SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
2025-10-02 22:58:20 +00:00 · 2022-06-24 19:27:13 +02:00 · 2022-06-24 19:27:13 +02:00 · e14eddeb97
commit e14eddeb97
parent a7aa345c76
30 changed files with 344 additions and 179 deletions
--- a/scripts/policy/protocols/ssl/validate-ocsp.zeek
+++ b/scripts/policy/protocols/ssl/validate-ocsp.zeek
@ -31,7 +31,7 @@ export {
 # certificate chain is seen.
 global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;

-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3
 	{
 	c$ssl$ocsp_response = response;
 	}