An design error was made when doing the TLS storage module which
has been made dependant of the TLS logging. At the time there was
only one TLS logging module but there is now two different ones.
By putting the TLS store module in a separate module, we can now
use EVE output and TLS store at the same time.
The OpenSSL implementation of RFC 6520 (Heartbeat extension) does not
check the payload length correctly, resulting in a copy of at most 64k
of memory from the server (ref: CVE-2014-0160).
This patch adds support for decoding heartbeat messages (if not
encrypted), and checking several parts (type, length and padding).
When an anomaly is detected, a TLS event is raised.
This patch converts log-tls to use the packet logger API. The packet
logger API was choosen as the TLS parser is not transaction aware.
To make sure the state is only logged once, the flag
SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked
by the condition function, and set at the end of the Logger function.
The parser wasn't carrying out a bounds check on record length while
in the middle of parsing a handshake. As a result we would step onto the
next record header and consider it a part of the current handshake.
- Contains an unittest to test the issue.
- Disable the duplicate parser unittest registration.
The issue came to light through an irregular ssl record, which was
reported by Sebastian Roschke, via CVE-2013-5919.
Thanks to Sebastian Roschke for reporting this issue.
When multiple certificates forming a chain are sent. A pointer to
the start of each certificate is kept. This will allow treatment
on certificates chains.
This patch adds a TLS store option to save certificate in PEM format.
Each time the store action is met, a file and a metafile are created.
Reworked-by: Eric Leblond <eric@regit.org>
Since we now parse the content of the TLS messages, we need to handle
the case multiple messages are shipped in a single TLS record, and
taking care of the multiple levels of fragmentation (message, record,
and TCP).
Additionally, fix a bug where the parser state was not reset after an
empty record.
Decode the SERVER_HELLO message to extract the ciphersuite and compression
chosen by the server.
Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extracts the
certificates and keep the subject name.
Add the tls.subject keyword for substring match in rules (TLS layer).
Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
Eric Leblond
Victor Julien
Will Metcalf
Pierre Chifflier
Anoop Saldanha
Jean-Paul Roliers
Anoop Saldanha
Gurvinder Singh