Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

At the moment, SSL connections where the ssl_established event does not fire are not logged.

Browse source 
That means that, for example, connections that are terminated with an alert during the
handshake never appear in the ssl.log.

This patch changes this behavior - now all ssl connections that fire any event are logged.

The protocol confirmation of the ssl analyzer is moved to the client_hello instead to
the server hello. Furthermore, an additional field is added to ssl.log, which indicates
if a connection has been established or not (which probably indicates a handshake problem).
This commit is contained in:
Bernhard Amann 2014-03-04 13:58:58 -08:00
parent d6d26a3ea7
commit ea1616bed5
5 changed files with 39 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

27
scripts/base/protocols/ssl/main.bro
View file

@ -58,6 +58,14 @@ export {
## to each connection. It is not used for logging since it's a ## to each connection. It is not used for logging since it's a
## meaningless arbitrary number. ## meaningless arbitrary number.
analyzer_id: count &optional; analyzer_id: count &optional;
## Flag to indicate if this ssl session has been established
## succesfully, or if it was aborted during the handshake.
established: bool &log &default=F;
## Flag to indicate if this record already has been logged, to
## prevent duplicates.
logged: bool &default=F;
}; };
## The default root CA bundle. By default, the mozilla-ca-list.bro ## The default root CA bundle. By default, the mozilla-ca-list.bro
@ -127,9 +135,13 @@ function undelay_log(info: Info, token: string)
function log_record(info: Info) function log_record(info: Info)
{ {
if ( info$logged )
return;
if ( ! info?$delay_tokens || |info$delay_tokens| == 0 ) if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
{ {
Log::write(SSL::LOG, info); Log::write(SSL::LOG, info);
info$logged = T;
} }
else else
{ {
@ -151,6 +163,7 @@ function finish(c: connection)
log_record(c$ssl); log_record(c$ssl);
if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id ) if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
disable_analyzer(c$id, c$ssl$analyzer_id); disable_analyzer(c$id, c$ssl$analyzer_id);
delete c$ssl$analyzer_id;
} }
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
@ -231,6 +244,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
event ssl_established(c: connection) &priority=5 event ssl_established(c: connection) &priority=5
{ {
set_session(c); set_session(c);
c$ssl$established = T;
} }
event ssl_established(c: connection) &priority=-5 event ssl_established(c: connection) &priority=-5
@ -238,11 +252,20 @@ event ssl_established(c: connection) &priority=-5
finish(c); finish(c);
} }
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ssl )
# called in case a SSL connection that has not been established terminates
finish(c);
}
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
{ {
# Check by checking for existence of c$ssl record. if ( atype == Analyzer::ANALYZER_SSL )
if ( c?$ssl && atype == Analyzer::ANALYZER_SSL ) {
set_session(c);
c$ssl$analyzer_id = aid; c$ssl$analyzer_id = aid;
}
} }
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,

4
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -160,6 +160,8 @@ refine connection SSL_Conn += {
%{ %{
if ( ! version_ok(version) ) if ( ! version_ok(version) )
bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version)); bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
else
bro_analyzer()->ProtocolConfirmation();
if ( ssl_client_hello ) if ( ssl_client_hello )
{ {
@ -198,8 +200,6 @@ refine connection SSL_Conn += {
%{ %{
if ( ! version_ok(version) ) if ( ! version_ok(version) )
bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version)); bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
else
bro_analyzer()->ProtocolConfirmation();
if ( ssl_server_hello ) if ( ssl_server_hello )
{ {

10
testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-03-04-21-57-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
#types time string addr port addr port string string string string string string time time string string string bool
1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - - - - handshake_failure - - F
#close 2014-03-04-21-57-58

BIN
testing/btest/Traces/tls-1.2-handshake-failure.trace Normal file
View file

Binary file not shown.

2
testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test Normal file
View file

@ -0,0 +1,2 @@
# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
# @TEST-EXEC: btest-diff ssl.log