This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

Include Zeek scripts for JA3/JA3s and HASSH #11

Closed
philrz opened this issue Apr 7, 2020 · 3 comments · Fixed by #30
Comments


philrz commented Apr 7, 2020

As described in the Brim v0 demo video, JA3/JA3S and HASSH are well-known scripts in the Zeek community for gaining insight into encrypted traffic. As their licenses appear to allow their use in tools such as Brim, they should be included as part of the default configuration in its embedded Zeek. This way the additional logs/fields they generate will be part of the Zeek events generated when Brim processes a pcap file that was opened in the app by the user.

Scope of the implementation includes:

  1. Including the licenses in the Acknowledgments that ship with the app
  2. Ensuring the scripts are packaged correctly into artifacts on all supported Brim platforms
  3. Ensuring Zeek logs generated on all supported Brim platforms include the expected additional logs/fields

philrz commented Apr 7, 2020

Implementation note: Just to prove to myself that this would be pretty trivial, using an npm install'd local Dev checkout of Brim in my ~work/brim, I was able to get JA3/HASSH data included in my generated logs with these simple steps:

~/work$ git clone https://github.com/salesforce/ja3.git
~/work$ git clone https://github.com/salesforce/hassh.git
~/work$ cd ~/work/brim
~/work/brim$ mv ~/work/ja3/zeek zdeps/zeek/share/zeek/site/ja3
~/work/brim$ mv ~/work/hassh/bro zdeps/zeek/share/zeek/site/hassh
~/work/brim$ echo "@load ./ja3" >> zdeps/zeek/share/zeek/site/local.zeek
~/work/brim$ echo "@load ./hassh" >> zdeps/zeek/share/zeek/site/local.zeek


philrz commented Apr 20, 2020

I've put up a PR at salesforce/hassh#10 to try and get HASSH de-Bro'ed before we include it in Brim. I also pinged Ben Reardon on Slack to see if he could help push it through with his contacts back at Salesforce.

nwt pushed a commit that referenced this issue Apr 24, 2020
…cket

An attacker can make Zeek crash by posting the KEX packet twice, which
will result in an assertion failure in binpac::datastring::init():

 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1  0x00007ffff5196535 in __GI_abort () at abort.c:79
 #2  0x00007ffff519640f in __assert_fail_base (fmt=0x7ffff52f86e0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x1d33530 "!data_",
     file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h", line=108, function=<optimized out>) at assert.c:92
 #3  0x00007ffff51a3b92 in __GI___assert_fail (assertion=0x1d33530 "!data_", file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h",
     line=108, function=0x1d3356c "void binpac::datastring<unsigned char>::init(const T *, int) [T = unsigned char]") at assert.c:101
 #4  0x0000000000c1e970 in binpac::datastring<unsigned char>::init (this=0x608000d609d0, begin=0x603001bdd1d0 "diffie-hellman-group16-sha512", length=29)
     at aux/binpac/lib/binpac_bytestring.h:108
 #5  0x0000000000e9ab60 in binpac::SSH::SSH_Conn::update_kex (this=0x608000d609a0, algs=..., orig=true) at src/analyzer/protocol/ssh/ssh_pac.cc:205
 #6  0x0000000000ea0d06 in binpac::SSH::SSH2_KEXINIT::Parse (this=0x60b000734680,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1598
 #7  0x0000000000e9f8f4 in binpac::SSH::SSH2_Message::Parse (this=0x608000d60ea0,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1326
 #8  0x0000000000e9d7e1 in binpac::SSH::SSH2_Key_Exchange::Parse (this=0x604001779850,
     t_begin_of_data=0x621000004751 "\006\024\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1210
 #9  0x0000000000e9c981 in binpac::SSH::SSH_Key_Exchange::ParseBuffer (this=0x603001bdccc0, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90,
     t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:628
 #10 0x0000000000e9c26c in binpac::SSH::SSH_PDU::ParseBuffer (this=0x604001779810, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90)
     at src/analyzer/protocol/ssh/ssh_pac.cc:446
 #11 0x0000000000ea6f04 in binpac::SSH::SSH_Flow::NewData (this=0x604001774690, t_begin_of_data=0x62100000474d "",
     t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:3071
 #12 0x0000000000e9a38f in binpac::SSH::SSH_Conn::NewData (this=0x608000d609a0, is_orig=true, begin=0x62100000474d "",
     end=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:63
 #13 0x0000000000e98335 in analyzer::SSH::SSH_Analyzer::DeliverStream (this=0x7fffffffdd40, len=1080, data=0x62100000474d "", orig=true)
     at src/analyzer/protocol/ssh/SSH.cc:68

With assertions turned off, this would "only" be a memory leak.

This commit fixes the vulnerability by freeing and clearing the
`binpac::datastring` before assigning a new value.
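The double initialisation behind the commit referenced above, as an added example that is not Zeek's or binpac's code (the datastring model, SSHConn, update_kex_unsafe, update_kex_fixed and replay_kexinit are hypothetical names): the unsafe update re-inits a live string on a repeated KEXINIT, the fixed one frees and clears it before assigning.

```cpp
#include <cstring>
#include <string>
// Constructed counter of buffers allocated but not released: makes the leak
// visible for builds with assertions disabled.
static int g_live_buffers = 0;
// Hypothetical stand-in for binpac::datastring<unsigned char>. Real binpac guards
// init() with assert(!data_); this model records the violation, then leaks like NDEBUG.
struct datastring {
    unsigned char* data_ = nullptr;
    int length_ = 0;
    bool double_init = false;  // set when init() finds a live buffer
    void init(const unsigned char* begin, int length) {
        if (data_) double_init = true;  // what assert(!data_) would catch
        data_ = new unsigned char[length];
        ++g_live_buffers;
        std::memcpy(data_, begin, length);
        length_ = length;
    }
    void free_() {
        if (data_) { delete[] data_; --g_live_buffers; }
        data_ = nullptr;
        length_ = 0;
    }
};
// Per-connection KEX state as update_kex() in the trace fills it.
struct SSHConn {
    datastring kex_alg;
    // Before the fix: a repeated KEXINIT re-inits a live buffer.
    void update_kex_unsafe(const std::string& alg) {
        kex_alg.init((const unsigned char*)alg.data(), (int)alg.size());
    }
    // After the fix: free and clear before assigning the new value.
    void update_kex_fixed(const std::string& alg) {
        kex_alg.free_();
        kex_alg.init((const unsigned char*)alg.data(), (int)alg.size());
    }
};
struct Outcome { bool double_init; int leaked; };
// Replay the same KEXINIT twice (constructed input); report guard hit and leaked buffers.
Outcome replay_kexinit(bool fixed) {
    g_live_buffers = 0;
    const std::string alg = "diffie-hellman-group16-sha512";  // value from the trace
    SSHConn conn;
    for (int i = 0; i < 2; ++i)
        fixed ? conn.update_kex_fixed(alg) : conn.update_kex_unsafe(alg);
    bool double_init = conn.kex_alg.double_init;
    conn.kex_alg.free_();  // release the live buffer; whatever is still counted leaked
    return Outcome{double_init, g_live_buffers};
}
```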
philrz added this to the Brim v0.10.0 milestone May 4, 2020
philrz modified the milestones: Brim v0.10.0, Brim v0.11.0 Jun 1, 2020
philrz closed this as completed in #30 Jun 4, 2020

philrz commented Jun 5, 2020

Verified in Brim commit e079837.

To verify, I made release artifacts on macOS, Windows, and Linux at that commit and imported pcaps to confirm the generated Zeek data now has the JA3/HASSH fields on ssl and ssh events, respectively.

On macOS, Linux, and Windows: [screenshots of the ssl and ssh events showing the JA3 and HASSH fields]

Thanks @nwt!
