mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 09:38:19 +00:00
385 lines
11 KiB
Text
385 lines
11 KiB
Text
##! Base SSL analysis script. This script logs information about the SSL/TLS
|
|
##! handshaking and encryption establishment process.
|
|
|
|
@load ./consts
|
|
|
|
module SSL;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
## A response from the ICSI certificate notary.
|
|
type NotaryResponse: record {
|
|
first_seen: count &log &optional;
|
|
last_seen: count &log &optional;
|
|
times_seen: count &log &optional;
|
|
valid: bool &log &optional;
|
|
};
|
|
|
|
type Info: record {
|
|
## Time when the SSL connection was first detected.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## SSL/TLS version that the server offered.
|
|
version: string &log &optional;
|
|
## SSL/TLS cipher suite that the server chose.
|
|
cipher: string &log &optional;
|
|
## Value of the Server Name Indicator SSL/TLS extension. It
|
|
## indicates the server name that the client was requesting.
|
|
server_name: string &log &optional;
|
|
## Session ID offered by the client for session resumption.
|
|
session_id: string &log &optional;
|
|
## Subject of the X.509 certificate offered by the server.
|
|
subject: string &log &optional;
|
|
## Subject of the signer of the X.509 certificate offered by the server.
|
|
issuer_subject: string &log &optional;
|
|
## NotValidBefore field value from the server certificate.
|
|
not_valid_before: time &log &optional;
|
|
## NotValidAfter field value from the server certificate.
|
|
not_valid_after: time &log &optional;
|
|
## Last alert that was seen during the connection.
|
|
last_alert: string &log &optional;
|
|
|
|
## Subject of the X.509 certificate offered by the client.
|
|
client_subject: string &log &optional;
|
|
## Subject of the signer of the X.509 certificate offered by the client.
|
|
client_issuer_subject: string &log &optional;
|
|
|
|
## Full binary server certificate stored in DER format.
|
|
cert: string &optional;
|
|
## Chain of certificates offered by the server to validate its
|
|
## complete signing chain.
|
|
cert_chain: vector of string &optional;
|
|
|
|
## Full binary client certificate stored in DER format.
|
|
client_cert: string &optional;
|
|
## Chain of certificates offered by the client to validate its
|
|
## complete signing chain.
|
|
client_cert_chain: vector of string &optional;
|
|
|
|
## The analyzer ID used for the analyzer instance attached
|
|
## to each connection. It is not used for logging since it's a
|
|
## meaningless arbitrary number.
|
|
analyzer_id: count &optional;
|
|
};
|
|
|
|
## The default root CA bundle. By loading the
|
|
## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
|
|
const root_certs: table[string] of string = {} &redef;
|
|
|
|
## If true, detach the SSL analyzer from the connection to prevent
|
|
## continuing to process encrypted traffic. Helps with performance
|
|
## (especially with large file transfers).
|
|
const disable_analyzer_after_detection = T &redef;
|
|
|
|
## The openssl command line utility. If it's in the path the default
|
|
## value will work, otherwise a full path string can be supplied for the
|
|
## utility.
|
|
const openssl_util = "openssl" &redef;
|
|
|
|
## Flag that determines whether to use the ICSI certificate notary to enhance
|
|
## the SSL log records.
|
|
const use_notary = T &redef;
|
|
|
|
## Event that can be handled to access the SSL
|
|
## record as it is sent on to the logging framework.
|
|
global log_ssl: event(rec: Info);
|
|
}
|
|
|
|
# TODO: Maybe wrap these in @ifdef's? Otherwise we carry the extra baggage
|
|
# around all the time.
|
|
redef record Info += {
|
|
sha1_digest: string &optional;
|
|
notary: NotaryResponse &log &optional;
|
|
};
|
|
|
|
redef record connection += {
|
|
ssl: Info &optional;
|
|
};
|
|
|
|
# The DNS cache of notary responses.
|
|
global notary_cache: table[string] of NotaryResponse &create_expire = 1 hr;
|
|
|
|
# The buffered SSL log records.
|
|
global records: table[string] of Info;
|
|
|
|
# The records that wait for a notary response identified by the cert digest.
|
|
# Each digest refers to a list of connection UIDs which are updated when a DNS
|
|
# reply arrives asynchronously.
|
|
global waiting: table[string] of vector of string;
|
|
|
|
# A double-ended queue that determines the log record order in which logs have
|
|
# to written out to disk.
|
|
global deque: table[count] of string;
|
|
|
|
# The top-most deque index.
|
|
global head = 0;
|
|
|
|
# The bottom deque index that points to the next record to be flushed as soon
|
|
# as the notary response arrives.
|
|
global tail = 0;
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
|
|
}
|
|
|
|
redef capture_filters += {
|
|
["ssl"] = "tcp port 443",
|
|
["nntps"] = "tcp port 563",
|
|
["imap4-ssl"] = "tcp port 585",
|
|
["sshell"] = "tcp port 614",
|
|
["ldaps"] = "tcp port 636",
|
|
["ftps-data"] = "tcp port 989",
|
|
["ftps"] = "tcp port 990",
|
|
["telnets"] = "tcp port 992",
|
|
["imaps"] = "tcp port 993",
|
|
["ircs"] = "tcp port 994",
|
|
["pop3s"] = "tcp port 995",
|
|
["xmpps"] = "tcp port 5223",
|
|
};
|
|
|
|
const ports = {
|
|
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
|
|
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
|
|
};
|
|
|
|
redef dpd_config += {
|
|
[[ANALYZER_SSL]] = [$ports = ports]
|
|
};
|
|
|
|
redef likely_server_ports += {
|
|
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
|
|
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
|
|
};
|
|
|
|
function set_session(c: connection)
|
|
{
|
|
if ( ! c?$ssl )
|
|
c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector(),
|
|
$client_cert_chain=vector()];
|
|
}
|
|
|
|
function clear_waitlist(digest: string)
|
|
{
|
|
if ( digest in waiting )
|
|
{
|
|
for ( i in waiting[digest] )
|
|
{
|
|
local uid = waiting[digest][i];
|
|
records[uid]$notary = [];
|
|
}
|
|
delete waiting[digest];
|
|
}
|
|
}
|
|
|
|
function lookup_cert_hash(uid: string, digest: string)
|
|
{
|
|
# Add the record ID to the list of waiting IDs for this digest.
|
|
local waits_already = digest in waiting;
|
|
if ( ! waits_already )
|
|
waiting[digest] = vector();
|
|
waiting[digest][|waiting[digest]|] = uid;
|
|
if ( waits_already )
|
|
return;
|
|
|
|
local domain = "%s.notary.icsi.berkeley.edu";
|
|
when ( local str = lookup_hostname_txt(fmt(domain, digest)) )
|
|
{
|
|
# Cache every response for a digest.
|
|
# TODO: should we ignore failing answers?
|
|
notary_cache[digest] = [];
|
|
|
|
# Parse notary answer.
|
|
if ( str == "<???>" )
|
|
{
|
|
# TODO: Should we handle NXDOMAIN separately?
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local fields = split(str, / /);
|
|
if ( |fields| != 5 ) # version 1 has 5 fields.
|
|
{
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local version = split(fields[1], /=/)[2];
|
|
if ( version != "1" )
|
|
{
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local r = notary_cache[digest];
|
|
r$first_seen = to_count(split(fields[2], /=/)[2]);
|
|
r$last_seen = to_count(split(fields[3], /=/)[2]);
|
|
r$times_seen = to_count(split(fields[4], /=/)[2]);
|
|
r$valid = split(fields[5], /=/)[2] == "1";
|
|
|
|
# Assign notary answer to all waiting records.
|
|
if ( digest in waiting )
|
|
{
|
|
for ( i in waiting[digest] )
|
|
records[waiting[digest][i]]$notary = r;
|
|
delete waiting[digest];
