mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
f6615753f1
The previous fix also made it clear that the ssl_history field may grow unbounded via the ssl_alert event. Prevent by capping using a configurable limit (default 100) and raise a weird once reached.
546 lines
16 KiB
Text
546 lines
16 KiB
Text
##! Base SSL analysis script. This script logs information about the SSL/TLS
|
|
##! handshaking and encryption establishment process.
|
|
|
|
@load base/frameworks/notice/weird
|
|
@load ./consts
|
|
@load base/protocols/conn/removal-hooks
|
|
|
|
module SSL;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
global log_policy: Log::PolicyHook;
|
|
|
|
## The record type which contains the fields of the SSL log.
|
|
type Info: record {
|
|
## Time when the SSL connection was first detected.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## Numeric SSL/TLS version that the server chose.
|
|
version_num: count &optional;
|
|
## SSL/TLS version that the server chose.
|
|
version: string &log &optional;
|
|
## SSL/TLS cipher suite that the server chose.
|
|
cipher: string &log &optional;
|
|
## Elliptic curve the server chose when using ECDH/ECDHE.
|
|
curve: string &log &optional;
|
|
## Value of the Server Name Indicator SSL/TLS extension. It
|
|
## indicates the server name that the client was requesting.
|
|
server_name: string &log &optional;
|
|
## Session ID offered by the client for session resumption.
|
|
## Not used for logging.
|
|
session_id: string &optional;
|
|
## Flag to indicate if the session was resumed reusing
|
|
## the key material exchanged in an earlier connection.
|
|
resumed: bool &log &default=F;
|
|
## Flag to indicate if we saw a non-empty session ticket being
|
|
## sent by the client using an empty session ID. This value
|
|
## is used to determine if a session is being resumed. It's
|
|
## not logged.
|
|
client_ticket_empty_session_seen: bool &default=F;
|
|
## Flag to indicate if we saw a client key exchange message sent
|
|
## by the client. This value is used to determine if a session
|
|
## is being resumed. It's not logged.
|
|
client_key_exchange_seen: bool &default=F;
|
|
## Track if the client sent a pre-shared-key extension.
|
|
## Used to determine if a TLS 1.3 session is being resumed.
|
|
## Not logged.
|
|
client_psk_seen: bool &default=F;
|
|
|
|
## Last alert that was seen during the connection.
|
|
last_alert: string &log &optional;
|
|
## Next protocol the server chose using the application layer
|
|
## next protocol extension, if present.
|
|
next_protocol: string &log &optional;
|
|
|
|
## The analyzer ID used for the analyzer instance attached
|
|
## to each connection. It is not used for logging since it's a
|
|
## meaningless arbitrary number.
|
|
analyzer_id: count &optional;
|
|
|
|
## Flag to indicate if this ssl session has been established
|
|
## successfully, or if it was aborted during the handshake.
|
|
established: bool &log &default=F;
|
|
## Flag to indicate if this record already has been logged, to
|
|
## prevent duplicates.
|
|
logged: bool &default=F;
|
|
## Flag to indicate that we have seen a Hello Retry request message.
|
|
## Used internally for ssl_history logging
|
|
hrr_seen: bool &default=F;
|
|
|
|
## SSL history showing which types of packets we received in which order.
|
|
## Letters have the following meaning with client-sent letters being capitalized:
|
|
##
|
|
## A direction flip occurs when the client hello packet is not sent from the originator
|
|
## of a connection. This can, e.g., occur when DTLS is used in a connection that was
|
|
## set up using STUN.
|
|
##
|
|
## ====== ====================================================
|
|
## Letter Meaning
|
|
## ====== ====================================================
|
|
## ^ direction flipped
|
|
## H hello_request
|
|
## C client_hello
|
|
## S server_hello
|
|
## V hello_verify_request
|
|
## T NewSessionTicket
|
|
## X certificate
|
|
## K server_key_exchange
|
|
## R certificate_request
|
|
## N server_hello_done
|
|
## Y certificate_verify
|
|
## G client_key_exchange
|
|
## F finished
|
|
## W certificate_url
|
|
## U certificate_status
|
|
## A supplemental_data
|
|
## Z unassigned_handshake_type
|
|
## I change_cipher_spec
|
|
## B heartbeat
|
|
## D application_data
|
|
## E end_of_early_data
|
|
## O encrypted_extensions
|
|
## P key_update
|
|
## M message_hash
|
|
## J hello_retry_request
|
|
## L alert
|
|
## Q unknown_content_type
|
|
## ====== ====================================================
|
|
##
|
|
ssl_history: string &log &default="";
|
|
};
