Move from using CCS (before: established) to just doing certificate
validation at the end of the connection.
This is (again) more robust in the case of aborted connection. I am
moving this into a hook because of the complexity of the
end-of-connection handling for SSL.
This should probably be extended to not just handle SSL validation, but
all other logging constructs that are currently called in _established.
The dpd signature missed a few cases that are used for TLS 1.3,
especially when draft versions (which are all that we are seeing at the
moment) are being negotiated.
This fix mostly allows draft versions in the server hello (identified by
7F[version]; since we do not know how many drafts there will be, we are
currently allowing a rather safe upper limit.
This commit add the table SSL::ct_logs to Bro. This table is populated
with information about the currently active certificate transparency
logs (data from Google). The data can, e.g., be used to identify which
Logs are being used in SCTs.
- This fixes BIT-1769 by logging all requests even in the absence of a
reply. The way that request and replying matching were being handled
was restructured to mostly ignore the transaction ids because they
aren't that helpful for network monitoring and it makes the script
structure more complicated.
- Add `framed_addr` field to the radius log to indicate if the radius
server is hinting at an address for the client.
- Add `ttl` field to indicate how quickly the radius server is replying
to the network access server.
- Fix a bunch of indentation inconsistencies.
Re-enable logging, now in policy because it probably is interesting to
no-one. We also only log ocsp replies.
Fix all tests.
Fix an issue where ocsp replies were added to the x.509 certificate
list.
This makes it much easier for protocols where the mime type is known in
advance like, for example, TLS. We now do no longer have to perform deep
script-level magic.
This event is the replacement for ssl_application_data, which is removed
in the same commit. It is more generic, containing more information than
ssl_application_dataand is raised for all SSL/TLS messages that are
exchanged before encryption starts.
It is used by Bro internally to determine when a TLS1.3 session has been
completely established. Apart from that, it can be used to, e.g.,
determine the record layer TLS version.
This change adds compression methods to the ssl_client_hello event. It
not being included was an oversight from a long time ago.
This change means that the signature of ssl_client_hello changes
slightly and scripts will have to be adjusted; since this is a commonly
used event, the impact of it might be higher than usually for event
changes.
Moved the definitions of DCE_RPC::BackingState and DCE_RPC::State types
into the export block. These types are used in the redef of the
"connection" record.
* origin/topic/seth/smb-auth-fixes:
Disable SMB2 error data parsing.
Removed some files that aren't being used.
Fix SMB tree connect handling.
Fix a small issue where DCE_RPC commands were improperly being logged.
SMB fixes and cleanup.
Including a test for raw NTLM in SMB
Updates for SMB auth handling from Martin van Hensbergen.
BIT-1721 #merged
SMB error handling improved. The analyzer isn't destroyed when a problem
is encoutered anymore. The flowbuffer in the parser is now flushed and
the analyzer is set to resync against an SMB command. This was needed
because there is some state about open files that is kept within the
parser itself which was being destroyed and that was causing analysis
after content gaps or parse errors to be faulty. The new mechanism
doesn't detroy the parser so parsing after gaps is improved.
DCE_RPC handling in SMB is improved in the edge case where a drive
mapping isn't seen. There is a new const named SMB::pipe_filenames
which is used as a heuristic for identifying "files" opened on named
pipe shares. If the share mapping type isn't known and a filename
in this set is found, the share type will change to "PIPE" by
generating an event named "smb_pipe_connect_heuristic". Reads and
writes to that file will be sent to the DCE_RPC analyzer instead of
to the files framework.
The concept of "unknown" share types has been removed due to the new
heuristic detection of share types.
Some general clean up of how the SMB cmd log is written and when.
- The logic for fragment handling has been rewritten and should be correct now.
- There are now tunables for fragment handling overflow situations.
- DCE_RPC::max_cmd_reassembly and DCE_RPC::max_frag_data
- They result in weirds and analyzer removal.
- Memory leak fixed by unique_ptr auto cleanup.
- DCE_RPC is now intolerate of content gaps and will stop
analyzing traffic if content gaps happen (like most other analyzers currently).
* origin/topic/vladg/bit-1641:
Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
Clean up the logic for ssh_auth_failed. Addresses BIT-1641
Update baselines for adding a field to ssh.log as part of BIT-1641
Script-land changes for BIT-1641.
Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
Revert "Fixing duplicate SSH authentication failure events."
Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.
I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).
Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.
BIT-1641 #merged
BIT-1727 #merged
* origin/topic/johanna/tls13:
Better way to deal with overloaded Assign constructors.
A few tabbing fixes in TLS 1.3 support
TLS 1.3 support.
- DCE_RPC fragmentation handling returns!
- Fixed some general parsing issues
- Fixed an issue with the DCE_RPC signature not working for IPv6 connections.
We could actually already see these in traffic with people that use and
enabled them in chrome canary / firefox nightly builds. This change
includes the re-naming of a few names that were never formalli assigned
yet.