|
|
}
|
|
|
|
# Flush all records up to the record which still awaits an answer.
|
|
local current: string;
|
|
for ( unused_index in deque )
|
|
{
|
|
current = deque[tail];
|
|
local info = records[current];
|
|
if ( ! info?$notary )
|
|
break;
|
|
Log::write(SSL::LOG, info);
|
|
delete deque[tail];
|
|
delete records[current];
|
|
++tail;
|
|
}
|
|
}
|
|
}
|
|
|
|
function finish(c: connection)
|
|
{
|
|
if ( use_notary && c$ssl?$sha1_digest)
|
|
{
|
|
local digest = c$ssl$sha1_digest;
|
|
if ( c$ssl$sha1_digest in notary_cache )
|
|
c$ssl$notary = notary_cache[digest];
|
|
else
|
|
lookup_cert_hash(c$uid, digest);
|
|
records[c$uid] = c$ssl; # Copy the record.
|
|
deque[head] = c$uid;
|
|
++head;
|
|
}
|
|
else
|
|
{
|
|
Log::write(SSL::LOG, c$ssl);
|
|
}
|
|
|
|
if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
|
|
disable_analyzer(c$id, c$ssl$analyzer_id);
|
|
delete c$ssl;
|
|
}
|
|
|
|
event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
# Save the session_id if there is one set.
|
|
if ( session_id != /^\x00{32}$/ )
|
|
c$ssl$session_id = bytestring_to_hexstr(session_id);
|
|
}
|
|
|
|
event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
c$ssl$version = version_strings[version];
|
|
c$ssl$cipher = cipher_desc[cipher];
|
|
}
|
|
|
|
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
# We aren't doing anything with client certificates yet.
|
|
if ( is_orig )
|
|
{
|
|
if ( chain_idx == 0 )
|
|
{
|
|
# Save the primary cert.
|
|
c$ssl$client_cert = der_cert;
|
|
|
|
# Also save other certificate information about the primary cert.
|
|
c$ssl$client_subject = cert$subject;
|
|
c$ssl$client_issuer_subject = cert$issuer;
|
|
}
|
|
else
|
|
{
|
|
# Otherwise, add it to the cert validation chain.
|
|
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = der_cert;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if ( chain_idx == 0 )
|
|
{
|
|
# Save the primary cert.
|
|
c$ssl$cert = der_cert;
|
|
|
|
# Also save other certificate information about the primary cert.
|
|
c$ssl$subject = cert$subject;
|
|
c$ssl$issuer_subject = cert$issuer;
|
|
c$ssl$not_valid_before = cert$not_valid_before;
|
|
c$ssl$not_valid_after = cert$not_valid_after;
|
|
|
|
if ( use_notary )
|
|
c$ssl$sha1_digest = sha1_hash(der_cert);
|
|
}
|
|
else
|
|
{
|
|
# Otherwise, add it to the cert validation chain.
|
|
c$ssl$cert_chain[|c$ssl$cert_chain|] = der_cert;
|
|
}
|
|
}
|
|
}
|
|
|
|
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( is_orig && extensions[code] == "server_name" )
|
|
c$ssl$server_name = sub_bytes(val, 6, |val|);
|
|
}
|
|
|
|
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
c$ssl$last_alert = alert_descriptions[desc];
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=5
|
|
{
|
|
set_session(c);
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=-5
|
|
{
|
|
finish(c);
|
|
}
|
|
|
|
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
|
|
{
|
|
# Check by checking for existence of c$ssl record.
|
|
if ( c?$ssl && analyzer_name(atype) == "SSL" )
|
|
c$ssl$analyzer_id = aid;
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string) &priority=5
|
|
{
|
|
if ( c?$ssl )
|
|
finish(c);
|
|
}
|
|
|
|
event bro_done()
|
|
{
|
|
if ( ! use_notary || |deque| == 0 )
|
|
return;
|
|
|
|
local current: string;
|
|
for ( unused_index in deque )
|
|
{
|
|
current = deque[tail];
|
|
local info = records[current];
|
|
Log::write(SSL::LOG, info);
|
|
delete deque[tail];
|
|
delete records[current];
|
|
++tail;
|
|
}
|
|
}
|