id::index_vec); nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup())); - zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist)); return true; %} 
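Review bot: `${rec.is_orig} ^ flipped_` is now spelled out at every enqueue site of this file (the hunks on this line and on the two following lines), so a later change to the direction logic becomes a multi-site edit with an easily missed call. A connection-level helper would keep it in one place: `function client_side(is_orig: bool) : bool %{ return is_orig ^ flipped_; %}` with `client_side(${rec.is_orig})` at the call sites. The enclosing `refine connection Handshake_Conn += {` block starts and ends outside every hunk here.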
@@ -242,7 +242,7 @@ refine connection Handshake_Conn += { auto nglist = zeek::make_intrusive(zeek::id::index_vec); nglist->Assign(0u, zeek::val_mgr->Count(namedgroup)); - zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist)); return true; %} @@ -264,7 +264,7 @@ refine connection Handshake_Conn += { } } - zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(slist)); + zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(slist)); return true; %} @@ -283,7 +283,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(plist)); + ${rec.is_orig} ^ flipped_, std::move(plist)); return true; %} @@ -312,7 +312,7 @@ refine connection Handshake_Conn += { if ( ssl_extension_server_name ) zeek::BifEvent::enqueue_ssl_extension_server_name(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(servers)); + ${rec.is_orig} ^ flipped_, std::move(servers)); return true; %} @@ -331,7 +331,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(versions)); + ${rec.is_orig} ^ flipped_, std::move(versions)); return true; %} @@ -345,7 +345,7 @@ refine connection Handshake_Conn += { versions->Assign(0u, zeek::val_mgr->Count(version)); zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(versions)); + ${rec.is_orig} ^ flipped_, std::move(versions)); return true; %} 
@@ -364,7 +364,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(modes)); + ${rec.is_orig} ^ flipped_, std::move(modes)); return true; %} @@ -412,7 +412,7 @@ refine connection Handshake_Conn += { if ( ssl_stapled_ocsp ) zeek::BifEvent::enqueue_ssl_stapled_ocsp(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, + ${rec.is_orig} ^ flipped_, zeek::make_intrusive(response.length(), (const char*) response.data())); zeek::file_mgr->EndOfFile(file_id); @@ -515,7 +515,7 @@ refine connection Handshake_Conn += { ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm()); zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, + zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, version, zeek::make_intrusive(logid.length(), reinterpret_cast(logid.begin())), timestamp, @@ -578,7 +578,7 @@ refine connection Handshake_Conn += { %{ if ( ssl_handshake_message ) zeek::BifEvent::enqueue_ssl_handshake_message(zeek_analyzer(), - zeek_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); + zeek_analyzer()->Conn(), is_orig ^ flipped_, msg_type, to_int()(length)); return true; %} @@ -610,7 +610,7 @@ refine connection Handshake_Conn += { } zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(), - ${rec.is_orig}, std::move(slist), std::move(blist)); + ${rec.is_orig} ^ flipped_, std::move(slist), std::move(blist)); return true; %} @@ -621,7 +621,7 @@ refine connection Handshake_Conn += { return true; zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(zeek_analyzer(), - zeek_analyzer()->Conn(), ${rec.is_orig}, selected_identity); + zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, selected_identity); return true; %} 
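Review bot: In the `proc_handshake` hunk `is_orig ^ flipped_` is applied to the `ssl_handshake_message` event, but whether it already reflects a flip caused by the very message being reported depends on whether `proc_handshake` runs before or after the record body that contains `DirectionCheck` is parsed, which is not visible here. If it runs first, the handshake_message event for the flipping ClientHello is delivered with the pre-flip `is_client` while the `ssl_client_hello` and extension events for the same message carry the post-flip value. A comment stating the intended order, e.g. `// flipped_ may still change while this message's body is parsed; see DirectionCheck`, or a check of the first handshake_message in the dtls-stun baseline would settle it. The enclosing refine block continues outside the hunk.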
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 357bd77909..8cbc1ed868 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -61,7 +61,9 @@ type UnknownHandshake(hs: HandshakeRecord, is_orig: bool) = record {
 ######################################################################
 # Hello Request is empty
-type HelloRequest(rec: HandshakeRecord) = empty;
+type HelloRequest(rec: HandshakeRecord) = record {
+ direction_check : DirectionCheck(false, rec); # should be sent by responder
+};
 ######################################################################
@@ -69,6 +71,7 @@ type HelloRequest(rec: HandshakeRecord) = empty;
 ######################################################################
 type ClientHello(rec: HandshakeRecord) = record {
+ direction_check : DirectionCheck(true, rec); # should be sent by originator
 client_version : uint16;
 gmt_unix_time : uint32;
 random_bytes : bytestring &length = 28;
@@ -100,6 +103,7 @@ type ClientHelloCookie(rec: HandshakeRecord) = record {
 # TLS 1.3 server hello is different from earlier versions. Trick around a
 # bit, route 1.3 requests to a different record than earlier.
 type ServerHelloChoice(rec: HandshakeRecord) = record {
+ direction_check : DirectionCheck(false, rec); # should be sent by responder
 server_version0 : uint8;
 server_version1 : uint8;
 hello: case parsed_version of {
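Review bot: The context comment `# Hello Request is empty` above `HelloRequest` is now stale, since the type is no longer `empty` but a record whose only field runs the direction check. Suggest `# Hello Request carries no payload; the record only performs the direction check`. The three `# should be sent by ...` comments would also be clearer if they said what the first argument is, e.g. `# expected is_orig: false`, because `check_flipped` compares the argument against the raw originator flag and the current flip state rather than against a client/server role.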
@@ -140,6 +144,13 @@ type ServerHello13(rec: HandshakeRecord, server_version: uint16) = record {
 $context.connection.set_cipher(cipher_suite[0]);
 };
+# Used to check if originator/responder are reversed for this connection
+
+type DirectionCheck(desired: bool, rec: HandshakeRecord) = record {
+} &let {
+ proc : bool = $context.connection.check_flipped(desired, rec.is_orig);
+};
+
 ######################################################################
 # DTLS Hello Verify Request
 ######################################################################
@@ -785,7 +796,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 %include tls-handshake-signed_certificate_timestamp.pac
-type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
+type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
 true -> a: SupportedVersions(rec);
 false -> b: OneSupportedVersion(rec);
 }
@@ -946,9 +957,13 @@ refine connection Handshake_Conn += {
 bytestring client_random_;
 bytestring server_random_;
 uint32 gmt_unix_time_;
+ bool flipped_;
+ bool already_alerted_;
 %}
 %init{
+ flipped_ = false;
+ already_alerted_ = false;
 chosen_cipher_ = NO_CHOSEN_CIPHER;
 chosen_version_ = UNKNOWN_VERSION;
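Review bot: `bool flipped_;` and `bool already_alerted_;` are added without a comment, and the second name is misleading because it gates a weird, not an alert. Suggest `bool flipped_; // true while the responder is acting as the TLS client` and `bool already_alerted_; // SSL_unclear_connection_direction already raised for this connection`. The `DirectionCheck` record would likewise benefit from a sentence saying that it parses no bytes and exists only so its `&let` runs `check_flipped` at the point the hello is seen, which is why `SupportedVersionsSelector` can already rely on `$context.connection.flipped()` when it parses the extension.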
@@ -985,6 +1000,39 @@ refine connection Handshake_Conn += {
 return true;
 %}
+ function check_flipped(desired: bool, is_orig: bool) : bool
+ %{
+ if ( flipped_ )
+ {
+ if ( desired == is_orig )
+ {
+ // well, I guess we get to flip it back - and alert on this
+ flipped_ = false;
+ zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
+ if ( ! already_alerted_ )
+ {
+ already_alerted_ = true;
+ zeek_analyzer()->Weird("SSL_unclear_connection_direction");
+ }
+ }
+ }
+ else
+ {
+ if ( desired != is_orig )
+ {
+ flipped_ = true;
+ zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
+ }
+ }
+
+ return true;
+ %}
+
+ function flipped() : bool
+ %{
+ return flipped_;
+ %}
+
 function record_version() : uint16 %{ return record_version_; %}
 function set_record_version(version: uint16) : bool
diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac
index 00193bca72..d1ca8b973c 100644
--- a/src/analyzer/protocol/ssl/tls-handshake.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake.pac
@@ -8,6 +8,7 @@
 #include "zeek/analyzer/protocol/ssl/types.bif.h"
 #include "zeek/analyzer/protocol/ssl/events.bif.h"
+#define USE_FLIPPED
 %}
 analyzer TLSHandshake withcontext {
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout
new file mode 100644
index 0000000000..f269e6abc1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout
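Review bot: After the first flip-back `already_alerted_` suppresses the weird, but `check_flipped` keeps toggling `flipped_` on every further hello that arrives from the unexpected side, and each toggle silently re-attributes every later event, certificate file and ssl.log column to the other side (the ssl.log baseline in this commit shows subject and client_subject trading places on a flip). A peer that sends an extra hello in the wrong direction can therefore swap client/server attribution repeatedly while Zeek reports a single weird, which weakens any detection keyed on `is_client`. Consider latching once the direction has been judged unclear, e.g. `if ( already_alerted_ ) return true;` as the first statement of the function, or at least counting flips so that scripts can tell a one-off role reversal from a disputed direction. The comment `// well, I guess we get to flip it back - and alert on this` would read better as `// A hello from the side we already moved away from: revert and report the ambiguity once.`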
@@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +T, 11 +T, 10 +T, 15 +T, 14 +65279, \x8ev\xfa \xbf\x84\xd0[\xddQ\xe8\xce\xdb!\xdf\x8f\xa6kW\xc3zC\xb4\xa0z\x09o~, \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00, [49172, 49162, 57, 56, 55, 54, 136, 135, 134, 133, 49177, 58, 137, 49167, 49157, 53, 132, 49171, 49161, 51, 50, 49, 48, 154, 153, 152, 151, 69, 68, 67, 66, 49176, 52, 155, 70, 49166, 49156, 47, 150, 65, 7, 49170, 49160, 22, 19, 16, 13, 49175, 27, 49165, 49155, 10, 21, 18, 15, 12, 26, 9, 20, 17, 14, 11, 25, 8, 6, 49168, 49158, 49173, 49163, 49153, 2, 1, 255] +F, 11 +F, 14 +F, 65281 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log index 5b18ec8236..7d76058a83 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps subject issuer client_subject client_issuer sni_matches_cert #types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] string string string string bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T cSXKRNxgyiI d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=a CN=a - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T ^CsxkrnXGYIi 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f CN=a CN=a CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log index 1ceb94cfbe..4f736ee08c 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log 
@@ -7,7 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_client: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log index 0106c7ee75..33b6bf3f87 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log 
@@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_client: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
index 26e54341b3..86812170a0 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_client: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
index dd10cedbdb..4e31697647 100644
--- a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
@@ -2,6 +2,7 @@
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: touch dpd.log
 # @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff .stdout
 @load base/protocols/ssl
 @load base/frameworks/dpd
@@ -14,3 +15,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 print version, client_random, session_id, ciphers;
 }
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
+ {
+ print is_client, code;
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
index 0b45bebc02..4687077ee5 100644
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
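Review bot: The new `ssl_extension` handler in dtls-stun-dpd.test pins the corrected direction only indirectly, through the `is_client` value printed per extension, while the connection-flipped event this commit introduces is not exercised by any test in the series. Since this trace is the STUN/DTLS role-reversal case the change is written for, consider adding a handler for that new event to this test that prints something identifying the connection, so the `.stdout` baseline records that exactly one flip was detected (and that the repeated-flip weird stays absent) rather than only its side effect on `is_client`. A one-line comment above the handler, `# is_client must be T for the client hello's extensions even though the client is the responder here`, would also tell a future reader why the printed values matter. The `ssl_client_hello` handler whose closing brace this hunk shows starts outside the hunk.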
@@ -12,22 +12,22 @@ event ssl_established(c: connection)
 print "Established", c$id$orig_h, c$id$resp_h;
 }
-event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count)
+event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count)
 {
- print "Handshake", c$id$orig_h, c$id$resp_h, is_orig, msg_type, length;
+ print "Handshake", c$id$orig_h, c$id$resp_h, is_client, msg_type, length;
 }
-event ssl_change_cipher_spec(c: connection, is_orig: bool)
+event ssl_change_cipher_spec(c: connection, is_client: bool)
 {
- print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
+ print "CCS", c$id$orig_h, c$id$resp_h, is_client;
 }
-event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 {
- print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
+ print "Plaintext data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 {
- print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
+ print "Encrypted data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index 0534bd8a4f..4e5a20a2ce 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -7,12 +7,12 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x2
8\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) chain[i] = c$ssl$cert_chain[i]$x509$handle; - print is_orig, |response|; + print is_client, |response|; print x509_ocsp_verify(chain, response, SSL::root_certs); } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index e2201c3218..9c6ac0b9df 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -26,7 +26,7 @@ redef record SSL::Info += {
 ct_proofs: vector of LogInfo &default=vector();
 };
-event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
 {
 print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
 c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature);
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
index 7e34aef9ca..89df402fc9 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -5,31 +5,31 @@
 @load base/protocols/ssl
-event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
 {
 print "Curves", c$id$orig_h, c$id$resp_h;
 for ( i in curves )
 print SSL::ec_curves[curves[i]];
 }
-event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
 {
- print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+ print "Point formats", c$id$orig_h, c$id$resp_h, is_client;
 for ( i in point_formats )
 print SSL::ec_point_formats[point_formats[i]];
 }
-event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
 {
 print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
 }
-event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec)
 {
 print "server_name", c$id$orig_h, c$id$resp_h, names;
 }
-event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
+event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
 {
 print "signature_algorithm", c$id$orig_h, c$id$resp_h;
 for ( i in signature_algorithms)
@@ -38,26 +38,26 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
 }
 }
-event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
 {
 print "supported_versions", c$id$orig_h, c$id$resp_h;
 for ( i in versions )
 print SSL::version_strings[versions[i]];
 }
-event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
 {
 print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
 for ( i in modes )
 print modes[i];
 }
-event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
+event ssl_extension_pre_shared_key_client_hello(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec)
 {
 print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
 }
-event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
+event ssl_extension_pre_shared_key_server_hello(c: connection, is_client: bool, selected_identity: count)
 {
 print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
index 92c47777de..520265e4bc 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
@@ -14,8 +14,8 @@
 @load base/protocols/ssl
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
 {
- if ( ! is_orig && code == 43 )
+ if ( ! is_client && code == 43 )
 print bytestring_to_hexstr(val);
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index 875149ce80..d7424f7a65 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@@ -23,9 +23,9 @@
 redef SSL::disable_analyzer_after_detection=F;
-event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
 {
- print "key_share", c$id, is_orig;
+ print "key_share", c$id, is_client;
 for ( i in curves )
 {
 print SSL::ec_curves[curves[i]];
@@ -37,9 +37,9 @@ event ssl_established(c: connection)
 print "established", c$id;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 {
- print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
+ print "encrypted", c$id, is_client, SSL::version_strings[record_version], content_type;
 }
 event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test b/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
index 3293315723..213736f6a3 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
@@ -6,9 +6,9 @@
 redef SSL::disable_analyzer_after_detection=F;
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 {
- print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
+ print "encrypted", c$id, is_client, SSL::version_strings[record_version], content_type;
 }
 event ssl_established(c: connection)
@@ -16,7 +16,7 @@ event ssl_established(c: connection)
 print "Established!";
 }
-event ssl_probable_encrypted_handshake_message(c: connection, is_orig: bool, length: count)
+event ssl_probable_encrypted_handshake_message(c: connection, is_client: bool, length: count)
 {
- print "Probable handshake", is_orig, length;
+ print "Probable handshake", is_client, length;
 }