mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
c92bf9bad2
This event is the replacement for ssl_application_data, which is removed in the same commit. It is more generic, containing more information than ssl_application_dataand is raised for all SSL/TLS messages that are exchanged before encryption starts. It is used by Bro internally to determine when a TLS1.3 session has been completely established. Apart from that, it can be used to, e.g., determine the record layer TLS version.
33 lines
1.1 KiB
Text
33 lines
1.1 KiB
Text
# This tests events not covered by other tests
|
|
|
|
# @TEST-EXEC: bro -b -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load base/protocols/ssl
|
|
|
|
redef SSL::disable_analyzer_after_detection=F;
|
|
|
|
event ssl_established(c: connection)
|
|
{
|
|
print "Established", c$id$orig_h, c$id$resp_h;
|
|
}
|
|
|
|
event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count)
|
|
{
|
|
print "Handshake", c$id$orig_h, c$id$resp_h, is_orig, msg_type, length;
|
|
}
|
|
|
|
event ssl_change_cipher_spec(c: connection, is_orig: bool)
|
|
{
|
|
print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
|
|
}
|
|
|
|
event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
|
{
|
|
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
|
|
}
|
|
|
|
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
|
{
|
|
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
|
|
}
|