Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

SSL Analyzer: track connection direction by messages

Browse source 
This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
This commit is contained in:
Johanna Amann 2022-06-24 19:27:13 +02:00 committed by Johanna Amann
parent a7aa345c76
commit e14eddeb97
30 changed files with 344 additions and 179 deletions
Download patch file Download diff file Expand all files Collapse all files

8
testing/btest/scripts/base/protocols/ssl/tls13.test
View file

@ -23,9 +23,9 @@
redef SSL::disable_analyzer_after_detection=F;
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{
print "key_share", c$id, is_orig;
print "key_share", c$id, is_client;
for ( i in curves )
{
print SSL::ec_curves[curves[i]];
@ -37,9 +37,9 @@ event ssl_established(c: connection)
print "established", c$id;
}
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
print "encrypted", c$id, is_client, SSL::version_strings[record_version], content_type;
}
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5