|
|
|
|
## The default root CA bundle. By default, the mozilla-ca-list.zeek
|
|
## script sets this to Mozilla's root CA list.
|
|
const root_certs: table[string] of string &redef;
|
|
|
|
## The record type which contains the field for the Certificate
|
|
## Transparency log bundle.
|
|
type CTInfo: record {
|
|
## Description of the Log
|
|
description: string;
|
|
## Operator of the Log
|
|
operator: string;
|
|
## Public key of the Log.
|
|
key: string;
|
|
## Maximum merge delay of the Log
|
|
maximum_merge_delay: count;
|
|
## URL of the Log
|
|
url: string;
|
|
};
|
|
|
|
## The Certificate Transparency log bundle. By default, the ct-list.zeek
|
|
## script sets this to the current list of known logs. Entries
|
|
## are indexed by (binary) log-id.
|
|
option ct_logs: table[string] of CTInfo = {};
|
|
|
|
## If true, detach the SSL analyzer from the connection to prevent
|
|
## continuing to process encrypted traffic. Helps with performance
|
|
## (especially with large file transfers).
|
|
option disable_analyzer_after_detection = T;
|
|
|
|
## Maximum length of the ssl_history field to prevent unbounded
|
|
## growth when the parser is running into unexpected situations.
|
|
option max_ssl_history_length = 100;
|
|
|
|
## Delays an SSL record for a specific token: the record will not be
|
|
## logged as long as the token exists or until 15 seconds elapses.
|
|
global delay_log: function(info: Info, token: string);
|
|
|
|
## Undelays an SSL record for a previously inserted token, allowing the
|
|
## record to be logged.
|
|
global undelay_log: function(info: Info, token: string);
|
|
|
|
## Event that can be handled to access the SSL
|
|
## record as it is sent on to the logging framework.
|
|
global log_ssl: event(rec: Info);
|
|
|
|
## Hook that can be used to perform actions right before the log record
|
|
## is written.
|
|
global ssl_finishing: hook(c: connection);
|
|
|
|
## SSL finalization hook. Remaining SSL info may get logged when it's called.
|
|
## The :zeek:see:`SSL::ssl_finishing` hook may either
|
|
## be called before this finalization hook for established SSL connections
|
|
## or during this finalization hook for SSL connections may have info still
|
|
## left to log.
|
|
global finalize_ssl: Conn::RemovalHook;
|
|
}
|
|
|
|
redef record connection += {
|
|
ssl: Info &optional;
|
|
};
|
|
|
|
redef record Info += {
|
|
# Adding a string "token" to this set will cause the SSL script
|
|
# to delay logging the record until either the token has been removed or
|
|
# the record has been delayed.
|
|
delay_tokens: set[string] &optional;
|
|
};
|
|
|
|
const ssl_ports = {
|
|
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
|
|
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
|
|
};
|
|
|
|
# There are no well known DTLS ports at the moment. Let's
|
|
# just add 443 for now for good measure - who knows :)
|
|
const dtls_ports = { 443/udp };
|
|
|
|
redef likely_server_ports += { ssl_ports, dtls_ports };
|
|
|
|
# Priority needs to be higher than priority of zeek_init in ssl/files.zeek
|
|
event zeek_init() &priority=6
|
|
{
|
|
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
|
|
}
|
|
|
|
function set_session(c: connection)
|
|
{
|
|
if ( ! c?$ssl )
|
|
{
|
|
c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id];
|
|
Conn::register_removal_hook(c, finalize_ssl);
|
|
}
|
|
}
|
|
|
|
function add_to_history(c: connection, is_client: bool, char: string)
|
|
{
|
|
if ( |c$ssl$ssl_history| == max_ssl_history_length )
|
|
return;
|
|
|
|
if ( is_client )
|
|
c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
|
|
else
|
|
c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
|
|
|
|
if ( |c$ssl$ssl_history| == max_ssl_history_length )
|
|
Reporter::conn_weird("SSL_max_ssl_history_length_reached", c);
|
|
}
|
|
|
|
function delay_log(info: Info, token: string)
|
|
{
|
|
if ( ! info?$delay_tokens )
|
|
info$delay_tokens = set();
|
|
add info$delay_tokens[token];
|
|
}
|
|
|
|
function undelay_log(info: Info, token: string)
|
|
{
|
|
if ( info?$delay_tokens && token in info$delay_tokens )
|
|
delete info$delay_tokens[token];
|
|
}
|
|
|
|
function log_record(info: Info)
|
|
{
|
|
if ( info$logged )
|
|
return;
|
|
|
|
if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
|
|
{
|
|
Log::write(SSL::LOG, info);
|
|
info$logged = T;
|
|
}
|
|
else
|
|
{
|
|
when [info] ( |info$delay_tokens| == 0 )
|
|
{
|
|
log_record(info);
|
|
}
|
|
timeout 15secs
|
|
{
|
|
# We are just going to log the record anyway.
|
|
delete info$delay_tokens;
|
|
log_record(info);
|
|
}
|
|
}
|
|
}
|
|
|
|
# remove_analyzer flag is used to prevent disabling analyzer for finished
|
|
# connections.
|
|
function finish(c: connection, remove_analyzer: bool)
|
|
{
|
|
log_record(c$ssl);
|
|
if ( remove_analyzer && disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
|
|
if ( disable_analyzer(c$id, c$ssl$analyzer_id) )
|
|
delete c$ssl$analyzer_id;
|
|
}
|
|
|
|
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
# Save the session_id if there is one set.
|
|
if ( |session_id| > 0 && session_id != /^\x00{32}$/ )
|
|
{
|
|
c$ssl$session_id = bytestring_to_hexstr(session_id);
|
|
c$ssl$client_ticket_empty_session_seen = F;
|
|
}
|
|
}
|
|
|
|
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
# If it is already filled, we saw a supported_versions extensions which overrides this.
|
|
if ( ! c$ssl?$version_num )
|
|
{
|
|
c$ssl$version_num = version;
|
|
c$ssl$version = version_strings[version];
|
|
}
|
|
c$ssl$cipher = cipher_desc[cipher];
|
|
|
|
# Check if this is a hello retry request. A magic value in the random is used to signal this
|
|
if ( server_random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" )
|
|
c$ssl$hrr_seen = T;
|
|
|
|
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
|
|
c$ssl$resumed = T;
|
|
}
|
|
|
|
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
|
|
{
|
|
if ( is_client || |versions| != 1 )
|
|
return;
|
|
|
|
set_session(c);
|
|
|
|
c$ssl$version_num = versions[0];
|
|
c$ssl$version = version_strings[versions[0]];
|
|
}
|
|
|
|
event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
c$ssl$curve = ec_curves[curve];
|
|
}
|
|
|
|
event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
|
|
{
|
|
if ( is_client || |curves| != 1 )
|
|
return;
|
|
|
|
set_session(c);
|
|
c$ssl$curve = ec_curves[curves[0]];
|
|
}
|
|
|
|
event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( is_client && |names| > 0 )
|
|
{
|
|
c$ssl$server_name = names[0];
|
|
if ( |names| > 1 )
|
|
Reporter::conn_weird("SSL_many_server_names", c, cat(names));
|
|
}
|
|
}
|
|
|
|
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
|
|
{
|
|
set_session(c);
|
|
|
|
if ( is_client )
|
|
return;
|
|
|
|
if ( |protocols| > 0 )
|
|
c$ssl$next_protocol = protocols[0];
|
|
}
|
|
|
|
event ssl_connection_flipped(c: connection)
|
|
{
|
|
set_session(c);
|
|
|
|
c$ssl$ssl_history += "^";
|
|
}
|
|
|
|
event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( is_client && msg_type == SSL::CLIENT_KEY_EXCHANGE )
|
|
c$ssl$client_key_exchange_seen = T;
|
|
|
|
switch ( msg_type )
|
|
{
|
|
case SSL::HELLO_REQUEST:
|
|
add_to_history(c, is_client, "h");
|
|
break;
|
|
case SSL::CLIENT_HELLO:
|
|
add_to_history(c, is_client, "c");
|
|
break;
|
|
case SSL::SERVER_HELLO:
|
|
if ( c$ssl$hrr_seen )
|
|
{
|
|
# the server_hello event is raised first, and sets the flag
|
|
add_to_history(c, is_client, "j");
|
|
c$ssl$hrr_seen = F;
|
|
}
|
|
else
|
|
add_to_history(c, is_client, "s");
|
|
break;
|
|
case SSL::HELLO_VERIFY_REQUEST:
|
|
add_to_history(c, is_client, "v");
|
|
break;
|
|
case SSL::SESSION_TICKET:
|
|
add_to_history(c, is_client, "t");
|
|
break;
|
|
# end of early data
|
|
case 5:
|
|
add_to_history(c, is_client, "e");
|
|
break;
|
|
case SSL::HELLO_RETRY_REQUEST:
|
|
add_to_history(c, is_client, "j");
|
|
break;
|
|
case SSL::ENCRYPTED_EXTENSIONS:
|
|
add_to_history(c, is_client, "o");
|
|
break;
|
|
case SSL::CERTIFICATE:
|
|
add_to_history(c, is_client, "x");
|
|
break;
|
|
case SSL::SERVER_KEY_EXCHANGE:
