Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add DH support to SSL analyzer.

Browse source 
When using DHE or DH-Anon, sever key parameters are now available
in scriptland.

Also add script to alert on weak certificate keys or weak dh-params.
This commit is contained in:
Bernhard Amann 2014-04-26 23:48:47 -07:00
parent b1a2bccdc7
commit fb56b22cff
12 changed files with 288 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout Normal file
View file

@ -0,0 +1 @@
key length in bits, 1024

10
testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-04-27-00-52-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - -
#close 2014-04-27-00-52-03

8
testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-04-26-16-45-23
#open 2014-04-27-06-48-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
#close 2014-04-26-16-45-23
1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
#close 2014-04-27-06-48-05

12
testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-04-27-06-41-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2014-04-27-06-41-50

BIN
testing/btest/Traces/tls/dhe.pcap Normal file
View file

Binary file not shown.

8
testing/btest/scripts/base/protocols/ssl/dhe.test Normal file
View file

@ -0,0 +1,8 @@
# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff ssl.log
event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
{
print "key length in bits", |Ys|*8;
}

8
testing/btest/scripts/policy/protocols/ssl/weak-keys.bro Normal file
View file

@ -0,0 +1,8 @@
# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: mv notice.log notice-1.log
# @TEST-EXEC: btest-diff notice-1.log
@load protocols/ssl/weak-keys
redef SSL::notify_weak_keys = ALL_HOSTS;
redef SSL::notify_minimal_key_length = 4096;