mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
e14eddeb97
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198. |
||
|---|---|---|
| .. | ||
| conn | ||
| dce-rpc | ||
| dhcp | ||
| dnp3 | ||
| dns | ||
| ftp | ||
| http | ||
| imap | ||
| irc | ||
| krb | ||
| modbus | ||
| mqtt | ||
| mysql | ||
| ntlm | ||
| ntp | ||
| pop3 | ||
| radius | ||
| rdp | ||
| rfb | ||
| sip | ||
| smb | ||
| smtp | ||
| snmp | ||
| socks | ||
| ssh | ||
| ssl | ||
| syslog | ||
| tunnels | ||
| xmpp | ||