How to activate extended ssl log information

Hi
I tried to use the SSL extended log without any success
I’m using the most up-to-date Zeek, running on Ubuntu
I used TLS 1.2 but can’t see any new info, e.g. DH key exchange etc.
I added the following to the local.zeek:
@load protocols/ssl
@load policy/protocols/ssl/ssl-log-ext
@load policy/protocols/ssl/enable-logging
redef SSL::log_key_material = T;
redef SSL::log_dh_params = T;
redef SSL::log_dh_keys = T;
redef SSL::extension_supported_versions = T;
redef SSL::log_extended = T;

And reran Zeek. I can see that the local.zeek is in ./usr/local/zeek/share/zeek/site/local.zeek, so probably it was used (how can I verify that this is the right one?)

But nothing changed; probably I’m missing something.
Any idea?

Hi there,

Simply loading policy/protocols/ssl/ssl-log-ext should be all that’s needed to expand the log. I’m struggling to understand where the scripts and values in your snippet are coming from — are policy/protocols/ssl/enable-logging and variables like SSL::log_key_material things you’ve added? Similarly there’s an event called ssl_extension_supported_versions but I don’t see an SSL::extension_supported_versions Boolean anywhere.

Assuming your local.zeek is correct for your installation then you have a few options:

If you’re using zeekctl, you can check the sequence of scripts loaded via the zeekctl scripts command. Also make sure you’ve run zeekctl deploy to install your updated scripts.

If you’re not using zeekctl, you can add policy/misc/loaded-scripts to your setup to get a loaded_scripts log that reports the same sequence of loaded scripts.

Best,
Christian

Hi

Thanks for the quick response
I’m running it in Docker; I used the blacktop image, so I assume that when it starts, it uses the local.zeek
At the beginning, I added the
@load policy/protocols/ssl/ssl-log-ext
But it didn’t add any extended log information (and I communicated using TLS 1.2)
So I tried to add all the other commands (which didn’t help)
Should I do anything other than adding the @load policy/protocols/ssl/ssl-log-ext to the local.zeek?
Zeek itself is running (I can see the ssl.log)

Thanks again for your help

Have a nice day

I recommend you use our Docker images since they’re more recent. Here’s a demo that shows that adding just the ssl-log-ext script is all that’s required. This uses one of our own TLS 1.2 test pcaps:

$ docker run -it zeek/zeek
root@672ce696e64a:/# zeek --version
zeek version 5.2.1
root@672ce696e64a:/# apt-get -qq update
root@672ce696e64a:/# apt-get install -y wget >/dev/null 2>&1
root@672ce696e64a:/# wget --quiet -O tls1.2.trace "https://github.com/zeek/zeek/blob/master/testing/btest/Traces/tls/tls1.2.trace?raw=true"
root@672ce696e64a:/# zeek -r tls1.2.trace
root@672ce696e64a:/# cat ssl.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   ssl
#open   2023-04-14-00-13-01
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  curve   server_name     resumed last_alert      next_protocol   established     ssl_history     cert_chain_fps  client_cert_chain_fps   sni_matches_cert
#types  time    string  addr    port    addr    port    string  string  string  string  bool    string  string  bool    string  vector[string]  vector[string]  bool
1357328848.549370       C1Wo982hrLxFvBYou3      10.0.0.80       56637   68.233.76.12    443     TLSv12  TLS_RSA_WITH_RC4_128_MD5        -       -       F       -       -       T       CsxnGIi 95cb443934beda97627688546191ab1d3989a835592cebdd2434f9ad41324ce1,7363593d116aafcf804b974465546e1f02ed74b52db529ba7520345e5fed1ed4,687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2   (empty) -
#close  2023-04-14-00-13-02
root@672ce696e64a:/# zeek -r tls1.2.trace policy/protocols/ssl/ssl-log-ext
root@672ce696e64a:/# cat ssl.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   ssl
#open   2023-04-14-00-13-28
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  curve   server_name     resumed last_alert      next_protocol   established     ssl_history     cert_chain_fps  client_cert_chain_fps   sni_matches_cert     server_version  client_version  client_ciphers  ssl_client_exts ssl_server_exts ticket_lifetime_hint    dh_param_size   point_formats   client_curves   orig_alpn       client_supported_versions       server_supported_version        psk_key_exchange_modes       client_key_share_groups server_key_share_group  client_comp_methods     sigalgs hashalgs
#types  time    string  addr    port    addr    port    string  string  string  string  bool    string  string  bool    string  vector[string]  vector[string]  bool    count   count   vector[count]   vector[count]   vector[count]   count   count   vector[count]        vector[count]   vector[string]  vector[count]   count   vector[count]   vector[count]   count   vector[count]   vector[count]   vector[count]
1357328848.549370       CS6Mq8cLDBNpa1Iu5       10.0.0.80       56637   68.233.76.12    443     TLSv12  TLS_RSA_WITH_RC4_128_MD5        -       -       F       -       -       T       CsxnGIi 95cb443934beda97627688546191ab1d3989a835592cebdd2434f9ad41324ce1,7363593d116aafcf804b974465546e1f02ed74b52db529ba7520345e5fed1ed4,687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2   (empty) -       771     771     49200,49196,49192,49188,49172,49162,49186,49185,163,159,107,106,57,56,136,135,49202,49198,49194,49190,49167,49157,157,61,53,132,49170,49160,49180,49179,22,19,49165,49155,10,49199,49195,49191,49187,49171,49161,49183,49182,162,158,103,64,51,50,154,153,69,68,49201,49197,49193,49189,49166,49156,156,60,47,150,65,7,49169,49159,49164,49154,5,4,21,18,9,20,17,8,6,3,255        11,10,35,13,15  65281   -       -       -       14,13,25,11,12,24,9,10,22,23,8,6,7,20,21,4,5,18,19,1,2,3,15,16,17       -       -       -       -       -       -       1,0     1,2,3,1,2,3,1,2,3,1,2,3,1,2,3,1 6,6,6,5,5,5,4,4,4,3,3,3,2,2,2,1
#close  2023-04-14-00-13-28

Best,
Christian

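As an added example (not code from this thread or from the Zeek project), here is a small Python parser for Zeek's TSV log format that reads the ssl-log-ext columns shown in the demo above, decodes the numeric IDs (771 is 0x0303, i.e. TLS 1.2; client_ciphers and ssl_client_exts are IANA code points) and flags weak offered or negotiated cipher suites. The sample ssl.log row is constructed from the demo output with most columns dropped, the cipher and extension tables cover only the IDs in that sample, and the loaded_scripts.log sample and its install paths are assumed. The same parser reads a loaded_scripts.log (policy/misc/loaded-scripts, as suggested in the first reply), which answers the "how can I verify" question from the opening post.

```python
from typing import Any, Dict, List

# Constructed sample: one row from the thread's ssl-log-ext demo, most columns
# dropped and client_ciphers cut down to a handful of the offered IDs.
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_version\tclient_version\tclient_ciphers\tssl_client_exts\tclient_supported_versions\tsigalgs
#types\ttime\tstring\taddr\taddr\tport\tstring\tstring\tcount\tcount\tvector[count]\tvector[count]\tvector[count]\tvector[count]
1357328848.549370\tCS6Mq8cLDBNpa1Iu5\t10.0.0.80\t68.233.76.12\t443\tTLSv12\tTLS_RSA_WITH_RC4_128_MD5\t771\t771\t49200,49196,157,156,47,10,5,4,255\t11,10,35,13,15\t-\t1,2,3
#close\t2023-04-14-00-13-28
"""
# Constructed loaded_scripts.log (from policy/misc/loaded-scripts); install paths assumed.
SAMPLE_LOADED_SCRIPTS = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tloaded_scripts
#fields\tname
#types\tstring
/usr/local/zeek/share/zeek/policy/protocols/ssl/ssl-log-ext.zeek
/usr/local/zeek/share/zeek/site/local.zeek
#close\t2023-04-14-00-13-28
"""
# IANA TLS code points, limited to the IDs that occur in the sample.
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384", 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv10", 0x0302: "TLSv11", 0x0303: "TLSv12", 0x0304: "TLSv13"}
EXTENSION_NAMES = {10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms",
                   15: "heartbeat", 35: "session_ticket", 43: "supported_versions", 65281: "renegotiation_info"}
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "_MD5", "_NULL_", "EXPORT")


def _convert(raw: str, typ: str, set_sep: str, unset: str, empty: str) -> Any:
    if raw == unset:
        return None                      # "-": field unset, e.g. no supported_versions extension sent
    if typ.startswith(("vector[", "set[")):
        if raw == empty:
            return []                    # "(empty)": container present but empty
        inner = typ[typ.index("[") + 1:-1]
        return [_convert(v, inner, set_sep, unset, empty) for v in raw.split(set_sep)]
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "double", "interval"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw


def parse_zeek_tsv(text: str) -> List[Dict[str, Any]]:
    """Parse a Zeek ASCII log, honouring its #separator/#set_separator/#fields/#types headers."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, rows = [], [], []     # type: List[str], List[str], List[Dict[str, Any]]
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):   # written as "\x09" before the separator is known
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator": set_sep = val
            elif key == "unset_field": unset = val
            elif key == "empty_field": empty = val
            elif key == "fields": fields = val.split(sep)
            elif key == "types": types = val.split(sep)
        else:
            cells = line.split(sep)
            rows.append({n: _convert(c, t, set_sep, unset, empty) for n, t, c in zip(fields, types, cells)})
    return rows


def weak_reasons(cipher_name: str) -> List[str]:
    """Why a suite is considered weak (RC4, 3DES, DES, MD5, NULL, EXPORT); empty list if none apply."""
    return [m.strip("_") for m in WEAK_MARKERS if m in cipher_name]


def analyze(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Decode the ssl-log-ext columns of each ssl.log row and flag weak crypto."""
    out = []
    for r in rows:
        negotiated = r.get("cipher") or ""
        offered = [CIPHER_NAMES.get(c, f"unknown_0x{c:04X}") for c in r.get("client_ciphers") or []]
        out.append({
            "uid": r["uid"],
            "extended": "client_ciphers" in r,            # False means ssl-log-ext was not loaded
            "version": VERSION_NAMES.get(r.get("server_version"), r.get("version")),
            "negotiated": negotiated,
            "negotiated_weak": weak_reasons(negotiated),
            "no_forward_secrecy": negotiated.startswith("TLS_RSA_"),   # static RSA key exchange
            "offered_weak": sorted({n for n in offered if weak_reasons(n)}),
            "client_exts": [EXTENSION_NAMES.get(e, str(e)) for e in r.get("ssl_client_exts") or []],
            "client_offers_tls13": 0x0304 in (r.get("client_supported_versions") or []),
        })
    return out


def ssl_log_ext_loaded(loaded_scripts_text: str) -> bool:
    """True if loaded_scripts.log shows policy/protocols/ssl/ssl-log-ext.zeek was loaded."""
    return any(r["name"].endswith("policy/protocols/ssl/ssl-log-ext.zeek")
               for r in parse_zeek_tsv(loaded_scripts_text))
```

Feed parse_zeek_tsv the contents of a real ssl.log: if extended comes back False for every row, the ssl-log-ext script was not loaded, which is the same conclusion ssl_log_ext_loaded draws from loaded_scripts.log. On the demo row the negotiated suite is static RSA with RC4 and MD5, and the client also offered 3DES, so both the negotiated and offered checks fire.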

Hi

The results you sent seem great, thanks
Will try your docker
Just to be sure, what is the exact command that you used when you ran your Docker?

Have a nice day
Ravid

Hi

I downloaded your LTS image; however, I didn’t find how to run it when I need to:

  1. Use my local.zeek
  2. Set the network interface to be other than eth0 and to be configurable
    I didn’t find any relevant documentation

Can you please tell me how to do it or where is the relevant document?

Thanks in advance

Have a nice day
Ravid

Think that’s mostly docker usability? You can bind-mount a file into the container and access it there. When you start the container with --net=host, you have access to all the host’s interfaces.

$ echo "@load policy/protocols/ssl/ssl-log-ext" > my-local.zeek
# Bind-mount my-local.zeek into container as /local.zeek
$ docker run -v$(pwd)/my-local.zeek:/local.zeek -it --rm --net=host zeek/zeek


# In the container:
$ cat /local.zeek 
@load policy/protocols/ssl/ssl-log-ext
$ cat /proc/net/dev | cut -d ':' -f 1
...
wlp0s20f3

# Sniff the wlan interface using custom local.zeek
$ zeek -C -i wlp0s20f3 /local.zeek

Hi

Thanks a lot for your fast reply
I tried to run docker run with the -i parameter but received an error
What more am I missing?
Is there a documented option to use docker-compose with Zeek?

Have a nice day
Ravid

Please share the full command you’re running and the output it produces, it’s otherwise hard to see what’s actually happening.

You replaced “wlp0s20f3” with an interface name of your system, yes?