From ea1616bed5da03690bf15a8c9f46d0e23122aea9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Tue, 4 Mar 2014 13:58:58 -0800
Subject: [PATCH] At the moment, SSL connections where the ssl_established event does not fire are not logged. That means that, for example, connections that are terminated with an alert during the handshake never appear in the ssl.log. This patch changes this behavior - now all ssl connections that fire any event are logged. The protocol confirmation of the ssl analyzer is moved to the client_hello instead to the server hello. Furthermore, an additional field is added to ssl.log, which indicates if a connection has been established or not (which probably indicates a handshake problem).
---
scripts/base/protocols/ssl/main.bro | 27 ++++++++++++++++--
src/analyzer/protocol/ssl/ssl-analyzer.pac | 4 +--
.../ssl.log | 10 +++++++
.../Traces/tls-1.2-handshake-failure.trace | Bin 0 -> 1131 bytes
.../ssl/tls-1.2-handshake-failure.test | 2 ++
5 files changed, 39 insertions(+), 4 deletions(-)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
create mode 100644 testing/btest/Traces/tls-1.2-handshake-failure.trace
create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 3958a90fa2..b8a5fdd275 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -58,6 +58,14 @@ export {
 ## to each connection. It is not used for logging since it's a
 ## meaningless arbitrary number.
 analyzer_id: count &optional;
+
+ ## Flag to indicate if this ssl session has been established
+ ## succesfully, or if it was aborted during the handshake.
+ established: bool &log &default=F;
+
+ ## Flag to indicate if this record already has been logged, to
+ ## prevent duplicates.
+ logged: bool &default=F;
 };
 
 ## The default root CA bundle. By default, the mozilla-ca-list.bro
@@ -127,9 +135,13 @@ function undelay_log(info: Info, token: string)
 
 function log_record(info: Info)
 {
+ if ( info$logged )
+ return;
+
 if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
 {
 Log::write(SSL::LOG, info);
+ info$logged = T;
 }
 else
 {
@@ -151,6 +163,7 @@ function finish(c: connection)
 log_record(c$ssl);
 if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
 disable_analyzer(c$id, c$ssl$analyzer_id);
+ delete c$ssl$analyzer_id;
 }
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
@@ -231,6 +244,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 event ssl_established(c: connection) &priority=5
 {
 set_session(c);
+ c$ssl$established = T;
 }
 
 event ssl_established(c: connection) &priority=-5
@@ -238,11 +252,20 @@ event ssl_established(c: connection) &priority=-5
 finish(c);
 }
 
+event connection_state_remove(c: connection) &priority=-5
+ {
+ if ( c?$ssl )
+ # called in case a SSL connection that has not been established terminates
+ finish(c);
+ }
+
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 {
- # Check by checking for existence of c$ssl record.
- if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
+ if ( atype == Analyzer::ANALYZER_SSL )
+ {
+ set_session(c);
 c$ssl$analyzer_id = aid;
+ }
 }
 
 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
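Review bot: The new doc comment on `established` misspells "successfully"; the line should read `## successfully, or if it was aborted during the handshake.`. It would also help readers of ssl.log if that comment said the field stays `F` for every session that never reaches `ssl_established`, since such sessions are now logged instead of dropped. The `export { ... }` record this hunk edits starts outside the hunk.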
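Review bot: `info$logged = T` is set only on the immediate `Log::write` branch of `log_record`; a record that takes the `else` (delayed) branch, whose body continues outside the hunk, is not marked here, so if the delayed path writes through another route without setting the flag, the second `finish()` that `connection_state_remove` now triggers after `ssl_established` could re-enter the delay logic — worth confirming against the rest of the function. Either way the early return needs a why-comment, because the guard only makes sense together with the new `connection_state_remove` handler: `# finish() may now run twice per session (ssl_established and connection_state_remove); write the record once.`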
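Review bot: `delete c$ssl$analyzer_id;` runs unconditionally and without a comment, so its purpose — making `c$ssl?$analyzer_id` false so that a later `finish()` from `connection_state_remove` does not call `disable_analyzer` a second time — has to be reconstructed from the other hunks; suggest `# Drop the id so a second finish() (connection_state_remove) does not disable the analyzer twice.` above it. Since both `log_record(c$ssl)` and this `delete` already assume `c$ssl` is set, the `c?$ssl` test in the condition just above is now redundant and could be dropped for consistency. `finish` starts before this hunk.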
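Review bot: In `connection_state_remove` the comment sits between `if ( c?$ssl )` and its body `finish(c)`, which reads as if the comment were the branch; move it above the `if` and fix the article, e.g. `# Finish sessions that never reached ssl_established, so aborted handshakes are still logged.`. Because `protocol_confirmation` now calls `set_session(c)` for every SSL confirmation, `c$ssl` exists for any connection whose originator sent an acceptable client hello, so this handler emits an `established=F` row for those regardless of what the responder did — a useful visibility gain for aborted handshakes, but worth stating in the comment so the field is not read as "the server failed TLS". The `c$ssl$established = T` in the `ssl_established` hunk above is the only place the flag is set, which is consistent with that reading.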
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 280f3a2d32..a877514127 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -160,6 +160,8 @@ refine connection SSL_Conn += {
 %{
 if ( ! version_ok(version) )
 bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+ else
+ bro_analyzer()->ProtocolConfirmation();
 
 if ( ssl_client_hello )
 {
@@ -198,8 +200,6 @@ refine connection SSL_Conn += {
 %{
 if ( ! version_ok(version) )
 bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
- else
- bro_analyzer()->ProtocolConfirmation();
 
 if ( ssl_server_hello )
 {
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
new file mode 100644
index 0000000000..92d7e3a1ab
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-03-04-21-57-58
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
+#types time string addr port addr port string string string string string string time time string string string bool
+1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - - - - handshake_failure - - F
+#close 2014-03-04-21-57-58
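Review bot: Moving `ProtocolConfirmation()` into the client-hello handler is explained only in the commit message; the code should carry the reason, e.g. `// Confirm on the client hello so handshakes aborted before a server hello still reach ssl.log.` above the new `else`. Confirmation is now driven by a single originator-sent message, so any connection whose client offers an acceptable version gets the SSL analyzer attached (and, on the script side, an `established=F` log row) whether or not the responder ever answers with TLS — that is the intended visibility gain, but it belongs in a comment where the confirmation is made so the log field is interpreted correctly. If `ProtocolConfirmation()` is not a no-op after the first call, it is now invoked on every client hello seen on the connection (e.g. on renegotiation), which is worth checking against the analyzer base class. The enclosing `%{ ... %}` handler starts outside the hunk; the second hunk is the mirror-image removal on the server-hello side.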
diff --git a/testing/btest/Traces/tls-1.2-handshake-failure.trace b/testing/btest/Traces/tls-1.2-handshake-failure.trace new file mode 100644 index 0000000000000000000000000000000000000000..aecda8cb9b8fd56f59293fa511346ce4eae43710 GIT binary patch literal 1131 zcmaKqPiPZC6vn@q*{pHXYLc2XreK3oO)(;-D~b^sO@y{WpeTr<2Njf7#FKbYiQqv| z!HSKDViZBEV3DF;st{WXMG&mi9t02m!Gel87!(AJ?`^O#+0catJF_#t_wDz+$8a^+Ck8_MI-Yksu?dJzZjU3b??0X!(E7WMInRgh%VP0l0+5>Hflx{l!fC{g{G8@*nk>=fZx^~~%~j%-dRX-J##3Omezb|n z+(8Ua_}*owmQ#nm>)u0*y3LMlto!@fD&2iV zkEGq9X!{p(prkj?WF{W^<3fR8TsGpT<|j;SI$V<&2t_YGtR(uCz&$egj#77TKKjs- zy}J8b>)Vgv(CsysFReK6BRKMT?T!oMUv~|z1iU$SPS5#ruAD#&lENuUx_b~VXbM8Y zfQcyPp&koquMPpsr9D3y;e?JkSO6d8>wp&xbXh`SKHTtN3H?evLRh2=UFymq9MVBa zX;M>4D5;bbQc6B81bcABTQ}pXEicm;vGQ76l~*Jg>`kQIGPCn#$pdmUMOo#Uc#Vji zq=L&vj2WXAF<6rrkeT4)N}^9GNEv2uc6O=HEO4j_+-6Djkks)?FcXXa5p4rto=))q z4E0wIKyQLZs*Of!ReS5q02J5&CN?yb?X(luy