mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 00:58:19 +00:00
Change x509 log - now certificates are only logged once per hour.
Add parsing of several more types to SAN extension. Make error messages of x509 file analyzer more useful. Fix file ID generation. You apparently have to be very careful which EndOfFile function of the file analysis framework you call... otherwhise it might try to close another file id. This took me quite a while to find. addresses BIT-953, BIT-760, BIT-1150
This commit is contained in:
Bernhard Amann
parent
7eb6b5133e
commit
0d50b8b04f
10 changed files with 242 additions and 55 deletions
|
|
@ -11,29 +11,34 @@ export {
|
|||
## complete signing chain.
|
||||
cert_chain: vector of Files::Info &optional;
|
||||
|
||||
## An ordered vector of all certicate file unique IDs for the
|
||||
## An ordered vector of all certicate sha1 hashes for the
|
||||
## certificates offered by the server.
|
||||
cert_chain_fuids: vector of string &optional &log;
|
||||
cert_chain_sha1s: vector of string &optional &log;
|
||||
|
||||
## Chain of certificates offered by the client to validate its
|
||||
## complete signing chain.
|
||||
client_cert_chain: vector of Files::Info &optional;
|
||||
|
||||
## An ordered vector of all certicate file unique IDs for the
|
||||
## An ordered vector of all certicate sha1 hashes for the
|
||||
## certificates offered by the client.
|
||||
client_cert_chain_fuids: vector of string &optional &log;
|
||||
client_cert_chain_sha1s: vector of string &optional &log;
|
||||
|
||||
## Subject of the X.509 certificate offered by the server.
|
||||
subject: string &log &optional;
|
||||
subject: string &log &optional;
|
||||
## Subject of the signer of the X.509 certificate offered by the
|
||||
## server.
|
||||
issuer: string &log &optional;
|
||||
issuer: string &log &optional;
|
||||
|
||||
## Subject of the X.509 certificate offered by the client.
|
||||
client_subject: string &log &optional;
|
||||
client_subject: string &log &optional;
|
||||
## Subject of the signer of the X.509 certificate offered by the
|
||||
## client.
|
||||
client_issuer: string &log &optional;
|
||||
client_issuer: string &log &optional;
|
||||
|
||||
## current number of certificates seen from either side. Used
|
||||
## to create file handles
|
||||
server_depth: count &default=0;
|
||||
client_depth: count &default=0;
|
||||
};
|
||||
|
||||
## Default file handle provider for SSL.
|
||||
|
|
@ -45,7 +50,22 @@ export {
|
|||
|
||||
function get_file_handle(c: connection, is_orig: bool): string
|
||||
{
|
||||
return cat(Analyzer::ANALYZER_SSL, c$start_time);
|
||||
set_session(c);
|
||||
|
||||
local depth: count;
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
depth = c$ssl$client_depth;
|
||||
++c$ssl$client_depth;
|
||||
}
|
||||
else
|
||||
{
|
||||
depth = c$ssl$server_depth;
|
||||
++c$ssl$server_depth;
|
||||
}
|
||||
|
||||
return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
|
||||
}
|
||||
|
||||
function describe_file(f: fa_file): string
|
||||
|
|
@ -54,7 +74,19 @@ function describe_file(f: fa_file): string
|
|||
if ( f$source != "SSL" )
|
||||
return "";
|
||||
|
||||
# Fixme!
|
||||
# It is difficult to reliably describe a certificate - especially since
|
||||
# we do not know when this function is called (hence, if the data structures
|
||||
# are already populated).
|
||||
#
|
||||
# Just return a bit of our connection information and hope that that is good enough.
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
if ( f$conns[cid]?$ssl )
|
||||
{
|
||||
local c = f$conns[cid];
|
||||
return cat(c$id$resp_h, ":", c$id$resp_p);
|
||||
}
|
||||
}
|
||||
|
||||
return "";
|
||||
}
|
||||
|
|
@ -75,30 +107,22 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
{
|
||||
c$ssl$cert_chain = vector();
|
||||
c$ssl$client_cert_chain = vector();
|
||||
c$ssl$cert_chain_fuids = string_vec();
|
||||
c$ssl$client_cert_chain_fuids = string_vec();
|
||||
}
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
|
||||
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
|
||||
}
|
||||
else
|
||||
{
|
||||
c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
|
||||
c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
|
||||
}
|
||||
|
||||
Files::add_analyzer(f, Files::ANALYZER_X509);
|
||||
# always calculate hashes for certificates
|
||||
# always calculate hashes. SHA1 is always required for certificates.
|
||||
Files::add_analyzer(f, Files::ANALYZER_MD5);
|
||||
Files::add_analyzer(f, Files::ANALYZER_SHA1);
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=6
|
||||
{
|
||||
# update subject and issuer information
|
||||
# update subject and issuer information as well as sha1 hashes
|
||||
if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
|
||||
{
|
||||
c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
|
||||
|
|
@ -110,4 +134,19 @@ event ssl_established(c: connection) &priority=6
|
|||
c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
|
||||
c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
|
||||
}
|
||||
|
||||
|
||||
if ( c$ssl?$cert_chain )
|
||||
{
|
||||
c$ssl$cert_chain_sha1s = string_vec();
|
||||
for ( i in c$ssl$cert_chain )
|
||||
c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
|
||||
}
|
||||
|
||||
if ( c$ssl?$client_cert_chain )
|
||||
{
|
||||
c$ssl$client_cert_chain_sha1s = string_vec();
|
||||
for ( i in c$ssl$client_cert_chain )
|
||||
c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue