Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SSL Analyzer: track connection direction by messages

Browse source 
This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
This commit is contained in:
Johanna Amann 2022-06-24 19:27:13 +02:00 committed by Johanna Amann
parent a7aa345c76
commit e14eddeb97
30 changed files with 344 additions and 179 deletions
Download patch file Download diff file Expand all files Collapse all files

2
testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps subject issuer client_subject client_issuer sni_matches_cert
#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] string string string string bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T cSXKRNxgyiI d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=a CN=a -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T ^CsxkrnXGYIi 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f CN=a CN=a CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US -
#close XXXX-XX-XX-XX-XX-XX