Add compression methods to ssl_client_hello event.

This change adds compression methods to the ssl_client_hello event. It not being included was an oversight from a long time ago. This change means that the signature of ssl_client_hello changes slightly and scripts will have to be adjusted; since this is a commonly used event, the impact of it might be higher than usually for event changes.
2025-10-02 14:48:21 +00:00 · 2017-02-03 11:48:55 -08:00 · 2017-02-03 11:48:55 -08:00 · f721c74bad
commit f721c74bad
parent 9db27a6d60
11 changed files with 43 additions and 13 deletions
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -177,7 +177,7 @@ function finish(c: connection, remove_analyzer: bool)
 		}
 	}

-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
 	{
 	set_session(c);

--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -24,10 +24,13 @@
 ##          standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
+## comp_methods: The list of compression methods that the client offered to use.
+##               This value is not sent in TLSv1.3 or SSLv2.
+##
 ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate ssl_handshake_message
 ##    ssl_change_cipher_spec
-event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%);
+event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);

 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
 ## start with an unencrypted handshake, and Bro extracts as much information out
@ -59,7 +62,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##
 ## comp_method: The compression method chosen by the client. The values are
 ##              standardized as part of the SSL/TLS protocol. This value is not
-##              sent in TLSv1.3.
+##              sent in TLSv1.3 or SSLv2.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
--- a/src/analyzer/protocol/ssl/proc-client-hello.pac
+++ b/src/analyzer/protocol/ssl/proc-client-hello.pac
@ -3,7 +3,8 @@
 					client_random : bytestring,
 					session_id : uint8[],
 					cipher_suites16 : uint16[],
-					cipher_suites24 : uint24[]) : bool
+					cipher_suites24 : uint24[],
+					compression_methods: uint8[]) : bool
 		%{
 		if ( ! version_ok(version) )
 			{
@ -28,11 +29,21 @@
 				cipher_vec->Assign(i, ciph);
 				}

+			VectorVal* comp_vec = new VectorVal(internal_type("index_vec")->AsVectorType());
+			if ( compression_methods )
+				{
+				for ( unsigned int i = 0; i < compression_methods->size(); ++i )
+					{
+					Val* comp = new Val((*compression_methods)[i], TYPE_COUNT);
+					comp_vec->Assign(i, comp);
+					}
+				}
+
 			BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
 							version, ts, new StringVal(client_random.length(),
 							(const char*) client_random.data()),
 							to_string_val(session_id),
-							cipher_vec);
+							cipher_vec, comp_vec);

 			delete cipher_suites;
 			}
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@ -38,7 +38,7 @@ refine typeattr V2Error += &let {

 refine typeattr V2ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(client_version, 0,
-				challenge, session_id, 0, ciphers);
+				challenge, session_id, 0, ciphers, 0);
 };

 refine typeattr V2ServerHello += &let {
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -257,7 +257,7 @@ refine connection Handshake_Conn += {
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(client_version,
 				gmt_unix_time, random_bytes,
-				session_id, csuits, 0);
+				session_id, csuits, 0, cmeths);
 };

 refine typeattr ServerHello += &let {
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.comp_methods/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.comp_methods/.stdout
@ -0,0 +1,2 @@
+[1, 0]
+0
--- a/testing/btest/scripts/base/protocols/ssl/comp_methods.test
+++ b/testing/btest/scripts/base/protocols/ssl/comp_methods.test
@ -0,0 +1,14 @@
+# This tests that the values sent for compression methods are correct.
+
+# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+	{
+	print comp_methods;
+	}
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+	{
+	print comp_method;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@ -13,7 +13,7 @@ event bro_init()
 	print "Start test run";
 	}

-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
 	{
 	print "Client hello", c$id$orig_h, c$id$resp_h, version;
 	}
--- a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
@ -3,7 +3,7 @@
 # @TEST-EXEC: touch dpd.log
 # @TEST-EXEC: btest-diff dpd.log

-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
 	print version, client_random, session_id, ciphers;
 	}
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test
@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
 	print fmt("Got %d cipher suites", |ciphers|);
 	for ( i in ciphers )
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
 	print client_random;
 	}