Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

SSL: Fix logging of Hello Retry Requests

Browse source 
It turns out that we never logged hello retry requests correctly in the
ssl_history field.

Hello retry requests are (in their final version) signaled by a specific
random value in the server random.

This commit fixes this oversight, and hello retry requests are now
correctly logged as such.
This commit is contained in:
Johanna Amann 2023-05-03 13:34:48 +01:00
parent cc25129b2f
commit e7c9fa1f6e
2 changed files with 16 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/ssl/main.zeek
View file

@ -68,6 +68,9 @@ export {
## Flag to indicate if this record already has been logged, to
## prevent duplicates.
logged: bool &default=F;
## Flag to indicate that we have seen a Hello Retry request message.
## Used internally for ssl_history logging
hrr_seen: bool &default=F;
## SSL history showing which types of packets we received in which order.
## Letters have the following meaning with client-sent letters being capitalized:
@ -283,6 +286,10 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
}
c$ssl$cipher = cipher_desc[cipher];
# Check if this is a hello retry request. A magic value in the random is used to signal this
if ( server_random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" )
c$ssl$hrr_seen = T;
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
c$ssl$resumed = T;
}
@ -360,6 +367,13 @@ event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, len
add_to_history(c, is_client, "c");
break;
case SSL::SERVER_HELLO:
if ( c$ssl$hrr_seen )
{
# the server_hello event is raised first, and sets the flag
add_to_history(c, is_client, "j");
c$ssl$hrr_seen = F;
}
else
add_to_history(c, is_client, "s");
break;
case SSL::HELLO_VERIFY_REQUEST:

2
testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
View file

@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.178.80 54220 174.138.9.219 443 TLSv1
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert
#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - F - - T CsiICs - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - F - - T CjiICs - - -
#close XXXX-XX-XX-XX-XX-XX