Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/policy/protocols/ssl/ssl-log-ext.zeek
Johanna Amann 46e54bab76 Fix ssl-log-ext omitting data in some cases 
ssl-log-ext had a bug that caused data present in the SSL connection to
not be logged in some cases. Specifically, the script relied on the base
ssl script to initialize some data structures; however, this means that
protocol messages that arrive before a message is handled by the base
ssl script are not logged.

This commit changes the ssl-log-ext script to also initialize the data
structures; now messages are correctly included in the log in all cases.
2024-01-11 17:12:33 +00:00

178 lines
4.9 KiB
Text
Raw Blame History

##! This file adds a lot of additional information to the SSL log
##! It is not loaded by default since the information significantly expands
##! the log and is probably not interesting for a majority of people.
@load base/protocols/ssl
module SSL;
redef record SSL::Info += {
## Numeric version of the server in the server hello
server_version: count &log &optional;
## Numeric version of the client in the client hello
client_version: count &log &optional;
## Ciphers that were offered by the client for the connection
client_ciphers: vector of count &log &optional;
## SSL Client extensions
ssl_client_exts: vector of count &log &optional;
## SSL server extensions
ssl_server_exts: vector of count &log &optional;
## Suggested ticket lifetime sent in the session ticket handshake
## by the server.
ticket_lifetime_hint: count &log &optional;
## The diffie helman parameter size, when using DH.
dh_param_size: count &log &optional;
## supported elliptic curve point formats
point_formats: vector of count &log &optional;
## The curves supported by the client.
client_curves: vector of count &log &optional;
## Application layer protocol negotiation extension sent by the client.
orig_alpn: vector of string &log &optional;
## TLS 1.3 supported versions
client_supported_versions: vector of count &log &optional;
## TLS 1.3 supported versions
server_supported_version: count &log &optional;
## TLS 1.3 Pre-shared key exchange modes
psk_key_exchange_modes: vector of count &log &optional;
## Key share groups from client hello
client_key_share_groups: vector of count &log &optional;
## Selected key share group from server hello
server_key_share_group: count &log &optional;
## Client supported compression methods
client_comp_methods: vector of count &log &optional;
## Server chosen compression method
comp_method: count &optional;
## Client supported signature algorithms
sigalgs: vector of count &log &optional;
## Client supported hash algorithms
hashalgs: vector of count &log &optional;
};
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
{
set_session(c);
c$ssl$client_ciphers = ciphers;
c$ssl$client_version = version;
c$ssl$client_comp_methods = comp_methods;
}
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
{
set_session(c);
c$ssl$server_version = version;
c$ssl$comp_method = comp_method;
}
event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
{
set_session(c);
c$ssl$ticket_lifetime_hint = ticket_lifetime_hint;
}
event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{
set_session(c);
if ( is_client )
{
if ( ! c$ssl?$ssl_client_exts )
c$ssl$ssl_client_exts = vector();
c$ssl$ssl_client_exts[|c$ssl$ssl_client_exts|] = code;
}
else
{
if ( ! c$ssl?$ssl_server_exts )
c$ssl$ssl_server_exts = vector();
c$ssl$ssl_server_exts[|c$ssl$ssl_server_exts|] = code;
}
}
event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
{
if ( ! is_client )
return;
set_session(c);
c$ssl$point_formats = point_formats;
}
event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
{
if ( ! is_client )
return;
set_session(c);
c$ssl$client_curves = curves;
}
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec)
{
set_session(c);
if ( is_client )
c$ssl$orig_alpn = names;
}
event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
{
set_session(c);
local key_length = |Ys| * 8; # key length in bits
c$ssl$dh_param_size = key_length;
}
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{
set_session(c);
if ( is_client )
c$ssl$client_supported_versions = versions;
else
c$ssl$server_supported_version = versions[0];
}
event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
{
if ( ! is_client )
return;
set_session(c);
c$ssl$psk_key_exchange_modes = modes;
}
event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{
set_session(c);
if ( is_client )
c$ssl$client_key_share_groups = curves;
else
c$ssl$server_key_share_group = curves[0];
}
event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec)
{
if ( ! is_client )
return;
set_session(c);
local sigalgs: index_vec = vector();
local hashalgs: index_vec = vector();
for ( i in signature_algorithms )
{
local rec = signature_algorithms[i];
sigalgs[|sigalgs|] = rec$SignatureAlgorithm;
hashalgs[|hashalgs|] = rec$HashAlgorithm;
}
c$ssl$sigalgs = sigalgs;
c$ssl$hashalgs = hashalgs;
}
Reference in a new issue View git blame Copy permalink