At the moment, SSL connections where the ssl_established event does not fire are not logged.

That means that, for example, connections that are terminated with an alert during the handshake never appear in the ssl.log. This patch changes this behavior - now all ssl connections that fire any event are logged. The protocol confirmation of the ssl analyzer is moved to the client_hello instead to the server hello. Furthermore, an additional field is added to ssl.log, which indicates if a connection has been established or not (which probably indicates a handshake problem).
2025-10-04 07:38:19 +00:00 · 2014-03-04 13:58:58 -08:00 · 2014-03-04 13:58:58 -08:00 · ea1616bed5
commit ea1616bed5
parent d6d26a3ea7
5 changed files with 39 additions and 4 deletions
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -58,6 +58,14 @@ export {
 		## to each connection.  It is not used for logging since it's a
 		## meaningless arbitrary number.
 		analyzer_id:      count            &optional;
+
+		## Flag to indicate if this ssl session has been established
+		## succesfully, or if it was aborted during the handshake.
+		established:  bool &log &default=F;
+
+		## Flag to indicate if this record already has been logged, to
+		## prevent duplicates.
+		logged:  bool  &default=F;
 	};

 	## The default root CA bundle.  By default, the mozilla-ca-list.bro
@ -127,9 +135,13 @@ function undelay_log(info: Info, token: string)

 function log_record(info: Info)
 	{
+	if ( info$logged )
+		return;
+
 	if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
 		{
 		Log::write(SSL::LOG, info);
+		info$logged = T;
 		}
 	else
 		{
@ -151,6 +163,7 @@ function finish(c: connection)
 	log_record(c$ssl);
 	if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
 		disable_analyzer(c$id, c$ssl$analyzer_id);
+		delete c$ssl$analyzer_id;
 	}

 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
@ -231,6 +244,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 event ssl_established(c: connection) &priority=5
 	{
 	set_session(c);
+	c$ssl$established = T;
 	}

 event ssl_established(c: connection) &priority=-5
@ -238,12 +252,21 @@ event ssl_established(c: connection) &priority=-5
 	finish(c);
 	}

+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$ssl )
+		# called in case a SSL connection that has not been established terminates
+		finish(c);
+	}
+
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
-	# Check by checking for existence of c$ssl record.
-	if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
+	if ( atype == Analyzer::ANALYZER_SSL ) 
+		{
+		set_session(c);
 		c$ssl$analyzer_id = aid;
 		}
+	}

 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                         reason: string) &priority=5
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@ -160,6 +160,8 @@ refine connection SSL_Conn += {
 		%{
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+		else
+			bro_analyzer()->ProtocolConfirmation();

 		if ( ssl_client_hello )
 			{
@ -198,8 +200,6 @@ refine connection SSL_Conn += {
 		%{
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
-		else
-			bro_analyzer()->ProtocolConfirmation();

 		if ( ssl_server_hello )
 			{
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-03-04-21-57-58
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	-	-	-	handshake_failure	-	-	F
+#close	2014-03-04-21-57-58
--- a/testing/btest/Traces/tls-1.2-handshake-failure.trace
+++ b/testing/btest/Traces/tls-1.2-handshake-failure.trace
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log