7.23.4 SSL event handlers

The standard script handles the following events:

ssl_conn_attempt (c: connection, version: count, cipherSuites: cipher_suites_list)
Invoked on the client side of connection c when the analyzer sees a CLIENT-HELLO for SSL version version, carrying the cipher suites the client offers in cipherSuites.

The version can be 0x0002, 0x0300 or 0x0301. A new entry is created in the SSL connection table and the cipher suites are listed. Cipher suites known to be weak (according to a corresponding table of weak ciphers) are logged to the weak.log file, as are cipher suites that are not yet known. Note: See the file ssl-ciphers.bro for a list of known cipher suites.

ssl_conn_server_reply (c: connection, version: count, cipherSuites: cipher_suites_list)
This event is invoked when the analyzer receives the SERVER-HELLO of the SSL server. It contains the SSL version the server wishes to use (Note: this finally determines which SSL version will be used from here on) and the cipher suites it offers. For SSL version 3.0 or 3.1, the server selects within this SERVER-HELLO the single cipher suite for the rest of the connection. For an SSL version 2.0 connection, however, the server only announces the cipher suites it supports and it is up to the client to decide which one to use.

Again, the cipher suites are listed and weak and unknown cipher suites are reported inside weak.log.

ssl_certificate_seen (c: connection, isServer: int)
Invoked whenever we see a certificate from client or server, but before verification of the certificate takes place. This may be useful if you want to do something before certificate verification (e.g. not verify the certificates of certain servers).

ssl_certificate (c: connection, cert: x509, isServer: bool)
Invoked after the certificate from server or client (isServer) has been verified. Note: We only verify certificates once. If we see them again, we only check whether they have changed! cert holds the issuer and subject of the certificate, which are stored in this SSL connection's information record in the SSL connection table and written to ssl.log.

ssl_conn_reused (c: connection, session_id: string)
Invoked whenever a former SSL session is reused. session_id holds the session ID of the reused session as a string and is written to ssl.log. Currently we don't do session tracking, because SSL version 2.0 doesn't send the session ID in clear text when it's generated.

ssl_conn_established (c: connection, version: count, cipher_suite: count)
Invoked when the handshake phase of an SSL connection is finished. For SSL version 3.0 or 3.1 we see the negotiated SSL version and the cipher suite that will be used for cryptography (both written to ssl.log). For SSL version 2.0 we can only determine the cipher suite for new sessions, not for reused ones. (Note: In SSL version 3.0 and 3.1 the cipher suite to be used is already announced in the SERVER-HELLO.)

ssl_conn_alert (c: connection, version: count, level: count, description: count)
Invoked when the analyzer receives an SSL alert. The level of the alert (warning or fatal) and the description are written to ssl.log. (Note: See ssl-alerts.bro.)

ssl_conn_weak (name: string, c: connection)
This event is called when the analyzer sees:

See weak.bro.
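The following policy script is an added example, not part of the original documentation or of the standard ssl.bro, showing how a site might hook the events above to watch for SSL 2.0 offers, version downgrades and locally defined weak suites. It assumes the old Bro type names implied by the signatures above (cipher_suites_list as a set of count, x509 as a record with issuer and subject fields), prints to stdout rather than to ssl.log or weak.log, and uses a constructed local weak-suite set and constructed server addresses; it does not replace the analyzer's own weak.log reporting.

```bro
@load ssl

# Cipher suites this site treats as weak.  Constructed local list using the
# standard IANA code points; the analyzer's own list lives in ssl-ciphers.bro.
const local_weak_suites: set[count] = {
	0x0003,	# TLS_RSA_EXPORT_WITH_RC4_40_MD5
	0x0004,	# TLS_RSA_WITH_RC4_128_MD5
	0x0005,	# TLS_RSA_WITH_RC4_128_SHA
	0x0009	# TLS_RSA_WITH_DES_CBC_SHA
} &redef;

# Servers whose certificates we do not want reported (constructed addresses).
const quiet_servers: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

# Version offered by the client, kept until the handshake finishes.
global offered_version: table[conn_id] of count;

function version_name(v: count): string
	{
	if ( v == 0x0002 ) return "SSL 2.0";
	if ( v == 0x0300 ) return "SSL 3.0";
	if ( v == 0x0301 ) return "TLS 1.0";
	return fmt("unknown(0x%x)", v);
	}

event ssl_conn_attempt(c: connection, version: count, cipherSuites: cipher_suites_list)
	{
	offered_version[c$id] = version;

	if ( version == 0x0002 )
		print fmt("%s offers %s to %s", c$id$orig_h, version_name(version), c$id$resp_h);

	for ( cs in cipherSuites )
		if ( cs in local_weak_suites )
			print fmt("%s offers weak suite 0x%x to %s", c$id$orig_h, cs, c$id$resp_h);
	}

event ssl_conn_server_reply(c: connection, version: count, cipherSuites: cipher_suites_list)
	{
	# For SSL 2.0 the server only lists what it supports and the client picks
	# later, so the final suite is only known at ssl_conn_established.
	if ( version == 0x0002 )
		print fmt("%s replies with SSL 2.0 to %s", c$id$resp_h, c$id$orig_h);
	}

event ssl_certificate(c: connection, cert: x509, isServer: bool)
	{
	# Verified certificates: report server certs except for the quiet list.
	if ( isServer && c$id$resp_h !in quiet_servers )
		print fmt("%s presents cert '%s' issued by '%s'",
			c$id$resp_h, cert$subject, cert$issuer);
	}

event ssl_conn_established(c: connection, version: count, cipher_suite: count)
	{
	# The server settled on a version lower than the one the client offered.
	if ( c$id in offered_version && version < offered_version[c$id] )
		print fmt("%s -> %s: client offered %s, server settled on %s",
			c$id$orig_h, c$id$resp_h,
			version_name(offered_version[c$id]), version_name(version));

	# For 3.0/3.1 this is the suite announced in SERVER-HELLO; for 2.0 it is
	# only determined for new sessions, as the documentation notes.
	if ( cipher_suite in local_weak_suites )
		print fmt("%s -> %s: established with weak suite 0x%x",
			c$id$orig_h, c$id$resp_h, cipher_suite);

	delete offered_version[c$id];
	}

event ssl_conn_alert(c: connection, version: count, level: count, description: count)
	{
	# Alert level 2 is "fatal" in SSL 3.0/TLS; level 1 is "warning".
	if ( level == 2 )
		print fmt("%s -> %s: fatal SSL alert %d", c$id$orig_h, c$id$resp_h, description);
	}

event connection_state_remove(c: connection)
	{
	# Handshakes that never completed still leave an entry; drop it.
	if ( c$id in offered_version )
		delete offered_version[c$id];
	}
```

The offered_version table is what makes the downgrade check possible: the client's version arrives in ssl_conn_attempt, the negotiated one only in ssl_conn_established, so the state has to be carried across the two events and cleaned up in connection_state_remove for handshakes that never finish.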