From fe4e06e8ca80e3bf98cc7f2dce9fb57495b0db49 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 19 Oct 2021 17:28:59 +0200 Subject: [PATCH] TLS decryption: remove payload from ssl_encrypted_data again. There is no reason to make the payload available in the event - it is still encrypted. --- scripts/policy/protocols/ssl/decryption.zeek | 2 +- scripts/policy/protocols/ssl/heartbleed.zeek | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +--- src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac | 3 +-- .../scripts.policy.misc.dump-events/really-all-events.log | 2 -- .../btest/scripts/base/protocols/ssl/handshake-events.test | 2 +- testing/btest/scripts/base/protocols/ssl/tls13.test | 2 +- .../base/protocols/ssl/tls13_encrypted_handshake_events.test | 2 +- 8 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/scripts/policy/protocols/ssl/decryption.zeek b/scripts/policy/protocols/ssl/decryption.zeek
index 766bb4d940..a8bb7e52e9 100644
--- a/scripts/policy/protocols/ssl/decryption.zeek
+++ b/scripts/policy/protocols/ssl/decryption.zeek
@@ -77,7 +77,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 }
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 if ( c$ssl?$client_random )
 {
diff --git a/scripts/policy/protocols/ssl/heartbleed.zeek b/scripts/policy/protocols/ssl/heartbleed.zeek
index 40bc800b8c..aabafbff14 100644
--- a/scripts/policy/protocols/ssl/heartbleed.zeek
+++ b/scripts/policy/protocols/ssl/heartbleed.zeek
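Review bot: The handler body goes straight to `c$ssl?$client_random` without first checking that `c$ssl` itself is set, whereas the heartbleed.zeek handler changed in this same patch guards with `if ( !c?$ssl ) return;` before touching the record. If `c$ssl` can ever be absent when `ssl_encrypted_data` fires, the `?$` on the inner field does not help — the outer field access raises a runtime error and the handler aborts. Unless the base SSL scripts guarantee the field is populated by then, add the same guard as the first statement: `if ( !c?$ssl ) return;`. The handler body continues past the end of the hunk.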
@@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 }
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 if ( !c?$ssl )
 return;
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 9192babfdf..25bc34398b 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -558,11 +558,9 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ##
 ## length: length of the entire message.
 ##
-## payload: encrypted payload of the SSL/TLS message
-##
 ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
-event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 ## This event is generated for application data records of TLS 1.3 connections of which
 ## we suspect that they contain handshake messages.
diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
index 8cb076ad6b..c3cc45e6ad 100644
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
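Review bot: The doc comment above the `ssl_encrypted_data` declaration now only lists the remaining parameters, so the reason the payload is withheld survives solely in the commit message; a script author reading this event cannot tell whether the omission is deliberate. Add one line to the comment block, e.g. `## Note that the record payload is intentionally not passed to this event, as it is still encrypted at this point.` Dropping a parameter also changes the event prototype, so external scripts that still declare a handler with `payload: string` will presumably fail to load; if the project keeps a NEWS or changelog file, a short entry naming the removed parameter would help downstream users.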
@@ -64,8 +64,7 @@ refine connection SSL_Conn += {
 if ( ssl_encrypted_data )
 {
 zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
- zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length},
- zeek::make_intrusive(cont.length(), (const char*) cont.data()));
+ zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
 if (rec->content_type() == APPLICATION_DATA)
 {
 zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.data(), rec->is_orig(), rec->content_type(), rec->raw_tls_version());
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
index a2360dbd29..3836b0306c 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
@@ -9079,7 +9079,6 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
 [2] record_version: count = 771
 [3] content_type: count = 22
 [4] length: count = 32
- [5] payload: string = \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 XXXXXXXXXX.XXXXXX raw_packet
 [0] p: raw_pkt_hdr = [l2=[encap=LINK_ETHERNET, len=91, cap_len=91, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=, icmp=]
@@ -9177,7 +9176,6 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
 [2] record_version: count = 771
 [3] content_type: count = 22
 [4] length: count = 32
- [5] payload: string = Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 XXXXXXXXXX.XXXXXX raw_packet
 [0] p: raw_pkt_hdr = [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=, icmp=]
diff --git a/testing/btest/scripts/base/protocols/ssl/handshake-events.test b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
index 0c694bfaa1..0b45bebc02 100644
--- a/testing/btest/scripts/base/protocols/ssl/handshake-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/handshake-events.test
@@ -27,7 +27,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index f1f03cd5df..875149ce80 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@@ -37,7 +37,7 @@ event ssl_established(c: connection)
 print "established", c$id;
 }
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test b/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
index 08936cee56..3293315723 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
@@ -6,7 +6,7 @@
 redef SSL::disable_analyzer_after_detection=F;
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 }