Small rework with ssl base script to reduce memory usage.

- We are now removing the SSL analyzer after logging the session
  information.  This seems to help a lot with overly high memory
  consumption.
This commit is contained in:
Seth Hall 2011-09-16 23:47:04 -04:00
parent 436bd9d6a2
commit 123a3bd4e3


@ -18,16 +18,21 @@ export {
cert: string &optional; cert: string &optional;
cert_chain: vector of string &optional; cert_chain: vector of string &optional;
## This stores the analyzer id used for the analyzer instance attached
## to each connection. It is not used for logging since it's a
## meaningless arbitrary number.
analyzer_id: count &optional;
}; };
## This is where the default root CA bundle is defined. By loading the ## This is where the default root CA bundle is defined. By loading the
## mozilla-ca-list.bro script it will be set to Mozilla's root CA list. ## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
const root_certs: table[string] of string = {} &redef; const root_certs: table[string] of string = {} &redef;
## This determines if the c$ssl record is deleted after the record is ## If true, detach the SSL analyzer from the connection to prevent
## logged. You probably want this to be deleted since it contains ## continuing to process encrypted traffic. Helps with performance
## the full certificate and all of the chain certificates in it. ## (especially with large file transfers).
const delete_certs_after_logging = T &redef; const disable_analyzer_after_detection = T &redef;
global log_ssl: event(rec: Info); global log_ssl: event(rec: Info);
@ -71,17 +76,11 @@ function set_session(c: connection)
c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()]; c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()];
} }
function finish(c: connection, violation: bool) function finish(c: connection)
{ {
Log::write(SSL::LOG, c$ssl); Log::write(SSL::LOG, c$ssl);
if ( delete_certs_after_logging ) if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
{ disable_analyzer(c$id, c$ssl$analyzer_id);
if ( c$ssl?$cert )
delete c$ssl$cert;
if ( c$ssl?$cert_chain )
delete c$ssl$cert_chain;
}
if ( violation )
delete c$ssl; delete c$ssl;
} }
@ -134,12 +133,19 @@ event ssl_established(c: connection) &priority=5
event ssl_established(c: connection) &priority=-5 event ssl_established(c: connection) &priority=-5
{ {
finish(c, F); finish(c);
}
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
{
# Check by checking for existence of c$ssl record.
if ( c?$ssl && analyzer_name(atype) == "SSL" )
c$ssl$analyzer_id = aid;
} }
event protocol_violation(c: connection, atype: count, aid: count, event protocol_violation(c: connection, atype: count, aid: count,
reason: string) &priority=5 reason: string) &priority=5
{ {
if ( c?$ssl ) if ( c?$ssl )
finish(c, T); finish(c);
} }
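Review bot: In the new `finish()` the `c?$ssl` test on the `disable_analyzer` condition can never be false, because `Log::write(SSL::LOG, c$ssl)` on the line above already dereferences `c$ssl`, and `ssl_established` at priority -5 calls `finish(c)` without a check of its own. Moving the guard ahead of the write, `if ( ! c?$ssl ) return;` as the first statement of `finish()`, makes the record check actually protect the log write and the delete. The `protocol_violation` handler at the end of the hunk still calls `finish(c)` for a violation reported by any analyzer type, whereas the added `protocol_confirmation` filters on `analyzer_name(atype) == "SSL"`; since `finish()` now also detaches the analyzer, a violation raised by a different analyzer on the same connection — if that can occur here — would log the session and disable the SSL analyzer early, so mirroring the check as `if ( c?$ssl && analyzer_name(atype) == "SSL" )` seems worth it. The new comment on `disable_analyzer_after_detection` names only the performance gain; it should also state the monitoring trade-off, e.g. `## Once detached, no further SSL events are raised for that connection, so post-handshake activity on it is not seen by later handlers.`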