ssl analyzer

Hi all,
I am using Red Hat Linux 7.3 with SSL v2 (has known vulnerability) to do some
experiments. I use Mozilla Firefox to access the https service in Linux 7.3
that has a self-signed certificate. I let Bro monitor this access. The
following log is in the Weird log file.

1127272310.138988 ** 192.168.1.2/47011 > 172.16.112.5/https: SSLv2: FATAL: recordLength doesn't match data block length!
1127272315.420757 ** 192.168.1.2/47012 > 172.16.112.5/https: SSLv2: FATAL: recordLength doesn't match data block length!

And the ssl.log is empty.

Two questions:
(1) What are these two log entries about?
(2) I found no event in the ssl analyzer was fired. I put a single print command
in each event handler in the ssl analyzer, and no single event handler was
called. Why can this happen? Please note that I already load ssl in mt.bro
and I run bro like this "./bro -i eth1 mt".

Any suggestion or comment?

Thanks for your time

Bing

The two errors are from the event generation side of Bro in SSLv2.cc, in the section where the record header is being analyzed. The analysis probably does not even get to the policy side, so adding further print statements will not get you anywhere.

Look at SSLv2_Interpreter::NewSSLRecord(); there is a consistency test being done between the length of the header record and the value that the header record claims. Probably around line 154 or 170.

If you have a trace of this transaction, I would be happy to run it and see if there is a problem with the analyzer.

thanks!

scott
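
The kind of consistency test described in the reply above, as an added example that is not Bro's SSLv2.cc code and not part of the original thread: it parses an SSLv2 record header (2-byte or 3-byte form, per the SSL 2.0 specification) and compares the length the header claims with the bytes actually delivered. The names `check_sslv2_record`, `Sslv2Header` and `RecordCheck` are hypothetical, the sample bytes are constructed, and comparing against the whole delivered block is an assumption about how such a check is framed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class RecordCheck { Ok, TooShortForHeader, LengthMismatch };

struct Sslv2Header {
    std::size_t header_len = 0;  // 2 or 3 bytes
    std::size_t record_len = 0;  // body length claimed by the header
    std::size_t padding = 0;     // 3-byte form only
    bool is_escape = false;      // 3-byte form only
};

// SSL 2.0 record header:
//   byte0 MSB set   -> 2-byte header, 15-bit length, no padding
//   byte0 MSB clear -> 3-byte header, 14-bit length, bit 6 = escape flag,
//                      byte2 = padding length
RecordCheck check_sslv2_record(const std::vector<std::uint8_t>& block,
                               Sslv2Header& out) {
    out = Sslv2Header{};
    if (block.size() < 2) return RecordCheck::TooShortForHeader;
    if (block[0] & 0x80) {
        out.header_len = 2;
        out.record_len = (static_cast<std::size_t>(block[0] & 0x7f) << 8) | block[1];
    } else {
        if (block.size() < 3) return RecordCheck::TooShortForHeader;
        out.header_len = 3;
        out.record_len = (static_cast<std::size_t>(block[0] & 0x3f) << 8) | block[1];
        out.is_escape = (block[0] & 0x40) != 0;
        out.padding = block[2];
    }
    // Consistency test: claimed body length must equal the bytes that follow
    // the header. A mismatch stops analysis before any event is generated.
    if (block.size() - out.header_len != out.record_len)
        return RecordCheck::LengthMismatch;
    return RecordCheck::Ok;
}

int main() {
    Sslv2Header h;
    // Constructed sample: header claims 4 body bytes, only 3 are present.
    std::vector<std::uint8_t> truncated = {0x80, 0x04, 0x01, 0x02, 0x03};
    RecordCheck r = check_sslv2_record(truncated, h);
    std::printf("claimed=%zu delivered=%zu mismatch=%d\n", h.record_len,
                truncated.size() - h.header_len,
                r == RecordCheck::LengthMismatch);
    return 0;
}
```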