|
|
add_to_history(c, is_client, "k");
|
|
break;
|
|
case SSL::CERTIFICATE_REQUEST:
|
|
add_to_history(c, is_client, "r");
|
|
break;
|
|
case SSL::SERVER_HELLO_DONE:
|
|
add_to_history(c, is_client, "n");
|
|
break;
|
|
case SSL::CERTIFICATE_VERIFY:
|
|
add_to_history(c, is_client, "y");
|
|
break;
|
|
case SSL::CLIENT_KEY_EXCHANGE:
|
|
add_to_history(c, is_client, "g");
|
|
break;
|
|
case SSL::FINISHED:
|
|
add_to_history(c, is_client, "f");
|
|
break;
|
|
case SSL::CERTIFICATE_URL:
|
|
add_to_history(c, is_client, "w");
|
|
break;
|
|
case SSL::CERTIFICATE_STATUS:
|
|
add_to_history(c, is_client, "u");
|
|
break;
|
|
case SSL::SUPPLEMENTAL_DATA:
|
|
add_to_history(c, is_client, "a");
|
|
break;
|
|
case SSL::KEY_UPDATE:
|
|
add_to_history(c, is_client, "p");
|
|
break;
|
|
# message hash
|
|
case 254:
|
|
add_to_history(c, is_client, "m");
|
|
break;
|
|
default:
|
|
add_to_history(c, is_client, "z");
|
|
break;
|
|
}
|
|
}
|
|
|
|
# Extension event is fired _before_ the respective client or server hello.
|
|
# Important for client_ticket_empty_session_seen.
|
|
event ssl_extension(c: connection, is_client: bool, code: count, val: string) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( is_client && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
|
|
# In this case, we might have an empty ID. Set back to F in client_hello event
|
|
# if it is not empty after all.
|
|
c$ssl$client_ticket_empty_session_seen = T;
|
|
else if ( is_client && code == SSL_EXTENSION_PRE_SHARED_KEY )
|
|
# In this case, the client sent a PSK extension which can be used for resumption
|
|
c$ssl$client_psk_seen = T;
|
|
else if ( ! is_client && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
|
|
# In this case, the server accepted the PSK offered by the client.
|
|
c$ssl$resumed = T;
|
|
}
|
|
|
|
event ssl_change_cipher_spec(c: connection, is_client: bool) &priority=5
|
|
{
|
|
set_session(c);
|
|
add_to_history(c, is_client, "i");
|
|
|
|
if ( is_client && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
|
|
c$ssl$resumed = T;
|
|
}
|
|
|
|
event ssl_alert(c: connection, is_client: bool, level: count, desc: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
add_to_history(c, is_client, "l");
|
|
|
|
c$ssl$last_alert = alert_descriptions[desc];
|
|
}
|
|
|
|
event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
|
|
{
|
|
set_session(c);
|
|
add_to_history(c, is_client, "b");
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=7
|
|
{
|
|
c$ssl$established = T;
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=20
|
|
{
|
|
set_session(c);
|
|
hook ssl_finishing(c);
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=-5
|
|
{
|
|
finish(c, T);
|
|
}
|
|
|
|
hook finalize_ssl(c: connection)
|
|
{
|
|
if ( ! c?$ssl )
|
|
return;
|
|
|
|
if ( ! c$ssl$logged )
|
|
hook ssl_finishing(c);
|
|
|
|
# called in case a SSL connection that has not been established terminates
|
|
finish(c, F);
|
|
}
|
|
|
|
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=5
|
|
{
|
|
if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
|
|
{
|
|
set_session(info$c);
|
|
info$c$ssl$analyzer_id = info$aid;
|
|
}
|
|
}
|
|
|
|
event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
|
|
return;
|
|
|
|
local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
|
|
Weird::weird(wi);
|
|
}
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
|
|
{
|
|
if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
|
|
if ( info$c?$ssl )
|
|
{
|
|
# analyzer errored out; prevent us from trying to remove it later
|
|
delete info$c$ssl$analyzer_id;
|
|
finish(info$c, F);
|
|
}
|
|
}
|