# @TEST-DOC: Implement disabling_analyzer hook to keep the SSL analyzer enabled for a bit longer.
|
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls1.2.trace %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load base/protocols/ssl
|
|
|
|
# This is the default, but make it explicit: once the SSL analyzer has detected
# the protocol, Zeek tries to detach it from the connection. The hook below is
# what lets this script veto that detach for a while. Note that as long as the
# analyzer stays attached, every further record on the connection is still
# parsed (each one raises ssl_encrypted_data here), so keeping it enabled
# longer trades CPU for visibility into the post-handshake traffic.
redef SSL::disable_analyzer_after_detection = T;
|
|
|
|
# Per-connection counter of ssl_encrypted_data events seen so far. Lives on
# SSL::Info so both the event handler (which increments it) and the
# disabling_analyzer hook (which reads it) look at the same state.
redef record SSL::Info += {
	encrypted_data: count &default=0;
};
|
|
|
|
# Threshold of ssl_encrypted_data events after which this script disables the
# SSL analyzer itself. The trace raises seven such events; the handshake is
# complete after the first two, so a value of 4 means the analyzer stays
# attached for two encrypted records past the point where Zeek would normally
# have detached it.
global encrypted_data_wanted: count = 4;
|
|
|
|
# Prevent disabling the SSL analyzer for this connection until we've seen encrypted_data_wanted
|
|
# encrypted data events on it. Our ssl_encrypted_data event handler has the inverse condition.
|
|
# Veto the SSL analyzer being disabled on this connection until at least
# encrypted_data_wanted ssl_encrypted_data events have been seen on it.
# A `break` aborts the hook and counts as a veto; falling through to the end
# lets the disable go ahead. The ssl_encrypted_data handler uses the inverse
# condition, so the two agree on exactly when the analyzer goes away.
#
# Analyzers other than SSL, and SSL analyzers on connections without SSL
# state, are left alone (neither vetoed nor logged as "allowing").
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
	{
	print "disabling_analyzer", c$id, atype, aid;

	# Only the SSL analyzer on a connection with SSL state is subject to the veto.
	if ( ! ( atype == Analyzer::ANALYZER_SSL && c?$ssl ) )
		return;

	local seen = c$ssl$encrypted_data;

	if ( seen >= encrypted_data_wanted )
		{
		print "allowing disabling_analyzer", c$id, atype, aid;
		return;
		}

	# Not enough encrypted records yet: keep the analyzer attached.
	print "preventing disabling_analyzer", c$id, atype, aid;
	break;
	}
|
|
|
|
# Log the handshake completing on a connection, so the output shows where in
# the sequence of encrypted_data events the analyzer would normally be detached.
event ssl_established(c: connection)
	{
	local cid = c$id;
	print "established", cid;
	}
|
|
|
|
# Log every analyzer confirmation with its connection and analyzer id, so the
# id later passed to disable_analyzer() can be matched up in the output.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
	{
	local cid = info$c$id;
	local aid = info$aid;
	print "analyzer_confirmation", cid, atype, aid;
	}
|
|
|
|
# Count encrypted records on the connection and, once encrypted_data_wanted
# of them have been seen, ask Zeek to disable the SSL analyzer ourselves.
# That request goes through the disabling_analyzer hook above, whose veto
# condition is the inverse of the check here, so it will be allowed.
#
# The analyzer_id is only used when it is actually set on the SSL record;
# without it there is nothing to disable.
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
	{
	++c$ssl$encrypted_data;
	local seen = c$ssl$encrypted_data;

	print "encrypted_data", c$id, is_client, content_type, length, seen;

	if ( ! c$ssl?$analyzer_id )
		return;

	if ( seen < encrypted_data_wanted )
		return;

	disable_analyzer(c$id, c$ssl$analyzer_id);
	}
|