mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
c05e07cc90
This exposes the record layer version of the fragment in addition to the content type and the length. The ordering of the arguments in the event is the same as the ordering in the protocol message (first type, then version, then length). This also includes a slight change to the analyzer, no longer calling the generate function if the event is not used.
28 lines
847 B
Text
28 lines
847 B
Text
# This tests events not covered by other tests
|
|
|
|
# @TEST-EXEC: bro -b -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load base/protocols/ssl
|
|
|
|
redef SSL::disable_analyzer_after_detection=F;
|
|
|
|
event ssl_established(c: connection)
|
|
{
|
|
print "Established", c$id$orig_h, c$id$resp_h;
|
|
}
|
|
|
|
event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count)
|
|
{
|
|
print "Handshake", c$id$orig_h, c$id$resp_h, is_orig, msg_type, length;
|
|
}
|
|
|
|
event ssl_change_cipher_spec(c: connection, is_orig: bool)
|
|
{
|
|
print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
|
|
}
|
|
|
|
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
|
|
{
|
|
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
|
|
}
|