Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

SSL Analyzer: track connection direction by messages

Browse source 
This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
This commit is contained in:
Johanna Amann 2022-06-24 19:27:13 +02:00 committed by Johanna Amann
parent a7aa345c76
commit e14eddeb97
30 changed files with 344 additions and 179 deletions
Download patch file Download diff file Expand all files Collapse all files

32
scripts/policy/protocols/ssl/ssl-log-ext.zeek
View file

@ -73,12 +73,12 @@ event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, t
c$ssl$ticket_lifetime_hint = ticket_lifetime_hint;
}
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{
if ( ! c?$ssl )
return;
if ( is_orig )
if ( is_client )
{
if ( ! c$ssl?$ssl_client_exts )
c$ssl$ssl_client_exts = vector();
@ -92,28 +92,28 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
}
}
event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
{
if ( ! c?$ssl || ! is_orig )
if ( ! c?$ssl || ! is_client )
return;
c$ssl$point_formats = point_formats;
}
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
{
if ( ! c?$ssl || ! is_orig )
if ( ! c?$ssl || ! is_client )
return;
c$ssl$client_curves = curves;
}
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec)
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec)
{
if ( ! c?$ssl )
return;
if ( is_orig )
if ( is_client )
c$ssl$orig_alpn = names;
}
@ -126,39 +126,39 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
c$ssl$dh_param_size = key_length;
}
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{
if ( ! c?$ssl )
return;
if ( is_orig )
if ( is_client )
c$ssl$client_supported_versions = versions;
else
c$ssl$server_supported_version = versions[0];
}
event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
{
if ( ! c?$ssl || ! is_orig )
if ( ! c?$ssl || ! is_client )
return;
c$ssl$psk_key_exchange_modes = modes;
}
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{
if ( ! c?$ssl )
return;
if ( is_orig )
if ( is_client )
c$ssl$client_key_share_groups = curves;
else
c$ssl$server_key_share_group = curves[0];
}
event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)
event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec)
{
if ( ! c?$ssl || ! is_orig )
if ( ! c?$ssl || ! is_client )
return;
local sigalgs: index_vec = vector();