zeek/testing/btest/scripts/base/protocols/ssl/prevent-disable-analyzer.test
Arne Welzel 26b1558cd1 analyzer: Move disabling_analyzer() hook into Analyzer module
When disabling_analyzer() was introduced, it was added to the GLOBAL
module. The awkward side-effect is that implementing a hook handler
in another module requires prefixing it with GLOBAL. Alternatively, one
can re-open the GLOBAL module and implement the handler in that scope.

Both are not great, and prefixing with GLOBAL is ugly, so move the
identifier to the Analyzer module and ask users to prefix with Analyzer.
2023-01-23 12:22:05 +01:00


# @TEST-DOC: Implement disabling_analyzer hook to keep the SSL analyzer enabled for a bit longer.
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls1.2.trace %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl

# Keep the shipped default of dropping the SSL analyzer once detection is
# done, but state it explicitly so the test does not silently depend on it.
redef SSL::disable_analyzer_after_detection = T;

# Per-connection counter of ssl_encrypted_data events observed so far.
redef record SSL::Info += {
	encrypted_data: count &default=0;
};

# Number of ssl_encrypted_data events after which the analyzer is disabled.
# The trace raises seven of them; the handshake has finished after the first two.
global encrypted_data_wanted: count = 4;
# Veto any attempt to detach the SSL analyzer from a connection until
# encrypted_data_wanted ssl_encrypted_data events have been seen on it.
# The ssl_encrypted_data handler below applies the inverse condition.
#
# c:     the connection whose analyzer is about to be disabled
# atype: tag of the analyzer being disabled; only ANALYZER_SSL is of interest
# aid:   id of that analyzer instance
#
# `break` in this hook is what vetoes the disable; returning lets it proceed.
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
	{
	print "disabling_analyzer", c$id, atype, aid;

	# Only SSL analyzers on connections that already carry SSL state are judged;
	# everything else is left to Zeek's default behaviour.
	if ( atype == Analyzer::ANALYZER_SSL && c?$ssl )
		{
		if ( c$ssl$encrypted_data < encrypted_data_wanted )
			{
			print "preventing disabling_analyzer", c$id, atype, aid;
			break;
			}

		print "allowing disabling_analyzer", c$id, atype, aid;
		}
	}
# Record when the TLS handshake on a connection completes, so the output
# shows where the handshake ends relative to the encrypted-data events.
event ssl_established(c: connection)
	{
	local cid = c$id;
	print "established", cid;
	}
# Log every analyzer confirmation together with the analyzer id, which is the
# same id later passed to the disabling_analyzer hook.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
	{
	local cid = info$c$id;
	local aid = info$aid;
	print "analyzer_confirmation", cid, atype, aid;
	}
# Count encrypted records on the connection and, once encrypted_data_wanted
# of them have been seen, ask Zeek to detach the SSL analyzer. This is the
# inverse of the condition in the disabling_analyzer hook above, which vetoes
# earlier attempts to disable it.
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
	{
	++c$ssl$encrypted_data;
	local seen = c$ssl$encrypted_data;
	print "encrypted_data", c$id, is_client, content_type, length, seen;

	# disable_analyzer() needs the analyzer id, which is an optional field of
	# SSL::Info, so check for its presence before using it.
	if ( seen >= encrypted_data_wanted && c$ssl?$analyzer_id )
		disable_analyzer(c$id, c$ssl$analyzer_id);
	}