istate.events-ssl test

Robin,

I think w/ the new commits I just did on fastpath all the current unit tests are passing except for istate.events-ssl. What's the status of that one? Looks like it's just missing a baseline?

- Jon

$ btest -D istate/events-ssl.bro
istate.events-ssl ... failed
  % 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
  % cat .diag
  == File ===============================
  1307736535.043138 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
  1307736535.043138 %events-send-1 > USER-AGENT: Wget/1.10
  1307736535.043138 %events-send-1 > ACCEPT: */*
  1307736535.043138 %events-send-1 > HOST: www.icir.org
  1307736535.043138 %events-send-1 > CONNECTION: Keep-Alive
  1307736535.227178 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
  1307736535.227178 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
  1307736535.227178 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
  1307736535.227178 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
  1307736535.227178 %events-send-1 < ACCEPT-RANGES: bytes
  1307736535.227178 %events-send-1 < CONTENT-LENGTH: 9130
  1307736535.227178 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
  1307736535.227178 %events-send-1 < CONNECTION: Keep-Alive
  1307736535.227178 %events-send-1 < CONTENT-TYPE: text/html
  1307736535.411667 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
  1307736535.411961 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
  1307736535.595485 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
  1307736535.595485 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
  == Error ===============================
  test-diff: no baseline found.

SSL is going to be a bit messed up for now because the new analyzer has been merged in but there isn't a script to go with it. Partly because I'm running into a bug with the core analyzer and I can't really write a comprehensive script yet.

  .Seth

> I think w/ the new commits I just did on fastpath all the current unit
> tests are passing except for istate.events-ssl.

Great, thanks! I'll merge that soon.

> What's the status of that one? Looks like it's just missing a
> baseline?

No, the SSL communication is actually not working for a reason I
haven't figured out yet. The same kind of test worked fine with Bro
1.5 and the old istate test-suite, but it seems something broke when I
rewrote the test for btest. Not sure yet what.

> 1307736535.043138 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80

Note that this is only the sender side; iirc, I didn't see anything
received at the other end, and the connection was just aborted.

Robin

(This is about SSL-encrypted Bro-to-Bro communication, not related to
the analyzer.)

Robin

> No, the SSL communication is actually not working for a reason I
> haven't figured out yet. The same kind of test worked fine with Bro
> 1.5 and the old istate test-suite, but it seems something broke when I
> rewrote the test for btest. Not sure yet what.

The CA cert that the test is using expired last March. (see output at bottom).

> 1307736535.043138 %events-send-1 start 141.42.64.125:56730 >
> 125.190.109.199:80

> Note that this is only the sender side; iirc, I didn't see anything
> received at the other end, and the connection was just aborted.

I tried generating my own keys and replacing what was in the test and the receiver looks like it saw everything (again output below). Let me know if it looks right to you and I can probably follow through and commit a working test unless you want to.

- Jon

$ openssl x509 -in ca_cert.pem -noout -enddate
notAfter=Mar 10 04:13:23 2011 GMT

$ ssldump -i lo0
New TCP connection #1: localhost(51344) <-> localhost(47756)
1 1 0.0011 (0.0011) C>S Handshake
      ClientHello
        Version 3.0
        cipher suites
        Unknown value 0x3a
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        Unknown value 0x34
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                unknown value
                  NULL
1 2 0.0012 (0.0001) S>C Handshake
      ServerHello
        Version 3.0
        session_id[32]=
          d7 3d eb 9a c8 d9 f1 e7 de fb 3a 2a 2d c3 4f 64
          cc 26 46 d1 e0 41 34 2c 95 a9 8c 37 f9 8c 51 43
        cipherSuite Unknown value 0x35
        compressionMethod unknown value
1 3 0.0012 (0.0000) S>C Handshake
      Certificate
1 4 0.0012 (0.0000) S>C Handshake
      CertificateRequest
        certificate_types rsa_sign
        certificate_types dss_sign
      ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
    level fatal
    value certificate_expired
1 6 0.0025 (0.0001) C>S Alert
    level fatal
    value certificate_expired
1 7 0.0027 (0.0001) C>S Alert
    level fatal
    value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
1 0.0029 (0.0001) S>C TCP FIN

# after replacing keys

$ btest -D istate/events-ssl.bro
istate.events-ssl ... failed
  % 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
  % cat .diag
  == File ===============================
  1307985621.588992 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
  1307985621.588992 %events-send-1 > USER-AGENT: Wget/1.10
  1307985621.588992 %events-send-1 > ACCEPT: */*
  1307985621.588992 %events-send-1 > HOST: www.icir.org
  1307985621.588992 %events-send-1 > CONNECTION: Keep-Alive
  1307985621.773032 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
  1307985621.773032 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
  1307985621.773032 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
  1307985621.773032 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
  1307985621.773032 %events-send-1 < ACCEPT-RANGES: bytes
  1307985621.773032 %events-send-1 < CONTENT-LENGTH: 9130
  1307985621.773032 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
  1307985621.773032 %events-send-1 < CONNECTION: Keep-Alive
  1307985621.773032 %events-send-1 < CONTENT-TYPE: text/html
  1307985621.957521 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
  1307985621.957815 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
  1307985622.141339 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
  1307985622.141339 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
  == Error ===============================
  test-diff: no baseline found.
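As an added example (not code from the Bro test-suite or from anyone in this thread), two stdlib-only Python checks for the failure mode above: parsing the `openssl x509 -noout -enddate` line so a fixture cert can be flagged before the test runs, and pulling the fatal alerts out of an ssldump trace so the cause shows up directly instead of as an aborted connection. The sample inputs are constructed from the outputs quoted in the thread; `check_pem` assumes an `openssl` binary on the PATH.

```python
# Added example, not from the Bro/btest sources: stdlib-only checks for the
# failure in the thread above; sample inputs are constructed from Jon's output.
import ssl
import subprocess
import time

ENDDATE_SAMPLE = "notAfter=Mar 10 04:13:23 2011 GMT\n"  # `openssl x509 -noout -enddate`

SSLDUMP_SAMPLE = """\
1 4 0.0012 (0.0000) S>C Handshake
      ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
    level fatal
    value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
"""

def parse_not_after(enddate_output):
    """notAfter as UTC epoch seconds; ssl.cert_time_to_seconds parses OpenSSL's format."""
    for line in enddate_output.splitlines():
        if line.startswith("notAfter="):
            return ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
    raise ValueError("no notAfter= line in openssl output")

def days_remaining(enddate_output, now=None):
    """Days until expiry relative to `now` (epoch seconds); negative once expired."""
    now = time.time() if now is None else now
    return (parse_not_after(enddate_output) - now) / 86400.0

def check_pem(path, min_days=30):
    """Pre-test guard: True if the PEM cert at `path` stays valid for min_days."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout
    return days_remaining(out) >= min_days

def fatal_alerts(ssldump_text):
    """Descriptions of every fatal TLS alert record in an ssldump trace."""
    lines, found = ssldump_text.splitlines(), []
    for i, line in enumerate(lines):
        if not line.rstrip().endswith(" Alert"):  # record header, e.g. "... C>S Alert"
            continue
        level = value = None
        for follow in lines[i + 1:i + 3]:         # the two indented lines after it
            key, _, val = follow.strip().partition(" ")
            if key == "level":
                level = val
            elif key == "value":
                value = val
        if level == "fatal":
            found.append(value)
    return found
```

With `now` set to the sender log's timestamp from the failing run (1307736535), `days_remaining(ENDDATE_SAMPLE, now=1307736535.0)` comes out negative, matching the `certificate_expired` alerts ssldump showed.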

(This was supposed to have been sent already ...)

> The CA cert that the test is using expired last March. (see output at bottom).

D'oh! That's something Bro should report a bit more directly I guess ...

> I tried generating my own keys and replacing what was in the test and
> the receiver looks like it saw everything (again output below).

Yes, looks good. It should match the output from the clear-text
version of the test. If that's the case, feel free to commit.

Thanks!

Robin