SSL event handlers

The standard script handles the following events:

ssl_conn_attempt (c: connection, version: count, cipherSuites: cipher_suites_list)
    Generated for connection c when the analyzer sees a CLIENT-HELLO of SSL version
    version, including the cipher suites the client offers, cipherSuites. The version
    can be 0x0002, 0x0300 or 0x0301. A new entry is generated inside the SSL connection
    table and the cipher suites are listed. Ciphers that are known to be weak (according
    to a corresponding table of weak ciphers) are logged in the weak.log file. The same
    happens for cipher suites that we do not know yet.
    Note: See the file ssl-ciphers.bro for a list of known cipher suites.

ssl_conn_server_reply (c: connection, version: count, cipherSuites: cipher_suites_list)
    Generated when the analyzer sees the SERVER-HELLO of the SSL server. It contains the
    SSL version the server wishes to use (Note: this finally determines which SSL version
    will be used from here on) and the cipher suite it offers. If it is SSL version 3.0
    or 3.1, the server determines within this SERVER-HELLO the cipher suite for the rest
    of the connection (so there will be only one). If it is an SSL version 2.0 connection,
    the server only announces the cipher suites it supports and it is up to the client to
    decide which one to use. Again, the cipher suites are listed, and weak and unknown
    cipher suites are reported in weak.log.

ssl_certificate_seen (c: connection, isServer: int)

ssl_certificate (c: connection, cert: x509, isServer: bool)
    Generated when a certificate (see isServer) has been verified.
    Note: We only verify certificates once. If we see them again, we only check whether
    they have changed. cert holds the issuer and subject of the certificate, which are
    stored in this SSL connection's information record inside the SSL connection table
    and are written to ssl.log.

ssl_conn_reused (c: connection, session_id: string)
    Generated when an SSL session is reused. session_id holds the session ID (as a
    string) of the reused session and is written to ssl.log. Currently we don't do
    session tracking, because SSL version 2.0 doesn't send the session ID in clear text
    when it is generated.

ssl_conn_established (c: connection, version: count, cipher_suite: count)
    Generated when the SSL connection has been established. The cipher suite in use is
    written to ssl.log if we have SSL version 3.0 or 3.1. In the case of SSL version 2.0
    we can only determine the used cipher suite for new sessions, not for reused ones.
    (Note: In SSL version 3.0 and 3.1 the cipher suite to be used is already announced in
    the SERVER-HELLO.)

ssl_conn_alert (c: connection, version: count, level: count, description: count)
    Generated when an SSL alert is seen. The level of the alert (warning or fatal) and
    the description are written to ssl.log. (Note: See ssl-alerts.bro.)

ssl_conn_weak (name: string, c: connection)
    Generated by the other event handlers (ssl_conn_attempt, ssl_server_reply,
    ssl_conn_established). See weak.bro.
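As an added example (not part of the original documentation or of the standard ssl.bro / weak.bro scripts), the following Bro policy script hooks the three events above to flag weak or unknown cipher suites per connection. The cipher suite values in the two tables are constructed placeholders, and the module name, the report_cipher helper and the use of open_log_file for weak.log are assumptions.

```zeek
# Added example: hooks the SSL events described above to report weak and
# unknown cipher suites. Suite values below are constructed placeholders, not
# the real tables from ssl-ciphers.bro or weak.bro.

@load ssl

module SSLExample;

export {
    # Constructed placeholder values; use ssl-ciphers.bro / weak.bro in practice.
    const weak_cipher_suites: set[count] = { 0x0003, 0x0006 } &redef;
    const known_cipher_suites: set[count] = { 0x0003, 0x0006, 0x002f, 0x0035 } &redef;
}

# Assumption: open_log_file() creates "weak.log" in the log directory.
global weak_log = open_log_file("weak");

# Hypothetical helper: one line per weak or unknown suite, tagged with where it was seen.
function report_cipher(c: connection, cs: count, where: string)
    {
    if ( cs in weak_cipher_suites )
        print weak_log, fmt("%s %s -> %s weak cipher suite 0x%x (%s)",
                            network_time(), c$id$orig_h, c$id$resp_h, cs, where);
    else if ( cs !in known_cipher_suites )
        print weak_log, fmt("%s %s -> %s unknown cipher suite 0x%x (%s)",
                            network_time(), c$id$orig_h, c$id$resp_h, cs, where);
    }

# CLIENT-HELLO: every offered suite is checked, whatever the SSL version.
event ssl_conn_attempt(c: connection, version: count, cipherSuites: cipher_suites_list)
    {
    for ( cs in cipherSuites )
        report_cipher(c, cs, fmt("client offer, version 0x%x", version));
    }

# SERVER-HELLO: for 3.0/3.1 the list holds the single chosen suite; for 2.0 it is
# only the set the server supports, so the choice still belongs to the client.
event ssl_conn_server_reply(c: connection, version: count, cipherSuites: cipher_suites_list)
    {
    local where = version == 0x0002 ? "server supports" : "server selected";
    for ( cs in cipherSuites )
        report_cipher(c, cs, where);
    }

# Established: for 3.0/3.1 the suite is definitive; for 2.0 it is only known for
# new sessions, so a reused 2.0 session may not reach this point with a real value.
event ssl_conn_established(c: connection, version: count, cipher_suite: count)
    {
    report_cipher(c, cipher_suite, "established");
    }
```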