[Bro] ssl analyzer

scott campbell scampbell at lbl.gov
Wed Sep 21 10:53:41 PDT 2005


bchen at cs.ucf.edu wrote:
> Hi all,
>   I am using Redhat Linux 7.3 with SSL v2 (has known vulnerability) to do some
> experiments. I use Mozilla Firefox to access the https service in Linux 7.3
> that has a self-signed certificate. I let Bro monitor this access. The
> following log is in Weird log file.
> 
> 1127272310.138988 ** 192.168.1.2/47011 > 172.16.112.5/https: SSLv2: FATAL: recordLength doesn't match data block length!
> 1127272315.420757 ** 192.168.1.2/47012 > 172.16.112.5/https: SSLv2: FATAL: recordLength doesn't match data block length!
> 
> And the ssl.log is empty.
> 
> Two questions:
> (1) What are these two log entries about?
> (2) I found no event in the ssl analyzer was fired. I put a single print command
> in each event handler in the ssl analyzer, and no single event handler was
> called. Why can this happen? Please note that I already load ssl in mt.bro
> and I run bro like this "./bro -i eth1 mt".
> 
> Any suggestion or comment?
> 
> thanks for your time
> 
> 
> Bing

The two errors are from the event generation side of Bro in SSLv2.cc, in 
the section where the record header is being analyzed.  The analysis 
probably does not even get to the policy side, so adding further print 
statements will not get you anywhere.

Look at SSLv2_Interpreter::NewSSLRecord(); there is a consistency test 
being done between the length of the header record and the value that 
the header record claims.  Probably around line 154 or 170.

If you have a trace of this transaction, I would be happy to run it and 
see if there is a problem with the analyzer.

thanks!

scott
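
The header-versus-data-block consistency test described in the reply above, sketched as an added example that is not part of the original thread and is not Bro's SSLv2.cc code: it parses the 2-byte and 3-byte SSLv2 record header forms and compares the claimed length with the bytes actually present. The names `parse_sslv2_header`, `check_record` and `make_block`, and the sample blocks, are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<std::uint8_t>;
enum class RecordCheck { Ok, TooShortForHeader, LengthMismatch };
struct Sslv2Header {
    std::size_t header_len;  // 2 or 3 bytes
    std::size_t record_len;  // bytes the header claims follow it
    std::uint8_t padding;    // 3-byte headers only
    bool is_escape;          // 3-byte headers only
};

// SSLv2 record header: high bit of byte 0 set -> 2-byte header, 15-bit length;
// high bit clear -> 3-byte header, 14-bit length, escape bit, padding byte.
bool parse_sslv2_header(const Bytes& d, Sslv2Header& h) {
    if (d.size() < 2) return false;
    const std::size_t hi = d[0], lo = d[1];
    if (d[0] & 0x80) {
        h = Sslv2Header{2, ((hi & 0x7f) << 8) | lo, 0, false};
        return true;
    }
    if (d.size() < 3) return false;
    h = Sslv2Header{3, ((hi & 0x3f) << 8) | lo, d[2], (d[0] & 0x40) != 0};
    return true;
}

// Assumed form of the test: header plus claimed length must account for
// exactly the bytes in the data block, and padding must fit in the record.
RecordCheck check_record(const Bytes& block) {
    Sslv2Header h{};
    if (!parse_sslv2_header(block, h)) return RecordCheck::TooShortForHeader;
    if (h.padding > h.record_len || h.header_len + h.record_len != block.size())
        return RecordCheck::LengthMismatch;
    return RecordCheck::Ok;
}

// Constructed sample input: header bytes followed by `payload` zero bytes.
Bytes make_block(Bytes header, std::size_t payload) {
    header.insert(header.end(), payload, std::uint8_t{0});
    return header;
}

int main() {
    const Bytes good = make_block({0x80, 0x2b}, 43);  // claims 43, carries 43
    const Bytes cut = make_block({0x80, 0x2b}, 20);   // claims 43, carries 20
    std::printf("good: %s\n", check_record(good) == RecordCheck::Ok ? "ok" : "mismatch");
    std::printf("cut:  %s\n", check_record(cut) == RecordCheck::Ok ? "ok" : "mismatch");
    return 0;
}
```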
