mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
e14eddeb97
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
33 lines
1.1 KiB
Text
33 lines
1.1 KiB
Text
# This tests events not covered by other tests
|
|
|
|
# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load base/protocols/ssl
|
|
|
|
redef SSL::disable_analyzer_after_detection=F;
|
|
|
|
event ssl_established(c: connection)
|
|
{
|
|
print "Established", c$id$orig_h, c$id$resp_h;
|
|
}
|
|
|
|
event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count)
|
|
{
|
|
print "Handshake", c$id$orig_h, c$id$resp_h, is_client, msg_type, length;
|
|
}
|
|
|
|
event ssl_change_cipher_spec(c: connection, is_client: bool)
|
|
{
|
|
print "CCS", c$id$orig_h, c$id$resp_h, is_client;
|
|
}
|
|
|
|
event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
|
|
{
|
|
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
|
|
}
|
|
|
|
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
|
|
{
|
|
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
|
|
}
|