mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
SSL Analyzer: track connection direction by messages
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
This commit is contained in:
Johanna Amann
Johanna Amann
parent
a7aa345c76
commit
e14eddeb97
30 changed files with 344 additions and 179 deletions
|
|
@ -79,7 +79,7 @@ event zeek_init()
|
|||
min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
|
||||
}
|
||||
|
||||
event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
|
||||
event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
|
||||
{
|
||||
if ( ! c?$ssl )
|
||||
return;
|
||||
|
|
@ -97,7 +97,7 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
|
|||
$identifier=cat(c$uid, length, payload_length)
|
||||
]);
|
||||
}
|
||||
else if ( is_orig )
|
||||
else if ( is_client )
|
||||
{
|
||||
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
|
||||
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
|
||||
|
|
@ -118,9 +118,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
||||
event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
|
||||
{
|
||||
if ( is_orig )
|
||||
if ( is_client )
|
||||
++c$ssl$originator_heartbeats;
|
||||
else
|
||||
++c$ssl$responder_heartbeats;
|
||||
|
|
@ -129,14 +129,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
|
||||
if ( c$ssl$enc_appdata_packages == 0 )
|
||||
NOTICE([$note=SSL_Heartbeat_Attack,
|
||||
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
|
||||
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
|
||||
$conn=c,
|
||||
$n=length,
|
||||
$identifier=fmt("%s%s", c$uid, "early")
|
||||
]);
|
||||
else if ( duration < 1min )
|
||||
NOTICE([$note=SSL_Heartbeat_Attack,
|
||||
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration),
|
||||
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
|
||||
$conn=c,
|
||||
$n=length,
|
||||
$identifier=fmt("%s%s", c$uid, "early")
|
||||
|
|
@ -158,7 +158,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
|
||||
]);
|
||||
|
||||
if ( is_orig && length < 19 )
|
||||
if ( is_client && length < 19 )
|
||||
NOTICE([$note=SSL_Heartbeat_Odd_Length,
|
||||
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
|
||||
$conn=c,
|
||||
|
|
@ -192,7 +192,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
|
||||
}
|
||||
|
||||
if ( is_orig )
|
||||
if ( is_client )
|
||||
{
|
||||
if ( c$ssl?$last_responder_heartbeat_request_size )
|
||||
{
|
||||
|
|
@ -223,13 +223,13 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
}
|
||||
}
|
||||
|
||||
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
|
||||
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
|
||||
{
|
||||
if ( !c?$ssl )
|
||||
return;
|
||||
|
||||
if ( content_type == SSL::HEARTBEAT )
|
||||
event ssl_encrypted_heartbeat(c, is_orig, length);
|
||||
event ssl_encrypted_heartbeat(c, is_client, length);
|
||||
else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
|
||||
{
|
||||
++c$ssl$enc_appdata_packages;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue