From e9baddfd6b3e2124373ed225f1b5df1b279455a8 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 15 Jun 2015 11:05:04 -0700 Subject: [PATCH 001/288] add a file analyzer to parse ocsp request and response add two events: ocsp_request and ocsp_response --- scripts/base/files/ocsp/README | 1 + scripts/base/files/ocsp/__load__.bro | 1 + scripts/base/files/ocsp/main.bro | 11 + scripts/base/init-bare.bro | 44 ++ scripts/base/init-default.bro | 1 + src/SerialTypes.h | 2 + src/Type.h | 2 + src/file_analysis/analyzer/CMakeLists.txt | 1 + .../analyzer/ocsp/CMakeLists.txt | 10 + src/file_analysis/analyzer/ocsp/OCSP.cc | 637 ++++++++++++++++++ src/file_analysis/analyzer/ocsp/OCSP.h | 66 ++ src/file_analysis/analyzer/ocsp/Plugin.cc | 25 + src/file_analysis/analyzer/ocsp/events.bif | 23 + src/file_analysis/analyzer/ocsp/types.bif | 4 + src/main.cc | 6 +- 15 files changed, 833 insertions(+), 1 deletion(-) create mode 100644 scripts/base/files/ocsp/README create mode 100644 scripts/base/files/ocsp/__load__.bro create mode 100644 scripts/base/files/ocsp/main.bro create mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.cc create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.h create mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc create mode 100644 src/file_analysis/analyzer/ocsp/events.bif create mode 100644 src/file_analysis/analyzer/ocsp/types.bif diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README new file mode 100644 index 0000000000..beabe8a3fc --- /dev/null +++ b/scripts/base/files/ocsp/README @@ -0,0 +1 @@ +Support for ocsp file analysis framework. diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/files/ocsp/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro new file mode 100644 index 0000000000..1b3dfdeffc --- /dev/null +++ b/scripts/base/files/ocsp/main.bro @@ -0,0 +1,11 @@ +@load base/frameworks/files +@load base/utils/paths + +module FileOCSP; + +export { + ## add one more argument to indicate is ocsp response or request + redef record Files::AnalyzerArgs += { + ocsp_type: string &optional; + }; +} diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 23f4fd43dd..fdc05f2df4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2927,6 +2927,50 @@ export { }; } + +module OCSP; +export { + type OneReq: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + #RequestExtensions: xxx + }; + type Request: record { + version: count &log &optional; + requestorName: string &log &optional; + requestList: vector of OneReq; + #requestExtensions: xxx + }; + type SingleResp: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + certStatus: string &log; + thisUpdate: string &log; + nextUpdate: string &log &optional; + #Extensions: xxx + }; + type Response: record { + responseStatus: string &log; + responseType: string &log; + version: count &log; + responderID: string &log; + producedAt: string &log; + responses: vector of SingleResp; + #responseExtensions:xxx + signatureAlgorithm: string &log; + signature: string; #&log; + }; + } + +module GLOBAL; +type ocsp_req_vec: vector of OCSP::OneReq; +type ocsp_resp_vec: vector of OCSP::SingleResp; + + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 473d94fc84..61cd41a189 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -65,6 +65,7 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 +@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/src/SerialTypes.h b/src/SerialTypes.h index cf2c52a08b..6b81227464 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -115,6 +115,8 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) +SERIAL_VAL(OCSP_REQ_VAL, 26) +SERIAL_VAL(OCSP_RESP_VAL, 27) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/Type.h b/src/Type.h index f902b0d907..3f886f55dc 100644 --- a/src/Type.h +++ b/src/Type.h @@ -627,6 +627,8 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; +extern OpaqueType* ocsp_req_opaque_type; +extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. // The reference count of the type is not increased. diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 225504c56a..bd5428a49e 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -4,3 +4,4 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) +add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt new file mode 100644 index 0000000000..d1cff9d157 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro OCSP) +bro_plugin_cc(OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif) +bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc new file mode 100644 index 0000000000..08df3e4ce6 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -0,0 +1,637 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include + +#include "OCSP.h" +#include "Event.h" + +#include "events.bif.h" +#include "types.bif.h" + +#include "file_analysis/Manager.h" + +#include +#include +#include +#include + +using namespace file_analysis; + +IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); +IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); + +#define OCSP_STRING_BUF_SIZE 2048 + +//this function is copied from src/file_analysis/analyzer/extract/Extract.cc +static Val* get_extract_field_val(RecordVal* args, const char* name) + { + Val* rval = args->Lookup(name); + if ( ! rval ) + reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; + } + +//convert different ANS1 type to c string +static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) + { + if (data == NULL || buf == NULL || buf_len <=0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + + if (type == V_ASN1_OCTET_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_BIT_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_INTEGER) + { + if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) + goto err; + } + else if (type == V_ASN1_OBJECT) + { + if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) + goto err; + } + else if (type == V_ASN1_GENERALIZEDTIME) + { + // TODO: convert ASN1_GENERALIZEDTIME to epoch time? + // new API: ASN1_TIME_diff() requires openssl 1.0.2 + // epoch time might be better for post processing + + // NOTE: this is for human readable time format + //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) + // goto err; + + // NOTE: this is printing the raw string which is also understandable + // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? + ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; + BIO_write(bio, tmp->data, tmp->length); + } + + else + goto err; + + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//ANS1 OCTET string to c string +static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); + } + +//ANS1 BIT string to c string +static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); + } + +//ANS1 integer to c string +static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); + } + +//ANS1 object to c string +static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); + } + +//ASN1_GENERALIZEDTIME to c string +static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); + } + +//CENERAL XXX to c string +static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) + { + if (data == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//OCSP respond id to c string +static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) + { + if (resp_id == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (resp_id->type == V_OCSP_RESPID_NAME) + { + if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) + goto err; + } + else if (resp_id->type == V_OCSP_RESPID_KEY) + { + if (i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) + goto err; + } + else + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//print out a cert id for debug +static void ocsp_print_cert_id(OCSP_CERTID *cid) + { + if (cid == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int len = sizeof(buf); + memset(buf, 0, len); + int new_len = -1; + + //print hashAlgorithm + new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); + StringVal hashAlgorithm = StringVal(new_len, buf); + printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + + //print issuerNameHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); + StringVal issuerNameHash = StringVal(new_len, buf); + printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + + //print issuerKeyHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal issuerKeyHash = StringVal(new_len, buf); + printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + + //print serialNumber + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal serialNumber = StringVal(new_len, buf); + printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); + } + +//fill in cert id +static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) + { + if (d == NULL || cert_id == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + //hashAlgorithm + int len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); + if (len > 0) + d->Assign(0, new StringVal(len, buf)); + + //issuerNameHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); + if (len > 0) + d->Assign(1, new StringVal(len, buf)); + + //issuerKeyHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + d->Assign(2, new StringVal(len, buf)); + + //serialNumber + len = -1; + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + d->Assign(3, new StringVal(len, buf)); + } + +file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) + { + Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); + if (! ocsp_type ) + return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) + { + ocsp_type = arg_ocsp_type; + ocsp_data.clear(); + } + +bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) + { + ocsp_data.append(reinterpret_cast(data), len); + return true; + } + +bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) + { + return false; + } + +// parse OCSP request or response and send data to bro scriptland +bool file_analysis::OCSP::EndOfFile() + { + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + + const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); + + if (ocsp_type == "request") + { + req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_REQVal* req_val = new OCSP_REQVal(req); + RecordVal* req_record = ParseRequest(req_val); + if (!req_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + Unref(req_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(req_val->Ref()); + vl->append(req_record->Ref()); + mgr.QueueEvent(ocsp_request, vl); + + Unref(req_val); + Unref(req_record); + } + else if (ocsp_type == "response") + { + resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + if (!resp) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); + RecordVal* resp_record = ParseResponse(resp_val); + if (!resp_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + Unref(resp_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(resp_record->Ref()); + mgr.QueueEvent(ocsp_response, vl); + + Unref(resp_val); + Unref(resp_record); + } + else + reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); +ocsp_cleanup: + //if (resp) + // OCSP_RESPONSE_free(resp); + //if (req) + // OCSP_REQUEST_free(req); + return false; +} + +// parse OCSP request and trigger event +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) + { + if (req_val == NULL) + return NULL; + OCSP_REQUEST *req = NULL; + OCSP_ONEREQ *one_req = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_REQINFO *inf = NULL; + //OCSP_SIGNATURE *sig = NULL; + + RecordVal* ocsp_req_record = NULL; + VectorVal* all_req_bro = NULL; + + int req_count = -1, i = -1, len = -1; + long version = -1; + + req = req_val->GetReq(); + if (req == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + inf = req->tbsRequest; + //sig = req->optionalSignature; + if (inf == NULL) + return NULL; + + ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); + if (!ocsp_req_record) + { + reporter->Error("Cannot create OCSP request structure: Internal memory error"); + return NULL; + } + + //version + version = ASN1_INTEGER_get(inf->version); + if (version != -1) + ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); + + //requestorName + if (inf->requestorName != NULL) + { + len = -1; + len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); + if (len > 1) + ocsp_req_record->Assign(1, new StringVal(len, buf)); + } + + //deal with details of the request + req_count = OCSP_request_onereq_count(req); + if (req_count <= 0) + goto clean_up; + for (i=0; iAsVectorType()); + RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); + + ocsp_fill_cert_id(cert_id, one_req_bro); + all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + } + + if (all_req_bro != NULL) + ocsp_req_record->Assign(2, all_req_bro); +clean_up: + return ocsp_req_record; +} + +// parse OCSP response and trigger event +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) + { + if (resp_val == NULL) + return NULL; + + OCSP_RESPONSE *resp = NULL; + OCSP_RESPBYTES *resp_bytes = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_BASICRESP *basic_resp = NULL; + OCSP_RESPDATA *resp_data = NULL; + OCSP_RESPID *resp_id = NULL; + OCSP_SINGLERESP *single_resp = NULL; + + //OCSP_CERTSTATUS *cst = NULL; + //OCSP_REVOKEDINFO *rev = NULL; + + RecordVal *ocsp_resp_record = NULL; + VectorVal *all_resp_bro = NULL; + + int resp_count = -1, status = -1, i = -1, len = -1; + long version = -1; + + resp = resp_val->GetResp(); + if (resp == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); + if (!ocsp_resp_record) + { + reporter->Error("Cannot create OCSP response structure: Internal memory error"); + return NULL; + } + + //responseStatus + status = OCSP_response_status(resp); + const char *status_str = OCSP_response_status_str(status); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + + //responseType + resp_bytes = resp->responseBytes; + if (!resp_bytes) + goto clean_up; + len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); + if (len > 0) + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + + //get the basic response + basic_resp = OCSP_response_get1_basic(resp); + if (!basic_resp) + goto clean_up; + resp_data = basic_resp->tbsResponseData; + if (!resp_data) + goto clean_up; + + //version + version = ASN1_INTEGER_get(resp_data->version); + if (version != -1) + ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); + + //responderID + resp_id = resp_data->responderId; + len = -1; + len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); + if (len > 0) + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + + //producedAt + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); + if (len > 0) + ocsp_resp_record->Assign(4, new StringVal(len, buf)); + + //responses + resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); + if (resp_count <= 0) + goto clean_up; + for (i=0; iresponses, i); + if (!single_resp) + continue; + if (all_resp_bro == NULL) + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); + + //cert id + cert_id = single_resp->certId; + ocsp_fill_cert_id(cert_id, single_resp_bro); + + //certStatus + const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + + //thisUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); + if (len > 0) + single_resp_bro->Assign(5, new StringVal(len, buf)); + + //nextUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); + if (len > 0) + single_resp_bro->Assign(6, new StringVal(len, buf)); + + all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + } + if (all_resp_bro != NULL) + ocsp_resp_record->Assign(5, all_resp_bro); + + //signatureAlgorithm + if (basic_resp->signatureAlgorithm) + { + len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); + if (len > 0) + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + } + //signature + if (basic_resp->signature) + { + len = -1; + len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); + if (len > 0) + ocsp_resp_record->Assign(7, new StringVal(len, buf)); + } +clean_up: + return ocsp_resp_record; +} + +//OCSP_REQVal +OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = arg_ocsp_req; + } + +OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = NULL; + } + +OCSP_REQVal::~OCSP_REQVal() + { + if (ocsp_req) + OCSP_REQUEST_free(ocsp_req); + } + +OCSP_REQUEST* OCSP_REQVal::GetReq() const + { + return ocsp_req; + } + +bool OCSP_REQVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_REQUEST(ocsp_req, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_req_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) + return false; + opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. + ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_req_buf; + if ( !ocsp_req ) + return false; + return true; + } + + +//OCSP_RESPVal +OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = arg_ocsp_resp; + } + +OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = NULL; + } + +OCSP_RESPVal::~OCSP_RESPVal() + { + if (ocsp_resp) + OCSP_RESPONSE_free(ocsp_resp); + } + +OCSP_RESPONSE* OCSP_RESPVal::GetResp() const + { + return ocsp_resp; + } + +bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_resp_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) + return false; + opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. + ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_resp_buf; + if ( !ocsp_resp ) + return false; + return true; + } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/ocsp/OCSP.h new file mode 100644 index 0000000000..ecdba6582d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/OCSP.h @@ -0,0 +1,66 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef FILE_ANALYSIS_OCSP_H +#define FILE_ANALYSIS_OCSP_H + +#include + +#include "Val.h" +#include "../File.h" +#include "Analyzer.h" + +#include +#include +#include + +namespace file_analysis { + +class OCSP_REQVal; +class OCSP_RESPVal; + +class OCSP : public file_analysis::Analyzer { +public: + virtual bool DeliverStream(const u_char* data, uint64 len); + virtual bool Undelivered(uint64 offset, uint64 len); + virtual bool EndOfFile(); + + static RecordVal *ParseResponse(OCSP_RESPVal *); + static RecordVal *ParseRequest(OCSP_REQVal *); + + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + +protected: + OCSP(RecordVal* args, File* file, const string& ocsp_type); + +private: + std::string ocsp_data; + std::string ocsp_type; +}; + +class OCSP_REQVal: public OpaqueVal { +public: + explicit OCSP_REQVal(OCSP_REQUEST *); + ~OCSP_REQVal(); + OCSP_REQUEST *GetReq() const; +protected: + OCSP_REQVal(); +private: + OCSP_REQUEST *ocsp_req; + DECLARE_SERIAL(OCSP_REQVal); +}; + +class OCSP_RESPVal: public OpaqueVal { +public: + explicit OCSP_RESPVal(OCSP_RESPONSE *); + ~OCSP_RESPVal(); + OCSP_RESPONSE *GetResp() const; +protected: + OCSP_RESPVal(); +private: + OCSP_RESPONSE *ocsp_resp; + DECLARE_SERIAL(OCSP_RESPVal); +}; + +} + +#endif diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc new file mode 100644 index 0000000000..f7edbd1d6d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/Plugin.cc @@ -0,0 +1,25 @@ +// See the file in the main distribution directory for copyright. + + +#include "plugin/Plugin.h" + +#include "OCSP.h" + +namespace plugin { +namespace Bro_OCSP { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::OCSP"; + config.description = "OCSP analyzer"; + return config; + } +} plugin; + +} +} diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/ocsp/events.bif new file mode 100644 index 0000000000..b956e2c12e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/events.bif @@ -0,0 +1,23 @@ +## Generated for encountered OCSP request +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP request +## +## req: The parsed OCSP request information. +## +event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%); + +## Generated for encountered OCSP response +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP response +## +## req: The parsed OCSP response information. +## +event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%); diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif new file mode 100644 index 0000000000..e005f1274e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -0,0 +1,4 @@ +type OCSP::Request: record; +type OCSP::Response: record; +type OCSP::OneReq: record; +type OCSP::SingleResp: record; \ No newline at end of file diff --git a/src/main.cc b/src/main.cc index 61cc35f198..be38f6ca39 100644 --- a/src/main.cc +++ b/src/main.cc @@ -131,6 +131,8 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; +OpaqueType* ocsp_req_opaque_type = 0; +OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line int bro_argc; @@ -873,7 +875,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From d84d1d24e80e14d29bad8217261a1a4e1979d883 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 17 Jun 2015 19:18:37 -0700 Subject: [PATCH 002/288] add ocsp logging --- scripts/base/files/ocsp/main.bro | 233 +++++++++++++++++++++- scripts/base/init-bare.bro | 10 +- src/file_analysis/analyzer/ocsp/types.bif | 3 +- 3 files changed, 241 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1b3dfdeffc..a6b91529ba 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -1,11 +1,240 @@ @load base/frameworks/files @load base/utils/paths +@load base/utils/queue -module FileOCSP; +module OCSP; export { - ## add one more argument to indicate is ocsp response or request + ## add one more argument to tell ocsp response or request redef record Files::AnalyzerArgs += { ocsp_type: string &optional; }; + + ## ocsp logging + redef enum Log::ID += { LOG }; + + ## tyep for pending ocsp request + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + ## NOTE: one file could contain several requests + ## one ocsp request record + type Info_req: record { + ## time for the request + ts: time; + ## file id for this request + id: string &log; + ## version + version: count &log &optional; + ## requestor name + requestorName: string &log &optional; + ## NOTE: the above are for one file which may constain + ## several ocsp requests + ## request cert id + certId: OCSP::CertId &log &optional; + }; + + ## NOTE: one file could contain several response + ## one ocsp response record + type Info_resp: record { + ## time for the response + ts: time; + ## file id for this response + id: string &log; + ## responseStatus (different from cert status?) + responseStatus: string &log; + ## responseType + responseType: string &log; + ## version + version: count &log; + ## responderID + responderID: string &log; + ## producedAt + producedAt: string &log; + + ## NOTE: the following are specific to one cert id + ## the above are for one file which may contain + ## several responses + + ## certStatus (this is the response to look at) + certStatus: string &log &optional; + ## thisUpdate + thisUpdate: string &log &optional; + ## nextUpdate + nextUpdate: string &log &optional; + }; + + type Info: record { + ## timestamp for request if both request is present + ## OR timestamp for response if request is not found + ts: time &log; + req: Info_req &log &optional; + resp: Info_resp &log &optional; + }; + + ## Event for accessing logged OCSP records. + global log_ocsp: event(rec: Info); } + +redef record connection += { + ## keep track of pending requests received so for + ocsp_requests: PendingRequests &optional; + }; + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + } + +function get_http_info(f: fa_file, meta: fa_metadata) + { + if (f$source != "HTTP" || !meta?$mime_type) + return; + + # call OCSP file analyzer + if (meta$mime_type == "application/ocsp-request") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); + else if (meta$mime_type == "application/ocsp-response") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } + +event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 + { + if (f$source == "HTTP") + get_http_info(f, meta); + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop: one connection + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (req?$requestList) + { + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (!conn?$ocsp_requests) + conn$ocsp_requests = table(); + + if (cert_id !in conn$ocsp_requests) + conn$ocsp_requests[cert_id] = Queue::init(); + + Queue::put(conn$ocsp_requests[cert_id], req_rec); + } + } + else + { + # no request content? this is weird but log it anyway + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + if (req?$version) + req_rec_empty$version = req$version; + if (req?$requestorName) + req_rec_empty$requestorName = req$requestorName; + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + } + } + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (resp?$responses) + { + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if (cert_id in conn$ocsp_requests) + { + # find a match + local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); + Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + if (Queue::len(conn$ocsp_requests[cert_id]) == 0) + delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? + } + else + { + # do not find a match; this is weird but log it + Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + } + } + } + else + { + # no response content? this is weird but log it anyway + local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt]; + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + } + } + +function log_unmatched_msgs_queue(q: Queue::Queue) + { + local reqs: vector of Info_req; + Queue::get_vector(q, reqs); + + for ( i in reqs ) + Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + } + +function log_unmatched_msgs(msgs: PendingRequests) + { + for ( cert_id in msgs ) + log_unmatched_msgs_queue(msgs[cert_id]); + + clear_table(msgs); + } + +# need to log unmatched ocsp request if any +event connection_state_remove(c: connection) &priority= -5 + { + if (! c?$ocsp_requests) + return; + log_unmatched_msgs(c$ocsp_requests); + } diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index fdc05f2df4..a1dfe2ee06 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2961,8 +2961,14 @@ export { producedAt: string &log; responses: vector of SingleResp; #responseExtensions:xxx - signatureAlgorithm: string &log; - signature: string; #&log; + signatureAlgorithm: string &log &optional; + signature: string &optional; #&log; + }; + type CertId: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; }; } diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif index e005f1274e..8d8cb5dd9b 100644 --- a/src/file_analysis/analyzer/ocsp/types.bif +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -1,4 +1,5 @@ type OCSP::Request: record; type OCSP::Response: record; type OCSP::OneReq: record; -type OCSP::SingleResp: record; \ No newline at end of file +type OCSP::SingleResp: record; +type OCSP::CertId: record; From d1c568663ca58808e8d7b9a104efe094de121c74 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 19 Jun 2015 09:37:10 -0700 Subject: [PATCH 003/288] add btest and fix bug --- scripts/base/files/ocsp/main.bro | 19 ++++++++++-------- src/file_analysis/analyzer/ocsp/OCSP.cc | 8 +++++--- .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../btest/Traces/tls/ocsp-request-only.pcap | Bin 0 -> 1207 bytes .../Traces/tls/ocsp-request-response.pcap | Bin 0 -> 3565 bytes .../btest/Traces/tls/ocsp-response-only.pcap | Bin 0 -> 3054 bytes .../base/protocols/ssl/ocsp-request-only.test | 4 ++++ .../protocols/ssl/ocsp-request-response.test | 4 ++++ .../protocols/ssl/ocsp-response-only.test | 4 ++++ 11 files changed, 58 insertions(+), 11 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-request-only.pcap create mode 100644 testing/btest/Traces/tls/ocsp-request-response.pcap create mode 100644 testing/btest/Traces/tls/ocsp-response-only.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index a6b91529ba..7417c6f6fb 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -30,7 +30,7 @@ export { ## NOTE: the above are for one file which may constain ## several ocsp requests ## request cert id - certId: OCSP::CertId &log &optional; + certId: OCSP::CertId &optional; }; ## NOTE: one file could contain several response @@ -54,7 +54,8 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses - + ##cert id + certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate @@ -67,8 +68,9 @@ export { ## timestamp for request if both request is present ## OR timestamp for response if request is not found ts: time &log; - req: Info_req &log &optional; - resp: Info_resp &log &optional; + certId: OCSP::CertId &log &optional; + req: Info_req &log &optional; + resp: Info_resp &log &optional; }; ## Event for accessing logged OCSP records. @@ -181,23 +183,24 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (cert_id in conn$ocsp_requests) + if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); } } } @@ -220,7 +223,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); } function log_unmatched_msgs(msgs: PendingRequests) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 08df3e4ce6..ea90967cfc 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -52,6 +52,8 @@ static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) } else if (type == V_ASN1_INTEGER) { + // NOTE: this will print the hex number + // wireshark may display decimal number if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) goto err; } @@ -183,7 +185,7 @@ static void ocsp_print_cert_id(OCSP_CERTID *cid) printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); StringVal serialNumber = StringVal(new_len, buf); printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); } @@ -217,7 +219,7 @@ static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) //serialNumber len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); if (len > 0) d->Assign(3, new StringVal(len, buf)); } @@ -387,7 +389,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); + ocsp_fill_cert_id(cert_id, one_req_bro); all_req_bro->Assign(all_req_bro->Size(), one_req_bro); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log new file mode 100644 index 0000000000..9881f143c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-33 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - +#close 2015-06-19-16-32-33 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log new file mode 100644 index 0000000000..b21cadda9a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-23 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-23 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log new file mode 100644 index 0000000000..f5a5c43c7c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-39 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-39 diff --git a/testing/btest/Traces/tls/ocsp-request-only.pcap b/testing/btest/Traces/tls/ocsp-request-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1d4e85da0796981c6b52571c94741d32a9dd0f0f GIT binary patch literal 1207 zcmZvcQAiVU9LN8gbFPckW)=}8M-OSb?QVISYpa+pb%f=}EleS~ZvV||x4UyY$CMsM zg7i>5_0*FEq6M{@;!6Zk1ZL?&7(Hi6M2Nj4Q7`@fH{9jiaew&V@Bia-pZov6+{)|1 zeLXM$?J@uzdXT%uBOfCGoI`Uwz_FX(Zr`{i_b*tln?MHurvgv>z;9f+`f|pY3{KZ> zOw@x=W9t(JH&5zQmZ3KQ=nd6#2EB;@#QHs4*Hu;3VDhhmMlLdo{300uKX4iwteA@F zAT&|GIK6%i(Or|Z2PVlijeIF{cOKKX$X8|oXh(0tV}~;n$g9qLnX?Pg6FCc5gJI;T zQ+*4Vj9uI20N6lVf=4+~_c`zs6F)q!NIVGEh_UU&P)~1|q{v`69HN{Kr$`OJlqsu$0R|lZ|~&r;qG}Q7Ogx$ZlR7$&y)* zd(h4J$W+GL;&IT&$u7txBZ?~vMlf% ztMHOYWpSlBTV72HzTwlfOjt7qzWZ1>E?7UqJX z&j0E~!=3lcIQ^jI(_dls=bSCKtgkU0p0F=GdW(<$&t6?AP&=Z^j85UGK2DcKHPP6b zUqyj(N6!?GABAZd#k7Elt92T&JWzlMJX0eY-yW#^>f-cfPtKw<^-HBdy~9*Y?Axyq zD>%-mj`DWL%^ua!3fu#icRGS28nJ?7L3NB(a179KWM|T>1x>LwBP9 literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tls/ocsp-request-response.pcap b/testing/btest/Traces/tls/ocsp-request-response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77306ea1902a40af35750385c92707a79227a672 GIT binary patch literal 3565 zcmc(idsGuw9>-^r5Fi)ee?^Q528V>T35+C=b!@p0oSM=H#9;_jm7n z<~#TIojbp2I#|1wg>kU%9|yxx#}+>)_4`x|8;g#ah7FtF{Fl;2w#i3)XL(?881{~O zYcv+kZOUq>;pQf6=+{~vh-pG1w#t~vRV=%Y>2Dau;<(juSROo#cW(s~$JuOmhWxm; zo7}T0D-K2C#Bks~$%a9qZsyYm7MN7i8-bDPWdOJfrv*)$M0PH5O z=w+fNMXLj1kf76P#6%du=Oxe%rxMV5hb=6dHjoBGVVIuIHLm~^DCAS+vPfXhS4tIOa5#vk^f|Ox0ttxz1Q=ts zQ%1T#%nb5*D!rbvA*z!qaEeXNT#Jyj*(_!~=`_<;aRCzvE$AK1wM0&jf?*?tBg7+I zM~Y66D2cRY=aJcz5>QrAs#Zu@T@%8)Cd66ww83o6R)XvzvrPyLl+i*uDLzk4Tb<|z zMM;!3+i6mQ2w8VbS7<}Tp30at64|Ngd6dKHnrEf-jASLqp(vY(w3zb|lh1<*a14xv zF)$i>a@|7vvRMP%Fi!tn9{j16ocz0j8;bQ$j9xVpq_Xjx{?P~OgDVPSB_(@A90 zT85a}AIFAyA}^uVo9G!(Sj`aERlJrMfXPF5y-e(M5|BU$QpWLlv1n4MPqTp`HKb2w4X@==2!)=Ik2FHUK#nw$ zP%1G*D2$SDD4~opV|chhFPAEU_&kkNqXcSAR8V598pLWfK%FuHB&j9>b?OA5icJQw zacMxON(36M3bj~}n5IH479=EUK?<6qRV4#WY79tb@JRGYk<+h^3yIjvuF7D>$4so1Q%Dsd_7huV+ zYl~n3;f0LPPUUa~tW+)G1N$-^4}rVNZZ4v&Bq4ylOvGKl)9Pub(_tVj6!8WWFhQQ6 zPdpvVY(pT?st+SV;czC*76ir9pd+5vkxcaD0ac#UMBB~ILLdV1k^pbUX;4lmBoZi< z$|l42py_{q3X8EXET`t6xlN8t&<4L9z6Qp71gljgT`$(!Wy%_FHN6R+rZ zmMvacG0)F=$^SH|Wj9}gNAOCHDdq42@oZkjbkm*2wZSV!JNuu{KNq<3!KlR=(;)xd z4c`n|G?6`16PvN|%z+iFXBJt)-CM_ICVw+2r6J`e@ode=aO=^U$7wUQ$#q z*TF!4K60Iuki!Uwev?sG-lO~fdmdmZ9@KM{Jg$Z)$eg+%SSDn)x&wG8bVs{>lU><{OH`HP2Q7KqVYeJ z)ZfY>z?`M6&)mrDgKZauvYMos_Y>FgO>yJ0&Nq#lxBl7T{Ral$4!L`MZbW6<={DQR zl-<5ZC#^m(mDSK*`TePrs}$Q}u6XBU$d;BJd9>(jH>`Pn8&$VFK+OAKWAl_o?TvL2 zs-0O+>6ktNnSq~`HF@rl4E3I+_uW{mI=<KTdzo zl)JoDkN5QpXf_U5dWKqAX|G%by}NfyHx3JVJ&D1+&546*sHz%W6;&SDX;8c6kL;O? z-d&Xa_bN?db~y4-Q4^-OTi{rR1~`ZXM{~WVl_%ik&vS8ie;oNStWzZm_Y3;Z7wKsj z^iaC?v4w)OSkTbg;OgC0=|5M75$=tNH|pcRuuhmXx3K!fzAa1DhWpBKPcNje9N3V! z#HRYiHszpU?&X$yi=z}_OAB`l@!#C?u=PpXSg%b(f{)BTnt$r}0^@>VS$i%YI`?A! z2N*p)Bl31s_VYe>R}Q|!vt`b>nB7!8d&#j`_dd=2ZF0J2%XgTxt+8FWsJ#m_$yi-n<^B?EQ4 zyw_)q`n3N25@IM*HC;nh)4wU~zj77!*)Nyj+pZnk(4JE4gL_P-yUOt6OfAL`C%w^4 z>|KXpvceiyWoLW24r@Uy4I!9_!^CxVqc^&r%U6B kPK`bV-Ne^u{L-b7?xhiZhHbmfRG%3^T^etr>hr|E0KMCyO8@`> literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tls/ocsp-response-only.pcap b/testing/btest/Traces/tls/ocsp-response-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..63fbdde25a3589aa5aef7fa96eec83ca7978aa94 GIT binary patch literal 3054 zcmc(hdsGuw9>-^r5JE5p2nDKzj;sjE>rN5^#-fBk0p*dJfFi6qB!Q%aOqv7~lok;2 zQ5Rd0)`}jXRiKJuQCVAyBDxh7(N(I}>ek|eDldg2wYu89laz<(?w+&%?3{DYnftrH z`P}c^`QAIfjuQ=4G=zbSUJL|<9YfTr#P1UkWG=j?8ZvEd*I$Y@7#6iUu4EyR2=bP6 zUl_}^_WoAX!IQ5r!ATpoeeL^a^l4f+!{0%{944Z=t8jFpvd$&??luoy$$d4LE z$yTP7ZzUs07=kms9VseBM`R@)XKH%ih4i3GCznd>&L}x4XLBP(A0{t8fFR*;CaS%p zStzZyXx5I?90ci^1rEp^wE}8HEqWU$GNtti7abwKq*a)^i_*H+G)`-#PjG!FB#KnC ztwcy`hdLW5VyZKWOtXXXU>i@gbIYx!h&xMPNpwR*zKt&uqZJBSARd5Yd;qY7c^q~G zVOEPVg(lk%!$YvS*?KsF2Vs1^SRfShg;-Rag2R@pjX7$g7?T(XrAEzROG&+1tvCBC zjD+5lt~UBd>XoEQtIrT);aWXm%!MgbrazTvBz0mei&*YYWT-=NJ}waP{V+pznog_q z!}O%T*#aSrS$oROb*ntqSVmuww}rh=b^Kty=YJnLq%QT4hEqH)xG&lNgf| zWQX~lR zzbL5gZOqLjq#YRS9iSaS;`8X_Il7z_>5{MsO&seoS!>kcwcyNfw64k4fW-X}~ zV@e%q8oThh2Kdzog8?ogL1hGzN|OODoykDzsYDJN6fuX`C{kI(?1#7AOgmpDYGY#y zP?S-`ybeQGLE&#zd0;ti5A2xqLGuFPKh+={(OU60^pWtRE9<#3b2f4QbSxb1{D` zitomyoCZXA2%irG0^uU?F3^B5D8|NjBAqtL24OfivN%h0nK|9O+abFir`y-g7YO4S z&S5Q0-lc8ARp4{Mm8ZG`4-Wbjw9{-^Z~x7($%o>Wzzn4(h6ytsbHo#YRvtfp7p zu1p^IrS|6z*JaOdWqKXG+*r7ID1_BCyKnmbqqQk*VP~fg)^fd-`%{0OjYfMn-|qb+ zk5O_l$>q?d*NL-rGu4k5+*BSa-dIt(#>ITy^#UQMcXfhRw49+yIJGV?pI!Q%=6+k1 z_trUP=PNmvJq|sXy-}udcRk$v&D0GG=qqFqDZ4MWY~8*hPZwm{KQ}e*n}rF@33u?P zJ3eNECHuDg{o})Hw3S7Slc0#v4BNM$h`zIuPD5!lmS1h&gJ|6a4=`rQ>}?QGc<_I6 z&LrSwb&lg7&IwSGaO+#_;}3kPF?-%rjoEAv2L>wDMzbj(gH%x#qY?v+Y6EG~nn`1B zAT9v7)on9I+$L8mvyEy@3ZH{#2HYF!ajpX%t{mt(0WJc;0A7n=S2U*k|Jx6s2=yGh z#;C=XTm;71G|Hc+mXkg$gWTeG-nqXtcHsS0gKg7l914m3Z+C<~x%45UO%*!P-LR)xC{n2u#_#fzPpEvbOoF2{U`KYH( zI-PyK*{8oxv7zVTN0$fpa2HDa<9{e@x|@k(tIGPH+7KBh2Cn%DYhzdR#q8v0BIl)D z>6o`>*V9wSTc+Ie>Atl(xP0KkfT2C%u;b~4+gp~p`kgYfG50>f$=9YxSDicovFBDP=x{PgZT6#bn+1Bm6&a_3S#2A#%i2JY0T z7sCZOGg;PykB*Mq*;$7tGF%wWb_w0=ZI6yQxpk#aD!ZtzC^wdG1KiQm(uP5UUXP`4 zZ!#i*6i6!PRECz!8aAj=_wVeP1^-=Y;~(DTYfYwX_=5~k8g*bUMZ*}71?DjAmzG4M zCC{=@TUQkNF<@9F4R!JS?~{x*4BV8Kb8J2D65{FA;9Y%KFZgFg0B+kBbGs?(3;q0s zt8=TLAKP0dRrQJIJ-M1(F}XQrlR@&UVetvo>Ki@18$&|^%5o1(b*<}p*#CH7uKk{= z-mUqkbIzY#m%eUV+L0S4FF#-V0Ybi)GV5Mw#G`miPO-hbvyo|xofL=5=-2hWNx4e^c*f}7Pu?@ZgCr}>9{=9RrU z!G2bqrtVB(zv6Y}j=e{&f2ETvkMWL^<*~O|M>|{lO6~KKpPrl#KdngY$^A*5@~yw^ zm8Fk`apyvQ`4Qjf=Ud00tZ3x!N}K&@)BA Date: Fri, 19 Jun 2015 15:01:31 -0700 Subject: [PATCH 004/288] add function to get hash of cert issuer name --- scripts/base/files/ocsp/main.bro | 8 +- src/file_analysis/analyzer/x509/functions.bif | 87 +++++++++++++++++++ 2 files changed, 91 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 7417c6f6fb..602f23bcc5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -13,7 +13,7 @@ export { ## ocsp logging redef enum Log::ID += { LOG }; - ## tyep for pending ocsp request + ## type for pending ocsp request type PendingRequests: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests @@ -27,7 +27,7 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; - ## NOTE: the above are for one file which may constain + ## NOTE: the above are for one file which may contain ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; @@ -65,8 +65,8 @@ export { }; type Info: record { - ## timestamp for request if both request is present - ## OR timestamp for response if request is not found + ## timestamp for request if a corresponding request is present + ## OR timestamp for response if a corresponding request is not found ts: time &log; certId: OCSP::CertId &log &optional; req: Info_req &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 216f4c69cc..bb04f27ed8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -537,3 +537,90 @@ x509_verify_chainerror: return rrecord; %} + +## Get the hash of issuer name of a certificate +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use +## +## Returns: A string of hash of issuer name. +## +## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## x509_ext_subject_alternative_name x509_parse +## x509_get_certificate_string x509_verify +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string + %{ + assert(cert); + assert(hash_alg); + + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + X509 *cert_x509 = cert_handle->GetCertificate(); + if (cert_x509 == NULL) + { + builtin_error("cannot get cert from opaque"); + return NULL; + } + + X509_NAME *issuer_name = NULL; + StringVal *issuer_name_str = NULL; + issuer_name = X509_get_issuer_name(cert_x509); + if (issuer_name == NULL) + { + builtin_error("fail to get issuer name from certificate"); + return NULL; + } + + const char* h = hash_alg->CheckString(); + if (h == NULL) + { + builtin_error("fail to get hash algorithm from input"); + return NULL; + } + + const EVP_MD *dgst; + if (strcmp(h, "sha1") == 0) + dgst = EVP_sha1(); + else if (strcmp(h, "sha224") == 0) + dgst = EVP_sha224(); + else if (strcmp(h, "sha256") == 0) + dgst = EVP_sha256(); + else if (strcmp(h, "sha384") == 0) + dgst = EVP_sha384(); + else if (strcmp(h, "sha512") == 0) + dgst = EVP_sha512(); + else + { + reporter->Error("Unknown digest!"); + return NULL; + } + if (dgst == NULL) + { + builtin_error("fail to allocate digest"); + return NULL; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int len = 0; + ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING); + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + char buf[1024]; + memset(buf, 0, sizeof(buf)); + + if (!X509_NAME_digest(issuer_name, dgst, md, &len)) + goto err; + if (!ASN1_OCTET_STRING_set(oct_str, md, len)) + goto err; + if (i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0) + goto err; + new_len = BIO_read(bio, buf, sizeof(buf)); + if (new_len > 0) + issuer_name_str = new StringVal(new_len, buf); + + //NOTE: the result string may contain "\\x0a" for sha384 and sha512 + // probably need to remove it from here? +err: + BIO_free_all(bio); + return issuer_name_str; + %} From 2743966fcc8628e525996eb2d3cab0dc1f2463e8 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 1 Jul 2015 17:00:41 -0700 Subject: [PATCH 005/288] add a script to combine ocsp with ssl --- .../policy/protocols/ssl/ocsp-measurement.bro | 467 ++++++++++++++++++ 1 file changed, 467 insertions(+) create mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro new file mode 100644 index 0000000000..a426e7e048 --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -0,0 +1,467 @@ +#! Match OCSP request and response to SSL connection for performance analysis + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_MEASUREMENT; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection uid + cuid: string &log; + + ## for 1st request, this is the time between first TCP + ## SYN and resp_ts; for the rest of the requests in + ## the same connection, this is the time btween req_ts + ## and res_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log &optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log; + + ## OCSP uri, this is uri in HTTP request + uri: string &log; + + ## number of ocsp requests in this connection + ## including this one + num_ocsp: count &log &optional; + + ## the time when the corresponding certificate is + ## received + cert_recv_ts: time &log &optional; + + ## SSL connection uid + ssl_cuid: string &log &optional; + + ## SSL connection id + ssl_cid: conn_id &optional; + + ## the time when client receives change cipher message + ## from server + ssl_change_cipher_ts: time &log &optional; + + ## the time when SSL connection is established + ssl_establish_ts: time &log &optional; + }; + + ## - map to OCSP_MEASUREMENT::Info + ## - indexed by source ip(addr), ocsp uri(string), issuer name + ## hash(string), serialNumber(string) + ## - is it possible server sends two same certificate? To be + ## safe, let's use a queue to store OCSP_MEASUREMENT::Info + type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + + ## a group of constant string for hash algorithm + ## to save memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); + + ## Event from a worker to the manager that it has encountered + ## an OCSP response + global new_ocsp_info: event(c: connection) &redef; + + ## Event from the manager to the workers that a new OCSP info + ## is to be added. + global ocsp_info_add: event(c: connection); +} + +# by different hash algorithm, OCSP_Mapping +global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; + +# track number of ocsp requests in this connection +redef record connection += { + num_ocsp: count &optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP file id + ocsp_request_fuid: string &optional; + ocsp_response_fuid: string &optional; + + ## OCSP request and response timestamp + ocsp_request_ts: time &optional; + ocsp_response_ts: time &optional; + + ## store OCSP requests and responses + ocsp_request: OCSP::Request &optional; + ocsp_response: OCSP::Response &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + connection_start_ts: time &optional; + + ## client hello time + client_hello_ts: time &optional; + + ## ssl connection establish time + ssl_establish_ts: time &optional; + + ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## - the time when a cert is received AND the cert has ocsp + ## extension + ## - the 2nd level table indexed by source ip(addr), ocsp + ## uri(string), issuer name hash(string), serialNumber + ## (string) + ## - the 1st level table indexed by different hash algorithm + ## for issuer name hash + ## - is it possible a server sends two same certificate? To be + ## safe, let's use a queue to store the time + cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; +}; + +# set up cluster event +@if ( Cluster::is_enabled() ) +@load base/frameworks/cluster +redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; +redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; +@endif + +# get all the requests in one HTTP request +function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue + { + local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); + if ( http?$ocsp_request && http$ocsp_request?$requestList ) + { + local req = http$ocsp_request; + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (cert_id !in pending_requests) + pending_requests[cert_id] = Queue::init(); + + Queue::put(pending_requests[cert_id], req_rec); + } + } + return pending_requests; + } + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return s; + } + +# fill in OCSP/HTTP information +function fill_ocsp_info(c: connection) + { + local http: HTTP::Info = c$http; + + # get all the requests which will be matched to response later + local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); + + # get all the responses and match them to the requests + if ( http?$ocsp_response && http$ocsp_response?$responses ) + { + local resp = http$ocsp_response; + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, $host = http$host, + $uri = http$uri, $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, + $resp_hdr_size = http$response_header_len, + $http_code = http$status_code]; + if (cert_id in pending_requests) + { + # find a match + local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); + ocsp_info$req = req_rec; + ocsp_info$num_ocsp = c$num_ocsp; + + if (c$num_ocsp == 0) + ocsp_info$delay = ocsp_info$req$ts - c$start_time; + else + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_requests[cert_id]) == 0) + delete pending_requests[cert_id]; #if queue is empty, delete it? + } + + # add to ocsp map + local full_uri: string = clean_uri(http$host + http$uri); + local h = cert_id$hashAlgorithm; + local src_ip: addr = c$id$orig_h; + + if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) + ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + + Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + } + + } + } + +# work event +@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) +event OCSP_MEASUREMENT::ocsp_info_add(c: connection) + { + fill_ocsp_info(c); + } +@endif + +# manager event +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event OCSP_MEASUREMENT::new_ocsp_info(c: connection) + { + event OCSP_MEASUREMENT::ocsp_info_add(c); + } +@endif + +# record the header length +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + # here, a http request-response is done + # if any ocsp info is present, put it in ocsp_map +@if ( ! Cluster::is_enabled() ) + fill_ocsp_info(c); +@endif + +@if ( Cluster::is_enabled() ) + # send this ocsp info to manager and manager will send + # it to all the workder + event OCSP_MEASUREMENT::new_ocsp_info(c); +@endif + } + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( !f?$http ) + return; + f$http$ocsp_request = req; + f$http$ocsp_request_ts = network_time(); + f$http$ocsp_request_fuid = f$id; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( !f?$http ) + return; + f$http$ocsp_response = resp; + f$http$ocsp_response_ts = network_time(); + f$http$ocsp_response_fuid = f$id; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$connection_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( is_orig ) + return; + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$ssl_establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if (!ext?$name || ext$name != "Authority Information Access") + return; + + if ( !f?$info || !f$info?$x509 || !f$info$x509?$handle || !f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection + local c: connection; + # there should be only one loop + for ( id in f$conns ) + c = f$conns[id]; + + if ( !c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local source_ip: addr = c$id$orig_h; + + local issuer_name: table[string] of string; + # loop through each hash algorithm + for (i in hash_algorithm) + { + local h: string = hash_algorithm[i]; + issuer_name[h] = x509_issuer_name_hash(cert_ref, h); + + # if given hash algorithm is not in record, create a new table + if ( h !in c$ssl$cert_ts ) + c$ssl$cert_ts[h] = table(); + + # if given index is not in record, create a new queue + if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) + c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); + + # put the timing information in the queue of ssl info + Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); + } + } + +# log information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! c$ssl?$cert_ts ) + return; + + for (i in hash_algorithm) + { + local h = hash_algorithm[i]; + for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) + { + if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + { + # find a ocsp to ssl match + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; + ocsp_info$cert_recv_ts = cert_recv_ts; + ocsp_info$ssl_cuid = c$uid; + ocsp_info$ssl_cid = c$id; + ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; + ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + Log::write(LOG, ocsp_info); + } + } + } + } + +event bro_init() + { + # initialize ocsp_map + for (i in hash_algorithm) + ocsp_map[hash_algorithm[i]] = table(); + + Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); + } From 386a5b811d667b6169f1f0fe8eff6a994681d2aa Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:23:38 -0700 Subject: [PATCH 006/288] add optional logging for parsed ocsp stapling message --- .../policy/protocols/ssl/ocsp-stapling.bro | 113 ++++++++++++++++++ .../analyzer/ocsp/CMakeLists.txt | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 36 ++++++ 3 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro create mode 100644 src/file_analysis/analyzer/ocsp/functions.bif diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..0a0c92da1c --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -0,0 +1,113 @@ +#! Log ocsp stapling information + +module OCSP_STAPLING; + +export { + redef enum Log::ID += { LOG }; + type Info: record { + ## timestamp + ts: time &log; + + ## connection uid + cid: conn_id &log; + + ## connection uid + cuid: string &log; + + ## size of this response + size: count &log; + + ## responseStatus + responseStatus: string &log; + + ## responseType + responseType: string &log; + + ## version + version: count &log; + + ## responderID + responderID: string &log; + + ## producedAt + producedAt: string &log; + + ## NOTE: the following are specific to one cert id + ## the above are for one message which may contain + ## several responses + + ## index + idx: count &log &optional; + + ## cert id + cert_id: OCSP::CertId &log &optional; + + ## certStatus (this is the response to look at) + certStatus: string &log &optional; + + ## thisUpdate + thisUpdate: string &log &optional; + + ## nextUpdate + nextUpdate: string &log &optional; + }; +} + +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) + { + local resp: OCSP::Response = ocsp_parse_response(response); + + # TOCHECK: is this right? + local resp_size: count =|response|; + + if (resp?$responses) + { + local num: count = 0; + for (x in resp$responses) + { + num += 1; + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: Info = [$ts = network_time(), + $cid = c$id, + $cuid = c$uid, + $size = resp_size, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $idx = num, + $cert_id = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + Log::write(LOG, resp_rec); + } + } + else + { + # no response content? this is weird but log it anyway + local resp_rec_empty: Info = [$ts = network_time(), + $cid = c$id, + $cuid = c$uid, + $size = resp_size, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt]; + Log::write(LOG, resp_rec_empty); + } + } + +event bro_init() + { + Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]); + } diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt index d1cff9d157..12c54c1c84 100644 --- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt +++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt @@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro OCSP) bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif) +bro_plugin_bif(events.bif types.bif functions.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif new file mode 100644 index 0000000000..19d9ac1cb5 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/functions.bif @@ -0,0 +1,36 @@ +%%{ +#include "file_analysis/analyzer/ocsp/OCSP.h" +#include "types.bif.h" +%%} + +## Parses a OCSP response into an OCSP::Response structure. +## +## ocsp_reply: OCSP data. +## +## Returns: A OCSP::Response structure. +## +## .. bro:see:: ssl_stapled_ocsp +function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response + %{ + const unsigned char* start = ocsp_reply->Bytes(); + OCSP_RESPONSE *resp = NULL; + file_analysis::OCSP_RESPVal* resp_val = NULL; + RecordVal* resp_record = NULL; + resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len()); + if ( ! resp ) + { + reporter->Weird("OPENSSL Could not parse OCSP response"); + return NULL; + } + resp_val = new file_analysis::OCSP_RESPVal(resp); + resp_record = file_analysis::OCSP::ParseResponse(resp_val); + if (!resp_record) + { + reporter->Weird("Internal fail to parse OCSP response"); + Unref(resp_val); + return NULL; + } + Unref(resp_val); + //Unref(resp_record); + return resp_record; + %} From de17c12656d0a223d38c3c83fa866d2f6b54226f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:51:07 -0700 Subject: [PATCH 007/288] add btest for ocsp-stapling logging --- .../ocsp-stapling.log | 10 ++++++++++ .../scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log new file mode 100644 index 0000000000..03964f7191 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp-stapling +#open 2015-07-02-21-49-21 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-02-21-49-21 diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..63b7e29e03 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -0,0 +1,6 @@ +# This tests logging of ocsp stapling message + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: btest-diff ocsp-stapling.log + +@load protocols/ssl/ocsp-stapling From 8844d344af4428819d8844ab83c3037679e5d3e3 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 17:46:43 -0700 Subject: [PATCH 008/288] add connection in ocsp log --- scripts/base/files/ocsp/main.bro | 40 ++++++++++++++----- .../policy/protocols/ssl/ocsp-stapling.bro | 2 +- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- 5 files changed, 47 insertions(+), 25 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 602f23bcc5..c5ccd6df7f 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -23,6 +23,10 @@ export { ts: time; ## file id for this request id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## version version: count &log &optional; ## requestor name @@ -37,9 +41,13 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time; + ts: time &log; ## file id for this response id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## responseStatus (different from cert status?) responseStatus: string &log; ## responseType @@ -67,9 +75,21 @@ export { type Info: record { ## timestamp for request if a corresponding request is present ## OR timestamp for response if a corresponding request is not found - ts: time &log; + ts: time &log; + + ## connection id + cid: conn_id &log; + + ## connection uid + cuid: string &log; + + ## cert id certId: OCSP::CertId &log &optional; + + ## request req: Info_req &log &optional; + + ## response resp: Info_resp &log &optional; }; @@ -127,7 +147,7 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec$version = req$version; @@ -147,12 +167,12 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -178,6 +198,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, @@ -193,14 +214,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } @@ -208,12 +229,13 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # no response content? this is weird but log it anyway local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -223,7 +245,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); } function log_unmatched_msgs(msgs: PendingRequests) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 0a0c92da1c..64c3d198f2 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -8,7 +8,7 @@ export { ## timestamp ts: time &log; - ## connection uid + ## connection id cid: conn_id &log; ## connection uid diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 9881f143c1..c9a4964207 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-33 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - -#close 2015-06-19-16-32-33 +#open 2015-07-03-00-39-57 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - +#close 2015-07-03-00-39-57 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index b21cadda9a..feb466e43f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-23 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-23 +#open 2015-07-03-00-40-58 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-40-58 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index f5a5c43c7c..7b86586eb8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-39 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-39 +#open 2015-07-03-00-38-40 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-38-40 From d18a96bc8d94a645bd443b0b1784c6ba48fe88b3 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 6 Jul 2015 16:12:52 -0700 Subject: [PATCH 009/288] separated field for ocsp response timestamp and update baseline --- scripts/base/files/ocsp/main.bro | 11 +++++++---- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index c5ccd6df7f..62a414d3cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -41,7 +41,7 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time &log; + ts: time; ## file id for this response id: string &log; ## connection id @@ -89,6 +89,9 @@ export { ## request req: Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response resp: Info_resp &log &optional; }; @@ -214,14 +217,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } @@ -235,7 +238,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index c9a4964207..3ac21e3f22 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-39-57 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-03-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-03-00-39-57 +#close 2015-07-06-23-03-35 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index feb466e43f..53c2b598d5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-40-58 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-40-58 +#close 2015-07-06-23-05-10 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 7b86586eb8..4889fdc434 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-38-40 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-43 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-38-40 +#close 2015-07-06-23-05-43 From e2c30f0005c26931d88488b806146cb497600f7c Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 6 Jul 2015 17:52:13 -0700 Subject: [PATCH 010/288] record more timestamp for ocsp measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 61 ++++++++++++------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index a426e7e048..c95fd9b83e 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -15,12 +15,18 @@ export { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; + ## request timestamp + req_ts: time &log &optional; + ## request ## NOTE: this is only one request if multiple requests ## are sent together in one HTTP message, they will be ## logged separately req: OCSP::Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be @@ -30,10 +36,13 @@ export { ## HTTP connection uid cuid: string &log; + ## HTTP connection start time + conn_start_ts: time &log; + ## for 1st request, this is the time between first TCP ## SYN and resp_ts; for the rest of the requests in ## the same connection, this is the time btween req_ts - ## and res_ts + ## and resp_ts delay: interval &log &optional; ## the size of HTTP request body @@ -57,8 +66,10 @@ export { ## OCSP uri, this is uri in HTTP request uri: string &log; - ## number of ocsp requests in this connection - ## including this one + ## number of HTTP request containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests num_ocsp: count &log &optional; ## the time when the corresponding certificate is @@ -222,36 +233,42 @@ function fill_ocsp_info(c: connection) $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, + $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, $host = http$host, - $uri = http$uri, $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, + $conn_start_ts = c$start_time, + $host = http$host, + $uri = http$uri, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; + $http_code = http$status_code]; if (cert_id in pending_requests) { # find a match local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; + ocsp_info$req = req_rec; + ocsp_info$req_ts = req_rec$ts; ocsp_info$num_ocsp = c$num_ocsp; - if (c$num_ocsp == 0) - ocsp_info$delay = ocsp_info$req$ts - c$start_time; + if (c$num_ocsp == 1) + ocsp_info$delay = ocsp_info$resp$ts - c$start_time; else ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; From 07891b3b66fbf86a188325a0eaedc24db9571b13 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 12:27:02 -0700 Subject: [PATCH 011/288] parse multiple OCSP stapling responses --- .../protocol/ssl/tls-handshake-analyzer.pac | 5 ++--- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 17432fa5cb..afca5dd77f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -168,14 +168,13 @@ refine connection Handshake_Conn += { function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 ) // ocsp + if ( status_type == 1 || status_type == 2 ) // ocsp { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data())); } - return true; %} @@ -255,7 +254,7 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr CertificateStatus += &let { +refine typeattr OCSPResponse += &let { proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index b24352d099..722b6f1f59 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -139,11 +139,23 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling +type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response : bytestring &length = to_int()(length); +} &length = to_int()(length)+3; + +type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); +} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, everything else is undefined - length : uint24; - response: bytestring &restofdata; + status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined + which_type: case status_type of { + 1 -> ocsp_response : OCSPResponse(rec, status_type); + 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); + default -> data : bytestring &restofdata &transient; # unknown + }; }; ###################################################################### From 15bf098e7a5c284ae84ac6910b7eb2afbc4e3aba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 13:39:24 -0700 Subject: [PATCH 012/288] rename proc_certificate_status to proc_ocsp_response --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index afca5dd77f..84a7936daf 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -166,7 +166,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ if ( status_type == 1 || status_type == 2 ) // ocsp { @@ -255,7 +255,7 @@ refine typeattr ServerNameExt += &let { }; refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); + proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { From 545848d9067c9ce35e8825961ce82943d3c945ff Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:11:14 -0700 Subject: [PATCH 013/288] add parameter 'status_type' to event ssl_stapled_ocsp --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 2 +- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +++- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 ++- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 64c3d198f2..298f6d3990 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -53,7 +53,7 @@ export { }; } -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local resp: OCSP::Response = ocsp_parse_response(response); diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 3beabbe59c..6667d9fbae 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 18704d25ec..09e9c2d75e 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -294,7 +294,9 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); +## +## status_type: status_type in received OCSP stapled response +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 84a7936daf..89177dfb51 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -173,7 +173,8 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data())); + (const char*) response.data()), + status_type); } return true; %} diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index ab24f28ee8..4a4d081e09 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro @@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 6424f263f1..440b1b2ebf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test @@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 694738752224b4579c028e6f4ccb155d2d38f3ed Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:21:53 -0700 Subject: [PATCH 014/288] add status_type to ocsp stapling log --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 9 +++++++-- .../ocsp-stapling.log | 10 +++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 298f6d3990..30f69e3b9a 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -7,7 +7,10 @@ export { type Info: record { ## timestamp ts: time &log; - + + ## status type + status_type: count &log; + ## connection id cid: conn_id &log; @@ -73,7 +76,8 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty $serialNumber = single_resp$serialNumber]; local resp_rec: Info = [$ts = network_time(), - $cid = c$id, + $status_type = status_type, + $cid = c$id, $cuid = c$uid, $size = resp_size, $responseStatus = resp$responseStatus, @@ -95,6 +99,7 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty { # no response content? this is weird but log it anyway local resp_rec_empty: Info = [$ts = network_time(), + $status_type = status_type, $cid = c$id, $cuid = c$uid, $size = resp_size, diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log index 03964f7191..c8d4c9d8e6 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp-stapling -#open 2015-07-02-21-49-21 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-02-21-49-21 +#open 2015-07-08-21-19-54 +#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time count addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-08-21-19-54 From 535525e28364f1547de095688000b5032e7758d9 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 18:20:29 -0700 Subject: [PATCH 015/288] fix a memory leak --- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index ea90967cfc..d49d8d4beb 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -532,6 +532,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } clean_up: + if (basic_resp) + OCSP_BASICRESP_free(basic_resp); return ocsp_resp_record; } From 406fec9ef41fae467ff258ef965ca03ef7cc5b9a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 9 Jul 2015 11:56:58 -0700 Subject: [PATCH 016/288] potentially fix a memory problem ocsp-measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index c95fd9b83e..b883a36fdc 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -88,14 +88,10 @@ export { ## the time when SSL connection is established ssl_establish_ts: time &log &optional; - }; - ## - map to OCSP_MEASUREMENT::Info - ## - indexed by source ip(addr), ocsp uri(string), issuer name - ## hash(string), serialNumber(string) - ## - is it possible server sends two same certificate? To be - ## safe, let's use a queue to store OCSP_MEASUREMENT::Info - type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + ## the time when event connection_state_remove happens + ssl_end_ts: time &log &optional; + }; ## a group of constant string for hash algorithm ## to save memory, remove any unseen hash algorithm @@ -110,8 +106,12 @@ export { global ocsp_info_add: event(c: connection); } -# by different hash algorithm, OCSP_Mapping -global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; +## - map to OCSP_MEASUREMENT::Info +## - indexed by hash algorithm(string), source ip(addr), ocsp +## uri(string), issuer name hash(string), serialNumber(string) +## - is it possible server sends two same certificate? To be +## safe, let's use a queue to store OCSP_MEASUREMENT::Info +global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; # track number of ocsp requests in this connection redef record connection += { @@ -281,10 +281,10 @@ function fill_ocsp_info(c: connection) local h = cert_id$hashAlgorithm; local src_ip: addr = c$id$orig_h; - if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) - ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) + ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); } } @@ -454,12 +454,12 @@ event connection_state_remove(c: connection) &priority= -20 local h = hash_algorithm[i]; for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) { - if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) { # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; @@ -468,6 +468,7 @@ event connection_state_remove(c: connection) &priority= -20 ocsp_info$ssl_cid = c$id; ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + ocsp_info$ssl_end_ts = network_time(); Log::write(LOG, ocsp_info); } } @@ -476,9 +477,5 @@ event connection_state_remove(c: connection) &priority= -20 event bro_init() { - # initialize ocsp_map - for (i in hash_algorithm) - ocsp_map[hash_algorithm[i]] = table(); - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); } From 9553c8aefc1452947183631e6852ab367cc232bb Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sun, 12 Jul 2015 13:52:26 -0700 Subject: [PATCH 017/288] separated logging for ocsp and ssl --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 577 ++++++++++++++++++ 1 file changed, 577 insertions(+) create mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro new file mode 100644 index 0000000000..8f24fa2d47 --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -0,0 +1,577 @@ +#! log OCSP request, response and related HTTP information +#! log SSL connection which has cert with OCSP uri + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_SSL_SPLIT; + +export { + redef enum Log::ID += { LOG_OCSP }; + redef enum Log::ID += { LOG_SSL }; + + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + type OCSP_Request_Type: record { + ts: time; + fuid: string; + req: OCSP::Request; + }; + + type OCSP_Response_Type: record { + ts: time; + fuid: string; + resp: OCSP::Response; + }; + + type Info_OCSP: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request timestamp + req_ts: time &log &optional; + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + req_index: count &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response timestamp + resp_ts: time &log &optional; + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + resp_index: count &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection id + cid: conn_id &log; + + ## HTTP connection uid + cuid: string &log; + + ## HTTP connection start time + conn_start_ts: time &log; + + ## the time between req_ts and resp_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log &optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log &optional; + + ## OCSP uri, this is uri in HTTP request + uri: string &log &optional; + + ## number of HTTP requests containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests; + ## this is copied from connection + num_ocsp: count &log &optional; + }; + + type Info_SSL: record { + ## connection id + id: conn_id &log; + + ## uid + uid: string &log; + + ## connection start time + conn_start_ts: time &log &optional; + + ## client hello time + client_hello_ts: time &log &optional; + + ## the time when client receives change cipher message + ## from server + change_cipher_ts: time &log &optional; + + ## the time when SSL connection is established + establish_ts: time &log &optional; + + ## the time when event connection_state_remove happens + end_ts: time &log &optional; + + ## the above are common information for SSL connection + ## the following is specific to an cert + + ## ocsp_uri + ocsp_uri: string &log &optional; + + ## serial_number + serial_number: string &log &optional; + + ## the time when the corresponding certificate is + ## received; formatted as: str(time),str(time) + cert_recv_ts: string &log &optional; + + ## issuer_name + ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name: string &log &optional; + }; + + ## a group of constant string for hash algorithm; to save + ## memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); +} + +redef record connection += { + ## track number of ocsp requests in this connection + num_ocsp: count &optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP_Request_Type + ocsp_requests: vector of OCSP_Request_Type &optional; + + ## OCSP_Response_Type + ocsp_responses: vector of OCSP_Response_Type &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; + + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + conn_start_ts: time &optional; + + ## the time when client hello event happens + client_hello_ts: time &optional; + + ## the time when ssl connection is established + establish_ts: time &optional; + + ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## indexed by ocsp_uri(string), serialNumber(string), issuer + ## name hash(string). issuer name hash is formatted as: + ## hash_algorithm1:value1,hash_algorithm2:value2 + cert_ts: table[string, string, string] of Queue::Queue &optional; +}; + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return s; + } + +# record the header length and update num_ocsp and conn_start_ts +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + } + c$http$num_ocsp = c$num_ocsp; + c$http$conn_start_ts = c$start_time; + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + local request: OCSP_Request_Type = [$ts = network_time(), + $fuid = f$id, + $req = req]; + if ( ! f$http?$ocsp_requests ) + f$http$ocsp_requests = vector(); + f$http$ocsp_requests[|f$http$ocsp_requests|] = request; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + local response: OCSP_Response_Type = [$ts = network_time(), + $fuid = f$id, + $resp = resp]; + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = vector(); + f$http$ocsp_responses[|f$http$ocsp_responses|] = response; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$conn_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( ! is_orig ) + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if ( ! ext?$name || ext$name != "Authority Information Access") + return; + + if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection TODO:TOCHECK + local c: connection; + # there should be only one loop? + for ( id in f$conns ) + c = f$conns[id]; + + if ( ! c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local issuer_name: string = ""; + + # loop through each hash algorithm + for ( i in hash_algorithm ) + { + local h: string = hash_algorithm[i]; + + # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); + if ( i != (|hash_algorithm| - 1)) + issuer_name += ","; + } + + # if given index is not in record, create a new queue + if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) + c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); + + # put the timing information in the queue + Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp_queue (q: Queue::Queue) + { + local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; + Queue::get_vector(q, rec); + for ( i in rec ) + Log::write(LOG_OCSP, rec[i]); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) + { + for ( cert_id in ocsp ) + log_unmatched_ocsp_queue(ocsp[cert_id]); + clear_table(ocsp); + } + +# update http data in ocsp info record +function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) + { + if ( http?$host ) + ocsp$host = http$host; + + if ( http?$uri ) + ocsp$uri = http$uri; + + if ( http?$status_code ) + ocsp$http_code = http$status_code; + + if ( http?$request_body_len ) + ocsp$req_size = http$request_body_len; + + if ( http?$request_header_len ) + ocsp$req_hdr_size = http$request_header_len; + + if ( http?$response_body_len ) + ocsp$resp_size = http$response_body_len; + + if ( http?$response_header_len ) + ocsp$resp_hdr_size = http$response_header_len; + } + +# get all the ocsp requests +function get_ocsp_requests(http: HTTP::Info): PendingRequests + { + local pending_ocsp_requests: PendingRequests = table(); + + if ( ! http?$ocsp_requests ) + return pending_ocsp_requests; + + for ( x in http$ocsp_requests ) + { + local request: OCSP_Request_Type = http$ocsp_requests[x]; + if ( ! request?$req ) + next; + + local req: OCSP::Request = request$req; + if ( ! req?$requestList ) + next; + + local req_index: count = 0; + for ( y in req$requestList ) + { + req_index += 1; + local one_req = req$requestList[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $req_ts = request$ts, + $req_index = req_index, + $req = req_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_rec, http); + + if ( cert_id !in pending_ocsp_requests ) + pending_ocsp_requests[cert_id] = Queue::init(); + + Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); + } + } + return pending_ocsp_requests; + } + +# log OCSP +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) + return; + + local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_ocsp(pending_ocsp_requests); + return; + } + + for ( x in http$ocsp_responses ) + { + local response: OCSP_Response_Type = http$ocsp_responses[x]; + if ( ! response?$resp ) + next; + + local resp: OCSP::Response = response$resp; + if ( ! resp?$responses ) + next; + + local resp_index: count = 0; + for ( y in resp$responses ) + { + resp_index += 1; + local single_resp: OCSP::SingleResp = resp$responses[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = response$ts, + $id = response$fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if ( single_resp?$nextUpdate ) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if ( cert_id in pending_ocsp_requests) + { + # find a match + local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); + ocsp_info$resp = resp_rec; + ocsp_info$resp_ts = response$ts; + ocsp_info$resp_index = resp_index; + + # update http info, previously filled in fill_ocsp_request + update_http_info(ocsp_info, http); + + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_ocsp_requests[cert_id]) == 0) + delete pending_ocsp_requests[cert_id]; + + Log::write(LOG_OCSP, ocsp_info); + } + else + { + local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $resp_ts = resp_rec$ts, + $resp_index = resp_index, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_noreq, http); + Log::write(LOG_OCSP, ocsp_info_noreq); + } + } + } + if ( |pending_ocsp_requests| != 0 ) + log_unmatched_ocsp(pending_ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +# update ssl info +function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) + { + if ( ssl?$conn_start_ts ) + ssl_rec$conn_start_ts = ssl$conn_start_ts; + + if ( ssl?$client_hello_ts ) + ssl_rec$client_hello_ts = ssl$client_hello_ts; + + if ( ssl?$establish_ts ) + ssl_rec$establish_ts = ssl$establish_ts; + + if ( ssl?$change_cipher_ts ) + ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + } + +# log SSL information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! c$ssl?$cert_ts ) + return; + + for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) + { + local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, + $uid = c$uid, + $end_ts = network_time()]; + + ssl_info_rec$ocsp_uri = ocsp_uri; + ssl_info_rec$serial_number = serial_number; + ssl_info_rec$issuer_name = issuer_name; + + # convert all the elements in the queue to a formatted string + local cert_recv_ts_str: string = ""; + local elem: vector of time; + Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); + for ( i in elem ) + { + cert_recv_ts_str += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + issuer_name += ","; + } + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + update_ssl_info(ssl_info_rec, c$ssl); + Log::write(LOG_SSL, ssl_info_rec); + #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; + } + clear_table(c$ssl$cert_ts); + } + +event bro_init() + { + Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); + Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); + } From 1f5a7aecbc1a2c348c1d2e6efa575d3afead754e Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 13 Jul 2015 15:23:56 -0700 Subject: [PATCH 018/288] change log schema for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 125 ++++++++++++------ 1 file changed, 87 insertions(+), 38 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f24fa2d47..d292697a69 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -86,11 +86,9 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; - ## OCSP host, this is host in HTTP request - host: string &log &optional; - - ## OCSP uri, this is uri in HTTP request - uri: string &log &optional; + ## host in HTTP request + uri in HTTP request + ## last '/' is removed + ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in ## this connection including this one; this may be @@ -100,6 +98,14 @@ export { num_ocsp: count &log &optional; }; + type Issuer_Name_Type: record { + sha1: string &log &optional; + sha224: string &log &optional; + sha256: string &log &optional; + sha384: string &log &optional; + sha512: string &log &optional; + }; + type Info_SSL: record { ## connection id id: conn_id &log; @@ -112,14 +118,22 @@ export { ## client hello time client_hello_ts: time &log &optional; + + ## server hello time + server_hello_ts: time &log &optional; - ## the time when client receives change cipher message - ## from server - change_cipher_ts: time &log &optional; + ## the time for client change cipher message + client_change_cipher_ts: time &log &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &log &optional; ## the time when SSL connection is established establish_ts: time &log &optional; + ## the time for the first encrypted application data + client_first_encrypt_ts: time &log &optional; + ## the time when event connection_state_remove happens end_ts: time &log &optional; @@ -137,15 +151,12 @@ export { cert_recv_ts: string &log &optional; ## issuer_name - ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name: string &log &optional; + issuer_name: Issuer_Name_Type &log &optional; }; - - ## a group of constant string for hash algorithm; to save - ## memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); } +redef SSL::disable_analyzer_after_detection=F; + redef record connection += { ## track number of ocsp requests in this connection num_ocsp: count &optional &default=0; @@ -178,22 +189,32 @@ redef record SSL::Info += { ## the time when client hello event happens client_hello_ts: time &optional; + ## server hello time + server_hello_ts: time &optional; + ## the time when ssl connection is established establish_ts: time &optional; - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - + ## the time for client change cipher message + client_change_cipher_ts: time &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &optional; + ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string). issuer name hash is formatted as: - ## hash_algorithm1:value1,hash_algorithm2:value2 - cert_ts: table[string, string, string] of Queue::Queue &optional; + ## name hash(string) + cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; + + ## the time for the first encrypted application data + client_first_encrypt_ts: time &optional; }; # remove the last '/' function clean_uri(s: string): string { local s_len = |s|; + if ( s_len == 0 ) + return s; s_len -= 1; if (s[-1] == "/") return clean_uri(s[0:s_len]); @@ -247,6 +268,12 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo f$http$ocsp_responses[|f$http$ocsp_responses|] = response; } +# add server hello time +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 + { + c$ssl$server_hello_ts = network_time(); + } + # add client hello time and connection start time event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) { @@ -257,8 +284,10 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_ # add time stamp for server's change cipher message event ssl_change_cipher_spec(c: connection, is_orig: bool) { - if ( ! is_orig ) - c$ssl$change_cipher_ts = network_time(); + if ( is_orig ) + c$ssl$client_change_cipher_ts = network_time(); + else + c$ssl$server_change_cipher_ts = network_time(); } # add ssl established time @@ -267,6 +296,16 @@ event ssl_established(c: connection) c$ssl$establish_ts = network_time(); } +# add time when first encrypted application data is sent from client +event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) + { + if ( ! c?$ssl ) + return; + + if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + } + # extract the full ocsp uri from certificate extension function get_ocsp_uri(s: string): string { @@ -312,18 +351,13 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { c$ssl$cert_ts = table(); local current_ts: time = network_time(); - local issuer_name: string = ""; - - # loop through each hash algorithm - for ( i in hash_algorithm ) - { - local h: string = hash_algorithm[i]; - # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); - if ( i != (|hash_algorithm| - 1)) - issuer_name += ","; - } + local issuer_name: Issuer_Name_Type; + issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); + issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); + issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); + issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); + issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); # if given index is not in record, create a new queue if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) @@ -354,10 +388,16 @@ function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { if ( http?$host ) - ocsp$host = http$host; + ocsp$ocsp_uri = http$host; if ( http?$uri ) - ocsp$uri = http$uri; + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri += http$uri; + else + ocsp$ocsp_uri = http$uri; + + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); if ( http?$status_code ) ocsp$http_code = http$status_code; @@ -529,11 +569,20 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_hello_ts ) ssl_rec$client_hello_ts = ssl$client_hello_ts; + if ( ssl?$client_first_encrypt_ts ) + ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + + if ( ssl?$server_hello_ts ) + ssl_rec$server_hello_ts = ssl$server_hello_ts; + if ( ssl?$establish_ts ) ssl_rec$establish_ts = ssl$establish_ts; - if ( ssl?$change_cipher_ts ) - ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + if ( ssl?$client_change_cipher_ts ) + ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; + + if ( ssl?$server_change_cipher_ts ) + ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } # log SSL information when ssl connection is removed @@ -560,7 +609,7 @@ event connection_state_remove(c: connection) &priority= -20 { cert_recv_ts_str += fmt("%f",elem[i]); if ( i != (|elem| - 1)) - issuer_name += ","; + cert_recv_ts_str += ","; } ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); From 01094bfc43545267ffff3679fbdac12656069777 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 00:40:39 -0700 Subject: [PATCH 019/288] add parsing ocsp request in get url --- scripts/base/files/ocsp/main.bro | 292 +++++++++++++----- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 34 +- 3 files changed, 253 insertions(+), 75 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62a414d3cf..62d7d2e785 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -14,7 +14,7 @@ export { redef enum Log::ID += { LOG }; ## type for pending ocsp request - type PendingRequests: table[OCSP::CertId] of Queue::Queue; + type PendingQueue: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests ## one ocsp request record @@ -22,7 +22,7 @@ export { ## time for the request ts: time; ## file id for this request - id: string &log; + id: string &log &optional; ## connection id cid: conn_id &optional; ## connection uid @@ -35,6 +35,8 @@ export { ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; + ## HTTP method + method: string &optional; }; ## NOTE: one file could contain several response @@ -94,52 +96,68 @@ export { ## response resp: Info_resp &log &optional; + + ## HTTP method + method: string &log &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); } -redef record connection += { - ## keep track of pending requests received so for - ocsp_requests: PendingRequests &optional; +redef record HTTP::Info += { + # there should be one request and response but use Queue here + # just in case + ocsp_requests: PendingQueue &optional; + ocsp_responses: PendingQueue &optional; + + current_content_type: string &optional &default=""; + original_uri: string &optional; + + # flag for checking get uri + checked_get: bool &optional &default=F; }; -event bro_init() &priority=5 +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + c$http$original_uri = original_URI; } -function get_http_info(f: fa_file, meta: fa_metadata) +event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) { - if (f$source != "HTTP" || !meta?$mime_type) + c$http$current_content_type = to_lower(ty + "/" + subty); + } + +function check_ocsp_file(f: fa_file, meta: fa_metadata) + { + if ( f$source != "HTTP" || ! f?$http ) return; # call OCSP file analyzer - if (meta$mime_type == "application/ocsp-request") + if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - else if (meta$mime_type == "application/ocsp-response") + } + else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } } event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 { if (f$source == "HTTP") - get_http_info(f, meta); + check_ocsp_file(f, meta); } -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 +function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) { - local conn: connection; - local cid: conn_id; - - # there should be only one loop: one connection - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( http?$method ) + req_rec$method = http$method; + } +function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) + { if (req?$requestList) { for (x in req$requestList) @@ -149,47 +167,57 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerNameHash = one_req$issuerNameHash, $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; - - if (req?$version) + local req_rec: OCSP::Info_req = [$ts = req_ts, + $certId = cert_id, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec$id = file_id; + + if ( req?$version ) req_rec$version = req$version; - if (req?$requestorName) + if ( req?$requestorName ) req_rec$requestorName = req$requestorName; - if (!conn?$ocsp_requests) - conn$ocsp_requests = table(); + if ( ! http?$ocsp_requests ) + http$ocsp_requests = table(); - if (cert_id !in conn$ocsp_requests) - conn$ocsp_requests[cert_id] = Queue::init(); + if ( cert_id !in http$ocsp_requests ) + http$ocsp_requests[cert_id] = Queue::init(); - Queue::put(conn$ocsp_requests[cert_id], req_rec); + update_http_info(http, req_rec); + Queue::put(http$ocsp_requests[cert_id], req_rec); } } else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; + local req_rec_empty: OCSP::Info_req = [$ts = req_ts, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec_empty$id = file_id; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); + update_http_info(http, req_rec_empty); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); } + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + if ( ! f?$http ) + return; + enq_request(f$http, req, f$id, network_time()); } event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { - local conn: connection; - local cid: conn_id; - - # there should be only one loop - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( ! f?$http ) + return; if (resp?$responses) { @@ -200,8 +228,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerNameHash = single_resp$issuerNameHash, $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, @@ -213,56 +243,172 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) - { - # find a match - local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - if (Queue::len(conn$ocsp_requests[cert_id]) == 0) - delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? - } - else - { - # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - } + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = table(); + + if ( cert_id !in f$http$ocsp_responses ) + f$http$ocsp_responses[cert_id] = Queue::init(); + + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else { # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + local info_rec: Info = [$ts = resp_rec_empty$ts, + $resp_ts = resp_rec_empty$ts, + $resp = resp_rec_empty, + $cid = f$http$id, + $cuid = f$http$uid]; + if ( f$http?$method ) + info_rec$method = f$http$method; + Log::write(LOG, info_rec); } } -function log_unmatched_msgs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); - for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); + { + local info_rec: Info = [$ts = reqs[i]$ts, + $certId = reqs[i]$certId, + $req = reqs[i], + $cid = reqs[i]$cid, + $cuid = reqs[i]$cuid]; + if ( reqs[i]?$method ) + info_rec$method = reqs[i]$method; + Log::write(LOG, info_rec); + } } -function log_unmatched_msgs(msgs: PendingRequests) +function log_unmatched_reqs(reqs: PendingQueue) { - for ( cert_id in msgs ) - log_unmatched_msgs_queue(msgs[cert_id]); - - clear_table(msgs); + for ( cert_id in reqs ) + log_unmatched_reqs_queue(reqs[cert_id]); + clear_table(reqs); } -# need to log unmatched ocsp request if any -event connection_state_remove(c: connection) &priority= -5 +function remove_first_slash(s: string): string { - if (! c?$ocsp_requests) + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) return; - log_unmatched_msgs(c$ocsp_requests); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_reqs(http$ocsp_requests); + return; + } + + for ( cert_id in http$ocsp_responses ) + { + while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) + { + # have unmatched responses + local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); + local info_rec: Info = [$ts = resp_rec$ts, + $certId = resp_rec$certId, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $method = http$method]; + + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec; + info_rec$ts = req_rec$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + else + { + if ( http$method == "GET" && ! http$checked_get ) + { + http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(http); + enq_request(http, req_get, "", http$ts); + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec_tmp; + info_rec$ts = req_rec_tmp$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + } + } + Log::write(LOG, info_rec); + } + if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) + delete http$ocsp_responses[cert_id]; + } + if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) + log_unmatched_reqs(http$ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d49d8d4beb..d0b1a62f90 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -373,7 +373,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) { len = -1; len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 1) + if (len > 0) ocsp_req_record->Assign(1, new StringVal(len, buf)); } diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif index 19d9ac1cb5..164b4a63ec 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/ocsp/functions.bif @@ -9,7 +9,7 @@ ## ## Returns: A OCSP::Response structure. ## -## .. bro:see:: ssl_stapled_ocsp +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response %{ const unsigned char* start = ocsp_reply->Bytes(); @@ -34,3 +34,35 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response //Unref(resp_record); return resp_record; %} + +## Parses a OCSP request into an OCSP::Request structure. +## +## ocsp_req: OCSP data. +## +## Returns: A OCSP::Request structure. +## +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response +function ocsp_parse_request%(ocsp_req: string%): OCSP::Request + %{ + const unsigned char* start = ocsp_req->Bytes(); + OCSP_REQUEST *req = NULL; + file_analysis::OCSP_REQVal* req_val = NULL; + RecordVal* req_record = NULL; + req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); + if ( ! req ) + { + reporter->Weird("OPENSSL Could not parse OCSP request"); + return NULL; + } + req_val = new file_analysis::OCSP_REQVal(req); + req_record = file_analysis::OCSP::ParseRequest(req_val); + if (!req_record) + { + reporter->Weird("Internal fail to parse OCSP request"); + Unref(req_val); + return NULL; + } + Unref(req_val); + //Unref(req_record); + return req_record; + %} From c2f1c428f0b460923d27df5f2134dd6bb10e68fc Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:06:12 -0700 Subject: [PATCH 020/288] fix a bug and update baseline --- scripts/base/files/ocsp/main.bro | 7 ++++--- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62d7d2e785..f567b7fb8a 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -363,8 +363,7 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid, - $method = http$method]; + $cuid = http$uid]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { @@ -377,7 +376,7 @@ function start_log_ocsp(http: HTTP::Info) } else { - if ( http$method == "GET" && ! http$checked_get ) + if ( http?$method && http$method == "GET" && ! http$checked_get ) { http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(http); @@ -393,6 +392,8 @@ function start_log_ocsp(http: HTTP::Info) } } } + if ( http?$method ) + info_rec$method = http$method; Log::write(LOG, info_rec); } if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 3ac21e3f22..555d7436f1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-03-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-06-23-03-35 +#open 2015-07-15-07-54-54 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST +#close 2015-07-15-07-54-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 53c2b598d5..a57882aa1c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-10 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-10 +#open 2015-07-15-07-55-45 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST +#close 2015-07-15-07-55-45 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4889fdc434..d4c551027e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-43 +#open 2015-07-15-08-02-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - +#close 2015-07-15-08-02-35 From fc35ab9bf5b78f088a795f35c01e54ec82c01b84 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:30:46 -0700 Subject: [PATCH 021/288] add a btest for ocsp http get --- .../ocsp.log | 10 ++++++++++ testing/btest/Traces/tls/ocsp-http-get.pcap | Bin 0 -> 1812 bytes .../base/protocols/ssl/ocsp-http-get.test | 4 ++++ 3 files changed, 14 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-http-get.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log new file mode 100644 index 0000000000..8ceb5e9770 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-15-08-22-46 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-08-22-46 diff --git a/testing/btest/Traces/tls/ocsp-http-get.pcap b/testing/btest/Traces/tls/ocsp-http-get.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e264d59f2b0ed64290cd7fc9c43d68c23bbb0eae GIT binary patch literal 1812 zcmaKs4@?tx6vyvMTeVt6M;PGTZetk!mEJ*H%OOgEwty6nwtojY{9uL=!|69Ow_nd-S1ZdPIPPfOMdt6 z-RHgEd*9zX|Hb}6879Xb{Nxx8A9i%V<8+qEu?o0H3tQTIbz5|+&~R#D=WNW3Vat=p zi?AZ)@%m$Xl);Piv7FH%tVZrybR9Vl$i(@e`r7tli_L6XzuIA{DE2wUQlG8F>T{Zkiydt`tEl(8c<;LU zl4g5tU>#@)QdY*FmRsClTJ5w;q}AdN8}ow<z9ITwp$Qb#^aV4p3_E`ZNDY-gMTX)4{E zFYNXKngE=}Y0m~+%t1fxVCFo$m*IRg;cI7vY{CoHvTg~eRV6&f0S^jG69E7Ojhkg! zpMgjtB7^aN?7^#+>CC9F1wT4jz1ux%llr~_W;r~fZMI}lreNE0YV<75mk z5Fcby2{@nRrwN@QPpzug)Z6Wv8j+W#>JG&ehjh{uk!y^ac_M3~3>c)GgDY2UY?i2M-*J z%6rgT+%O8C@J+3>LHL-$uFC%=Xul&;9+pA>WXxGT1(!X=76aU;} z`rttNjd_OMs=4>`WR9IZKR#p4I-53pVTc*gZdv~B^UXco1K$<>wrj`zy<4ls#yd`b zd`5G2Ueet)eLY*egJ0dNyqG);GM_ri22Mv8I@3ITV=pz0zOr)O#z1n1>)JPM;lsC^ zGFEus+P7iz>Pz`Wul@Dpf+rTI?`d@1db8=wBOV=$o;Nbded|E*(Lh$ z&-PT-|%(>y53t`a`{)CkKZ=+jVJqRlitR`Kn{&-0Ry*%3qlH{HJqbVSeh# z-G@7`b)Dzlu9B{_(RX^$O{;@9?SH2Jud%7W=HVHg5be0o-2$inAI&|}GkPVuzyAQq CCRr%} literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test new file mode 100644 index 0000000000..10ccc80c63 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test @@ -0,0 +1,4 @@ +# This tests a normal OCSP request sent through HTTP GET + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From fb757d96a6724f199d9d194148c331ba51c8145a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 10:39:46 -0700 Subject: [PATCH 022/288] clean up ocsp/main.bro --- scripts/base/files/ocsp/main.bro | 110 ++++++++++++++----------------- 1 file changed, 50 insertions(+), 60 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index f567b7fb8a..6c23bb2de9 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -214,6 +214,48 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function remove_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) @@ -273,6 +315,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo info_rec$method = f$http$method; Log::write(LOG, info_rec); } + + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get ) + { + f$http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(f$http); + enq_request(f$http, req_get, "", f$http$ts); + } } function log_unmatched_reqs_queue(q: Queue::Queue) @@ -299,48 +349,6 @@ function log_unmatched_reqs(reqs: PendingQueue) clear_table(reqs); } -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return s[1:s_len]; - else - return s; - } - -function get_uri_prefix(s: string): string - { - s = remove_first_slash(s); - local w = split_string(s, /\//); - if (|w| > 1) - return w[0]; - else - return ""; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - - local uri: string = remove_first_slash(http$uri); - local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - return parsed_req; - } - function start_log_ocsp(http: HTTP::Info) { if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) @@ -374,24 +382,6 @@ function start_log_ocsp(http: HTTP::Info) if (Queue::len(http$ocsp_requests[cert_id]) == 0) delete http$ocsp_requests[cert_id]; } - else - { - if ( http?$method && http$method == "GET" && ! http$checked_get ) - { - http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(http); - enq_request(http, req_get, "", http$ts); - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec_tmp; - info_rec$ts = req_rec_tmp$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - } - } if ( http?$method ) info_rec$method = http$method; Log::write(LOG, info_rec); From f0c642cd25550a6d8dcd4bad82662e4f36a1c475 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 13:31:41 -0700 Subject: [PATCH 023/288] update logging for ocsp and baseline --- scripts/base/files/ocsp/main.bro | 63 +++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 243 +++--------------- .../ocsp.log | 10 +- .../ocsp.log | 10 +- .../ocsp.log | 10 +- 5 files changed, 98 insertions(+), 238 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 6c23bb2de9..39b4671bb9 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -21,7 +21,8 @@ export { type Info_req: record { ## time for the request ts: time; - ## file id for this request + ## file id for this request or + ## hash of the GET url if it's GET request id: string &log &optional; ## connection id cid: conn_id &optional; @@ -31,8 +32,14 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; + ## NOTE: the above are for one file which may contain ## several ocsp requests + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + index: count &log &optional; ## request cert id certId: OCSP::CertId &optional; ## HTTP method @@ -64,6 +71,11 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + index: count &log &optional; ##cert id certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) @@ -99,10 +111,15 @@ export { ## HTTP method method: string &log &optional; + + ## HTTP record + http: HTTP::Info &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); + + global get_uri_prefix: function(s: string): string; } redef record HTTP::Info += { @@ -156,10 +173,12 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } -function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) +function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { + local index: count = 0; if (req?$requestList) { + index += 1; for (x in req$requestList) { local one_req = req$requestList[x]; @@ -170,10 +189,10 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec$id = file_id; - + $cuid = http$uid, + $index = index, + $id = req_id]; + if ( req?$version ) req_rec$version = req$version; @@ -195,15 +214,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ # no request content? this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec_empty$id = file_id; + $cuid = http$uid, + $id = req_id]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } } @@ -263,8 +281,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (resp?$responses) { + local index: count = 0; for (x in resp$responses) { + index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, $issuerNameHash = single_resp$issuerNameHash, @@ -279,6 +299,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $index = index, $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; @@ -310,7 +331,8 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, $cid = f$http$id, - $cuid = f$http$uid]; + $cuid = f$http$uid, + $http = f$http]; if ( f$http?$method ) info_rec$method = f$http$method; Log::write(LOG, info_rec); @@ -321,11 +343,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { f$http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "", f$http$ts); + enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); } } -function log_unmatched_reqs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); @@ -335,17 +357,19 @@ function log_unmatched_reqs_queue(q: Queue::Queue) $certId = reqs[i]$certId, $req = reqs[i], $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid]; + $cuid = reqs[i]$cuid, + $http = http]; if ( reqs[i]?$method ) info_rec$method = reqs[i]$method; Log::write(LOG, info_rec); } } -function log_unmatched_reqs(reqs: PendingQueue) +function log_unmatched_reqs(http: HTTP::Info) { + local reqs: PendingQueue = http$ocsp_requests; for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id]); + log_unmatched_reqs_queue(reqs[cert_id], http); clear_table(reqs); } @@ -356,7 +380,7 @@ function start_log_ocsp(http: HTTP::Info) if ( ! http?$ocsp_responses ) { - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); return; } @@ -371,7 +395,8 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid]; + $cuid = http$uid, + $http = http]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { @@ -390,7 +415,7 @@ function start_log_ocsp(http: HTTP::Info) delete http$ocsp_responses[cert_id]; } if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); } # log OCSP information diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index d292697a69..4594c55cfc 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -13,31 +13,12 @@ export { redef enum Log::ID += { LOG_OCSP }; redef enum Log::ID += { LOG_SSL }; - type PendingRequests: table[OCSP::CertId] of Queue::Queue; - - type OCSP_Request_Type: record { - ts: time; - fuid: string; - req: OCSP::Request; - }; - - type OCSP_Response_Type: record { - ts: time; - fuid: string; - resp: OCSP::Response; - }; - type Info_OCSP: record { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; ## request timestamp req_ts: time &log &optional; - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - req_index: count &log &optional; ## request ## NOTE: this is only one request if multiple requests @@ -48,11 +29,6 @@ export { ## response timestamp resp_ts: time &log &optional; - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - resp_index: count &log &optional; - ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be @@ -86,8 +62,12 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; + ## HTTP method + method: string &log &optional; + ## host in HTTP request + uri in HTTP request ## last '/' is removed + ## for GET request, OCSP request is remove from url ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in @@ -168,12 +148,6 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## OCSP_Request_Type - ocsp_requests: vector of OCSP_Request_Type &optional; - - ## OCSP_Response_Type - ocsp_responses: vector of OCSP_Response_Type &optional; - ## connection start time, copied from connection conn_start_ts: time &optional; @@ -242,32 +216,6 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$conn_start_ts = c$start_time; } -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - local request: OCSP_Request_Type = [$ts = network_time(), - $fuid = f$id, - $req = req]; - if ( ! f$http?$ocsp_requests ) - f$http$ocsp_requests = vector(); - f$http$ocsp_requests[|f$http$ocsp_requests|] = request; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! f?$http ) - return; - local response: OCSP_Response_Type = [$ts = network_time(), - $fuid = f$id, - $resp = resp]; - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = vector(); - f$http$ocsp_responses[|f$http$ocsp_responses|] = response; - } - # add server hello time event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 { @@ -367,26 +315,14 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } -# log unmatched ocsp request or response -function log_unmatched_ocsp_queue (q: Queue::Queue) - { - local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; - Queue::get_vector(q, rec); - for ( i in rec ) - Log::write(LOG_OCSP, rec[i]); - } - -# log unmatched ocsp request or response -function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) - { - for ( cert_id in ocsp ) - log_unmatched_ocsp_queue(ocsp[cert_id]); - clear_table(ocsp); - } - -# update http data in ocsp info record function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; + + if ( http?$method ) + ocsp$method = http$method; + if ( http?$host ) ocsp$ocsp_uri = http$host; @@ -396,9 +332,18 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; + if ( http?$method && http$method == "GET" && http?$original_uri ) + { + local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( http?$host ) + ocsp$ocsp_uri = http$host; + if ( |uri_prefix| > 0) + ocsp$ocsp_uri += "/" + uri_prefix; + } + if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - + if ( http?$status_code ) ocsp$http_code = http$status_code; @@ -415,147 +360,37 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$resp_hdr_size = http$response_header_len; } -# get all the ocsp requests -function get_ocsp_requests(http: HTTP::Info): PendingRequests +function start_log_ocsp(rec: OCSP::Info) { - local pending_ocsp_requests: PendingRequests = table(); + local http: HTTP::Info = rec$http; + local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts]; - if ( ! http?$ocsp_requests ) - return pending_ocsp_requests; - - for ( x in http$ocsp_requests ) + if ( rec?$certId ) + info_ocsp_rec$cert_id = rec$certId; + + if ( rec?$req ) { - local request: OCSP_Request_Type = http$ocsp_requests[x]; - if ( ! request?$req ) - next; - - local req: OCSP::Request = request$req; - if ( ! req?$requestList ) - next; - - local req_index: count = 0; - for ( y in req$requestList ) - { - req_index += 1; - local one_req = req$requestList[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $req_ts = request$ts, - $req_index = req_index, - $req = req_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_rec, http); - - if ( cert_id !in pending_ocsp_requests ) - pending_ocsp_requests[cert_id] = Queue::init(); - - Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); - } + info_ocsp_rec$req = rec$req; + info_ocsp_rec$req_ts = rec$req$ts; } - return pending_ocsp_requests; - } -# log OCSP -function start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); - - if ( ! http?$ocsp_responses ) + if ( rec?$resp ) { - log_unmatched_ocsp(pending_ocsp_requests); - return; + info_ocsp_rec$resp = rec$resp; + info_ocsp_rec$resp_ts = rec$resp$ts; } - - for ( x in http$ocsp_responses ) - { - local response: OCSP_Response_Type = http$ocsp_responses[x]; - if ( ! response?$resp ) - next; - local resp: OCSP::Response = response$resp; - if ( ! resp?$responses ) - next; + if ( rec?$req && rec?$resp ) + info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - local resp_index: count = 0; - for ( y in resp$responses ) - { - resp_index += 1; - local single_resp: OCSP::SingleResp = resp$responses[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = response$ts, - $id = response$fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if ( single_resp?$nextUpdate ) - resp_rec$nextUpdate = single_resp$nextUpdate; - - if ( cert_id in pending_ocsp_requests) - { - # find a match - local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); - ocsp_info$resp = resp_rec; - ocsp_info$resp_ts = response$ts; - ocsp_info$resp_index = resp_index; - - # update http info, previously filled in fill_ocsp_request - update_http_info(ocsp_info, http); - - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_ocsp_requests[cert_id]) == 0) - delete pending_ocsp_requests[cert_id]; - - Log::write(LOG_OCSP, ocsp_info); - } - else - { - local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $resp_ts = resp_rec$ts, - $resp_index = resp_index, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_noreq, http); - Log::write(LOG_OCSP, ocsp_info_noreq); - } - } - } - if ( |pending_ocsp_requests| != 0 ) - log_unmatched_ocsp(pending_ocsp_requests); + update_http_info(info_ocsp_rec, http); + Log::write(LOG_OCSP, info_ocsp_rec); } # log OCSP information -event HTTP::log_http(rec: HTTP::Info) +event OCSP::log_ocsp(rec: OCSP::Info) { start_log_ocsp(rec); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 555d7436f1..1cb587ca17 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-54-54 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST -#close 2015-07-15-07-54-54 +#open 2015-07-15-20-25-27 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2015-07-15-20-25-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index a57882aa1c..881f614583 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-55-45 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-07-55-45 +#open 2015-07-15-20-24-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z POST +#close 2015-07-15-20-24-11 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index d4c551027e..4027016f1d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-02-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - -#close 2015-07-15-08-02-35 +#open 2015-07-15-20-26-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - +#close 2015-07-15-20-26-36 From 00a0313967b71ac496e468fac84c89d51b987749 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:10:05 -0700 Subject: [PATCH 024/288] fix a bug for parsing OCSP Get request --- scripts/base/files/ocsp/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 39b4671bb9..b605374d51 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -236,7 +236,7 @@ function remove_first_slash(s: string): string { local s_len = |s|; if (s[0] == "/") - return s[1:s_len]; + return remove_first_slash(s[1:s_len]); else return s; } From cb0aa7725ee2e3b131305b3777b29bf8b2ad894d Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:20:57 -0700 Subject: [PATCH 025/288] fix a few bug for logging --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 59 ++++++++++++------- .../ocsp.log | 10 ++-- 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 4594c55cfc..2862a96dfb 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -148,11 +148,8 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection start time, copied from connection - conn_start_ts: time &optional; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; + ## connection used to get num_ocsp and connection start time + conn: connection &optional; }; # add additional information to ssl info @@ -196,24 +193,47 @@ function clean_uri(s: string): string return s; } -# record the header length and update num_ocsp and conn_start_ts +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" ) + f$http$conn$num_ocsp += 1; + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + f$http$conn$num_ocsp += 1; + } + +event http_reply (c: connection, version: string, code: count, reason: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +# record the header length event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses ) - return; - + if ( ! c?$http ) + return; if ( is_orig ) - { c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } else - { c$http$response_header_len = stat$header_length; - } - c$http$num_ocsp = c$num_ocsp; - c$http$conn_start_ts = c$start_time; } # add server hello time @@ -317,8 +337,7 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; + ocsp$num_ocsp = http$conn$num_ocsp; if ( http?$method ) ocsp$method = http$method; @@ -365,7 +384,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; + $conn_start_ts = http$conn$start_time]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 8ceb5e9770..692581c871 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-22-46 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-08-22-46 +#open 2015-07-15-20-38-15 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-20-38-15 From d20925f230bf9ced2f167af9c3fb030db5277cee Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 19:07:13 -0700 Subject: [PATCH 026/288] make parsing GET url more robust --- scripts/base/files/ocsp/main.bro | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index b605374d51..d93ee7a673 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -232,6 +232,15 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function get_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return "/" + get_first_slash(s[1:s_len]); + else + return ""; + } + function remove_first_slash(s: string): string { local s_len = |s|; @@ -243,12 +252,11 @@ function remove_first_slash(s: string): string function get_uri_prefix(s: string): string { - s = remove_first_slash(s); - local w = split_string(s, /\//); + local uri_prefix = get_first_slash(s); + local w = split_string(s[|uri_prefix|:], /\//); if (|w| > 1) - return w[0]; - else - return ""; + uri_prefix += w[0] + "/"; + return uri_prefix; } function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request @@ -256,20 +264,8 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local parsed_req: OCSP::Request; if ( ! http?$original_uri ) return parsed_req;; - - local uri: string = remove_first_slash(http$uri); local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } + local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); return parsed_req; } From 569e637eb15b737f7622f81f050ba356c6f4eef5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 19:31:58 -0700 Subject: [PATCH 027/288] small changes for parsing GET url --- scripts/base/files/ocsp/main.bro | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index d93ee7a673..020ba096cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -254,8 +254,12 @@ function get_uri_prefix(s: string): string { local uri_prefix = get_first_slash(s); local w = split_string(s[|uri_prefix|:], /\//); - if (|w| > 1) - uri_prefix += w[0] + "/"; + local i = 0; + while ( i < (|w| - 1) ) + { + uri_prefix += w[i] + "/"; + i += 1; + } return uri_prefix; } From 6c9b49a5d7e6eb7116afb45c1f0a6bc90baeac0f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 17 Jul 2015 16:00:18 -0700 Subject: [PATCH 028/288] fix a bug for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2862a96dfb..2dee529cf1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -439,6 +439,21 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } +# convert all the elements in the queue to a formatted string +function convert_time_q2str(q: Queue::Queue, sep: string): string + { + local s = ""; + local elem: vector of time = vector(); + Queue::get_vector(q, elem); + for ( i in elem ) + { + s += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + s += sep; + } + return s; + } + # log SSL information when ssl connection is removed event connection_state_remove(c: connection) &priority= -20 { @@ -450,22 +465,12 @@ event connection_state_remove(c: connection) &priority= -20 local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, $uid = c$uid, $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; ssl_info_rec$serial_number = serial_number; ssl_info_rec$issuer_name = issuer_name; - - # convert all the elements in the queue to a formatted string - local cert_recv_ts_str: string = ""; - local elem: vector of time; - Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); - for ( i in elem ) - { - cert_recv_ts_str += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - cert_recv_ts_str += ","; - } - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); + if (|cert_recv_ts_str| > 0) + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; From 0c3b03ac8da95edbf730611b17c2886565573be5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 01:06:31 -0700 Subject: [PATCH 029/288] log original uri and fix GET url parsing --- scripts/base/files/ocsp/main.bro | 18 ++++++++++++++++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 020ba096cf..551322b4bc 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -176,7 +176,7 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; - if (req?$requestList) + if ( req?$requestList && |req$requestList| > 0 ) { index += 1; for (x in req$requestList) @@ -271,6 +271,20 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local uri_prefix: string = get_uri_prefix(http$original_uri); local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) + { + # normal parse fails, bug url, natively try each part + local w = split_string(http$original_uri, /\//); + local s = ""; + for ( i in w ) + { + s += "/" + w[i]; + ocsp_req_str = http$uri[|s|:]; + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + break; + } + } return parsed_req; } @@ -279,7 +293,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f?$http ) return; - if (resp?$responses) + if ( resp?$responses && |resp$responses| > 0 ) { local index: count = 0; for (x in resp$responses) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2dee529cf1..69bffb19ed 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -76,6 +76,9 @@ export { ## HTTP request may contain several OCSP requests; ## this is copied from connection num_ocsp: count &log &optional; + + ## the original_uri in HTTP request + original_uri: string &log &optional; }; type Issuer_Name_Type: record { @@ -342,6 +345,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$original_uri ) + ocsp$original_uri = http$original_uri; + if ( http?$host ) ocsp$ocsp_uri = http$host; From 4e8d15d8d19f82e04f2cffb48e9fcc976efe1950 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 01:53:28 -0700 Subject: [PATCH 030/288] small bug fix --- scripts/base/files/ocsp/main.bro | 7 +++++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 9 +++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 551322b4bc..80fd356f29 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -133,6 +133,9 @@ redef record HTTP::Info += { # flag for checking get uri checked_get: bool &optional &default=F; + + # uri prefix: this the GET url without ocsp request + uri_prefix: string &optional; }; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) @@ -269,6 +272,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) @@ -282,7 +286,10 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + { + http$uri_prefix = s; break; + } } } return parsed_req; diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bffb19ed..69bdfb8548 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -357,13 +357,14 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; - if ( http?$method && http$method == "GET" && http?$original_uri ) + if ( http?$method && http$method == "GET" && http?$uri_prefix ) { - local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri = ""; if ( http?$host ) ocsp$ocsp_uri = http$host; - if ( |uri_prefix| > 0) - ocsp$ocsp_uri += "/" + uri_prefix; + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri += http$uri_prefix; } if ( ocsp?$ocsp_uri ) From b4fce308f0bef06c73152fd192a00d961a0351af Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 19:36:47 -0700 Subject: [PATCH 031/288] minor change to deal with empty request --- scripts/base/files/ocsp/main.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 80fd356f29..5c01951a66 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -212,15 +212,15 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t Queue::put(http$ocsp_requests[cert_id], req_rec); } } - else + else if ( req?$version ) { - # no request content? this is weird but log it anyway + # it's ocsp request but has no request content + # this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id]; - if (req?$version) - req_rec_empty$version = req$version; + $id = req_id, + $version = req$version]; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); From fa654121ec5f77b75329c56884633f85a0df6446 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 20 Jul 2015 15:46:21 -0700 Subject: [PATCH 032/288] fix url parsing bug --- scripts/base/files/ocsp/main.bro | 4 ++-- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 5c01951a66..1ae854b991 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -277,12 +277,12 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) { - # normal parse fails, bug url, natively try each part + # normal parse fails, bug url, naively try each part local w = split_string(http$original_uri, /\//); local s = ""; for ( i in w ) { - s += "/" + w[i]; + s += w[i] + "/"; ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bdfb8548..e8318e145e 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -78,7 +78,10 @@ export { num_ocsp: count &log &optional; ## the original_uri in HTTP request - original_uri: string &log &optional; + original_uri: string &log &optional; + + ## host in HTTP request + host: string &log &optional; }; type Issuer_Name_Type: record { @@ -349,13 +352,21 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$original_uri = http$original_uri; if ( http?$host ) + { + ocsp$host = http$host; ocsp$ocsp_uri = http$host; + } if ( http?$uri ) + { + local uri_str = http$uri; + if ( http$uri == "http://" + http$host ) + uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += http$uri; + ocsp$ocsp_uri += uri_str; else - ocsp$ocsp_uri = http$uri; + ocsp$ocsp_uri = uri_str; + } if ( http?$method && http$method == "GET" && http?$uri_prefix ) { From 5f2cb840d7e7d01327a390771a3738db9cde1acb Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 20 Jul 2015 16:55:19 -0700 Subject: [PATCH 033/288] add user_agent to ocsp-to-match log --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index e8318e145e..38587496a4 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -82,6 +82,9 @@ export { ## host in HTTP request host: string &log &optional; + + ## user_agent + user_agent: string &log &optional; }; type Issuer_Name_Type: record { @@ -348,6 +351,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$user_agent ) + ocsp$user_agent = http$user_agent; + if ( http?$original_uri ) ocsp$original_uri = http$original_uri; From 462f6608a8659a6cfbfb9ea6974a0589de6ad1f5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 14:44:33 -0700 Subject: [PATCH 034/288] log the time for server first encrypted application data --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 38587496a4..76b244cfe5 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -120,8 +120,11 @@ export { ## the time when SSL connection is established establish_ts: time &log &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &log &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &log &optional; ## the time when event connection_state_remove happens end_ts: time &log &optional; @@ -185,8 +188,11 @@ redef record SSL::Info += { ## name hash(string) cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &optional; }; # remove the last '/' @@ -279,8 +285,13 @@ event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, leng if ( ! c?$ssl ) return; - if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); + if ( content_type == SSL::APPLICATION_DATA && length > 0 ) + { + if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + else if ( ! is_orig && ! c$ssl?$server_first_encrypt_ts ) + c$ssl$server_first_encrypt_ts = network_time(); + } } # extract the full ocsp uri from certificate extension @@ -450,6 +461,9 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_first_encrypt_ts ) ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + if ( ssl?$server_first_encrypt_ts ) + ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; + if ( ssl?$server_hello_ts ) ssl_rec$server_hello_ts = ssl$server_hello_ts; From cea1b62a9a13fba851c2dcc9ca09a0eb12ae4dc2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 23:38:56 -0700 Subject: [PATCH 035/288] small bug fix --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 76b244cfe5..853f4d65b1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -377,7 +377,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$uri ) { local uri_str = http$uri; - if ( http$uri == "http://" + http$host ) + if ( http?$host && http$uri == "http://" + http$host ) uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; From 49c570593a817d398108e5be3d27b60c64c0b3ba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 23 Jul 2015 15:46:23 -0700 Subject: [PATCH 036/288] check value before assign --- scripts/base/files/ocsp/main.bro | 150 +++++++++++++++++++++---------- scripts/base/init-bare.bro | 8 +- 2 files changed, 107 insertions(+), 51 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1ae854b991..1362330cf1 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -58,15 +58,15 @@ export { ## connection uid cuid: string &optional; ## responseStatus (different from cert status?) - responseStatus: string &log; + responseStatus: string &log &optional; ## responseType - responseType: string &log; + responseType: string &log &optional; ## version - version: count &log; + version: count &log &optional; ## responderID - responderID: string &log; + responderID: string &log &optional; ## producedAt - producedAt: string &log; + producedAt: string &log &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -176,6 +176,33 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } +function update_request_info(rec: Info_req, req: OCSP::Request) + { + if ( req?$version ) + rec$version = req$version; + + if ( req?$requestorName ) + rec$requestorName = req$requestorName; + } + +function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( one_req?$hashAlgorithm ) + cert_id$hashAlgorithm = one_req$hashAlgorithm; + + if ( one_req?$issuerNameHash ) + cert_id$issuerNameHash = one_req$issuerNameHash; + + if ( one_req?$issuerKeyHash ) + cert_id$issuerKeyHash = one_req$issuerKeyHash; + + if ( one_req?$serialNumber ) + cert_id$serialNumber = one_req$serialNumber; + + return cert_id; + } + function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; @@ -185,22 +212,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t for (x in req$requestList) { local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; + local cert_id: OCSP::CertId = cert_id_from_request(one_req); local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, $cuid = http$uid, $index = index, $id = req_id]; - - if ( req?$version ) - req_rec$version = req$version; - - if ( req?$requestorName ) - req_rec$requestorName = req$requestorName; + update_request_info(req_rec, req); if ( ! http?$ocsp_requests ) http$ocsp_requests = table(); @@ -219,10 +238,8 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id, - $version = req$version]; - if (req?$requestorName) - req_rec_empty$requestorName = req$requestorName; + $id = req_id]; + update_request_info(req_rec_empty, req); update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } @@ -295,6 +312,60 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request return parsed_req; } +function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) + { + if ( single_resp?$certStatus ) + rec$certStatus = single_resp$certStatus; + + if ( single_resp?$thisUpdate ) + rec$thisUpdate = single_resp$thisUpdate; + + if ( single_resp?$nextUpdate ) + rec$nextUpdate = single_resp$nextUpdate; + } + +function update_response_info(rec: Info_resp, resp: OCSP::Response) + { + if ( resp?$responseStatus ) + rec$responseStatus = resp$responseStatus; + + if ( resp?$responseType ) + rec$responseType = resp$responseType; + + if ( resp?$version ) + rec$version = resp$version; + + if ( resp?$responderID ) + rec$responderID = resp$responderID; + + if ( resp?$producedAt ) + rec$producedAt = resp$producedAt; + } + +function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) + { + update_response_info(rec, resp); + update_response_info_single(rec, single_resp); + } + +function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( single_resp?$hashAlgorithm ) + cert_id$hashAlgorithm = single_resp$hashAlgorithm; + + if ( single_resp?$issuerNameHash ) + cert_id$issuerNameHash = single_resp$issuerNameHash; + + if ( single_resp?$issuerKeyHash ) + cert_id$issuerKeyHash = single_resp$issuerKeyHash; + + if ( single_resp?$serialNumber ) + cert_id$serialNumber = single_resp$serialNumber; + + return cert_id; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) @@ -307,25 +378,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $index = index, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; + local cert_id: OCSP::CertId = cert_id_from_response(single_resp); + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, + $index = index, + $certId = cert_id]; + update_response_info_with_single(resp_rec, resp, single_resp); if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); @@ -339,15 +399,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo else { # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid]; + update_response_info(resp_rec_empty, resp); local info_rec: Info = [$ts = resp_rec_empty$ts, $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 6ec756c28e..61fd2b5094 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2998,10 +2998,10 @@ export { signature: string &optional; #&log; }; type CertId: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; + hashAlgorithm: string &log &optional; + issuerNameHash: string &log &optional; + issuerKeyHash: string &log &optional; + serialNumber: string &log &optional; }; } From 5d168792ee82b79e1419d475e94f5ac952b74357 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 28 Jul 2015 16:20:38 -0700 Subject: [PATCH 037/288] deal with bug url --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 44 ++++++++++++++++--- 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 853f4d65b1..7f743e6594 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -355,6 +355,28 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } +function clean_bug_host(host: string): string + { + local s: string = host; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + return s; + } + +function clean_bug_uri(uri: string, host: string): string + { + local s: string = uri; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + + if ( |host| > 0 && s[0:|host|] == host ) + s = s[|host|:]; + + return s; + } + function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { ocsp$num_ocsp = http$conn$num_ocsp; @@ -368,17 +390,27 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$original_uri ) ocsp$original_uri = http$original_uri; + local host_str: string = ""; + if ( http?$host ) + host_str = clean_bug_host(http$host); + + local uri_str: string = ""; + if ( http?$uri) + { + if (http?$host) + uri_str = clean_bug_uri(http$uri, host_str); + else + uri_str = clean_bug_uri(http$uri, ""); + } + if ( http?$host ) { - ocsp$host = http$host; - ocsp$ocsp_uri = http$host; + ocsp$host = host_str; + ocsp$ocsp_uri = host_str; } if ( http?$uri ) { - local uri_str = http$uri; - if ( http?$host && http$uri == "http://" + http$host ) - uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; else @@ -390,7 +422,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( |http$uri_prefix| > 0) ocsp$ocsp_uri = ""; if ( http?$host ) - ocsp$ocsp_uri = http$host; + ocsp$ocsp_uri = host_str; if ( |http$uri_prefix| > 0) ocsp$ocsp_uri += http$uri_prefix; } From 61f7276c80c5ace581f3e040af04c5f876dcb105 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 31 Jul 2015 13:39:25 -0700 Subject: [PATCH 038/288] parse revocation time and reason in ocsp response --- src/file_analysis/analyzer/ocsp/OCSP.cc | 30 ++++++++++++++++-- .../ocsp.log | 13 ++++++++ testing/btest/Traces/tls/ocsp-revoked.pcap | Bin 0 -> 12864 bytes .../base/protocols/ssl/ocsp-revoked.test | 4 +++ 4 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-revoked.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d0b1a62f90..df0dbc5599 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -411,7 +411,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_BASICRESP *basic_resp = NULL; OCSP_RESPDATA *resp_data = NULL; OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; + OCSP_SINGLERESP *single_resp = NULL; + OCSP_REVOKEDINFO *revoked_info = NULL; //OCSP_CERTSTATUS *cst = NULL; //OCSP_REVOKEDINFO *rev = NULL; @@ -495,8 +496,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + string revoke_reason = ""; + string revoke_time = ""; + + //add revocation time and reason if it is revoked + if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + { + revoked_info = single_resp->certStatus->value.revoked; + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); + if (len > 0) + revoke_time.assign((const char *)buf, len); + + if (revoked_info->revocationReason) + { + long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); + revoke_reason = OCSP_crl_reason_str(l); + } + } + if (revoke_time.length() > 0) + cert_status_str += " " + revoke_time; + if (revoke_reason.length() > 0) + cert_status_str += " " + revoke_reason; + + single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); //thisUpdate len = -1; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log new file mode 100644 index 0000000000..8876f251e7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-31-20-35-18 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST +#close 2015-07-31-20-35-18 diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a2cd4509ad0a13b4636fc54488c2b76f452344c4 GIT binary patch literal 12864 zcmeI2dpuO>AIHxb<2I5@g}*Ou?n%k@S)gVPt~!;7;?eD%l{1R;^-kB~`96y(i>m+(9)C#ML>XPd?3US=;J zkd=^02;zj;Dy)cyR7giWbGz(b1oex(m2K3gG^sDnJ3_U%BT z=Ugvu%m#Dw_V%=)TH~q|=LnvF!xLC}uZrZbFm_~Q7&nM5;70IlB7&kKt@xak(VQrO z_&N^`ZSZK1{dJ7@mcsxTvSzUQy9Qm$k@z`c-pLnytnZsaYwxLR*SWAr}BTEU6V&yuCQ7jKm zUmTsFjy5Ts?TrkG^Hnf{?;!EzbYYnicF#o+H`q-AJGJZ#J(V7 zG#tm~&Qhg#ariMDJ`3Y5d**99~dFFqgNCg#~hXZ2l_nL3U6m#|jQKKO&5Ug|p+V*vmMRnN%v1O2;j+$ml>Y z=$05S!m5`N!4J2@!lR=EVEAL$VccN00Nme$4NlAk><}&|n1y*qb1X4C%sn~`JRg;b zQEgc?dlsF6xz6@hrOb$n2WS@N!sl9IbgCFe z!&%^){_!FpoyQ4+Ny);3!XjWWK;{V*=7KqqEmUv=KTa3t3rZF$Fu^G*o_H)ri#)Q^ z$UmKTxNT~;(tG3ftit2j40m-MHK-Z4!|kZHGp7Yu3$!ve`8lp~D5XA)H*VG;<;{upa{2@NrT*>H18&I{w~X_O4%k)gU67qEBrnB< zWIu2$!i929*>WV5L{c|pG-T8-e{??j)i<-bD<4knA37Cz1dpYvfWjm;Rs?Q_$#PpxCy*K zZiJ!e0_QMxR1`+XW-P$GygV@HshAb!O2@}&s}c!jixXcy@K-91GiY?C1Jl6=cc9wg z%wCrDKd`X5&R(9_JPs@b!5ls=M921jOq9qFH3XcekYK93PjlR{F}9d~ttup~V3IJ& z<2Tba%JWv{#%o?ZQiJk+(-5tvx)Z~C9tgjx`}OGNsbwL%+P}MTaKxrDB}iWMwKD4$ zNu#u;P>UaU$K6yl&fImUqTTn;QuVW`O7#t!9kf!e+rK)R(i)+?Gn3uspPH(5#rPKG zyx9|)!W+kPN_xeShm*H_FXRO#mH19PmAb?H;*stJ=hJvP1-nxg8}PfCN4J)G-g{Pf zp;@ln(fxJK{5QoLOkSUFo!afTgO(7-k0$U3-Ig3NW0$UKALH)v2o&uh zlW+v*!QU|QGMs}4DX1(>azm5e%s>^j<#2D1p-R0=CkfTk4HXC?SvEGYv9Z=sAmgJ2 zq1HhW;Wj~$QMkG2IubrcS0BSZaV6QGn{_?$);fC^u zlG+cgW=tu}%1>?Po_y`{YTV`JyorUnV^)g-8?3t+h+A7 zmj-(6{4MhgbwVp_JuHM~TU;#HtzFA6|6BWR#{FSucO+%`WOjvUk#FA5Xnf#pcgc9H z@Vj}9hB+e**>|j4FEh>@o9kk6boi24FZQ{ckW$C5IB;oo{EM;MdkRi2pKWE8zqfq6 zzG~~T#-?=n$h|Nl^Fc-q(h~X-Eg@}S1GhN3qpH*nw1n^E()t=Wb8mW`2?mLG2PgUw zM5;9LY%FMe)X|C3M3ReGqvWhX7+ESrE46yytT`J?%o+`}2{}D*)lKKo{jWt6xi8AgAo@ZwgG?`3(xl%47pY@St_2g495KSH9t`ST?HD9N>IQ0tP2?P zS&-gmFnECc>1^tXCp4=`XjTDq8Z;QRm7=)DLo$qlTAT792BT{|BywD25`n?E&^nO# zB^r#$j59YGTT8|naE)U&U)dznU`)?=rrP5uARoM?=j3-pt^`JAiyTE1YpGFWoC<;& zcW7+CjDw>{1EW|AGY-!YW!zU_1mhubu7wKH0t^N`B#H8Mr-C6duYV2?AR7NAB4$G3 zmu@gb73;UAjK-;j8G9AXY`$ z*1)}^UsrDRyrrFctbk=YivyE&+X8k6&D^59d%jnaNf8T9e$Vs^a^Zms8*9!@-&_!M8TBz$S9-~J(kF=R0Q$zc3TI{+*H22lBDfpr}o zl9it{`4k6M{(S9$Yf1K>#99J;iLS1w^6!F`f5>1A84QuZC4P0&e zn(RM8OW0-MCTifSK}(nkllAf7#6*HPOq!VU5HvoT6HEsXcR`|q<)9jc1W`pMQ3DW7 zq>113BT7yvgmEf_XwD1=PNO2?aGC>PM8eEL|H2jT8xu*W1_RG!jp3 zEUl3?L;Tb-G%h1Fj*-yV2sB=Y4Wt>^_<*|sU{v;iNnZ^$E?=WEh-HZ`f*M<|iZm`j zJTGkz@PgI^S{Cvgv9SQeMtHu@vNUcJlcluEvMdWa^i017bZ=-`E^ii-f!<PkuLC(y=1F`-k=GQ`Tj;S-{A=KPZm1)F?90i7?}q z&+3I$vu(T5j;zbW-qoZV6TH|$D)5JmIbHdbjIh{6OqVbk!4}h>~SWO z&afvei?Z0Ve7v*Rve4{lIMa?U+p_#>I_vuyIlXd9c%I`{v!hcJ0zLBfKW}s1m-B1B zX0CG`SFMI_JbiTA^<|@8#)ndFU!9}&ROL$2!HpqaRZpAVZ66zer#s$eous8we1|97 zPX4YZI~8L}+@WLaPd-waB)5cm#wNG=K_ z0Xi9$@KEJ}CET);SQMc5*f6k!|4S1zWLbtRi^#I<2O0Tk%Mx8eG;p;8Tf(LK9eS3X za8G1{s3o+RPOmf7fI0qnaN-GqSR+leu?3Bfx@k^dOK35pk2vwgpc+pS#A`B%Uy*l{9#=8+em0u0Q4$oS?XOyaSecE7=^ch_-V^h6ab0)LSzzwW%2(QSD=v~ zeudCK(()W>RS+uTP-1~>&gB{72lr9#YJ(&d~3AjN(<8aesk*H)xVUoWU-OML-%L?oC9HM<9dXAxV_K#m$Dq_tRt&!FuN( zB_cLM;umjO?3pw>=D*!#A+}HK#cy8WwExbsfY-g4OcrkU-|Vu`doTJwzQ$#bgDsHH zVp$}zSY%nKR68n_P6L}K@HH+}WLf&|+~2ZLZJFTRGMT$9iTMT-+9)mY<|9US#QA6X zkpqQ-%onQ+&tABh>1lS=z3koL4WlfVhyP$76ZqW8@@~uU?Lo#e3U~tJU2CKKw8E4e{M zkX%Mc)3`swWu)ikz-2_hCl)5KjGTTZT1KA0Wn}2ZF!(y_(2HTcFNVSVA^~F!vlSka z`GqjJIYi^rI559r5{Uc)cA(a3V17ZOQ9q)LIlw07fTcu}3Fbgd0%)Z)Yl8>OfhUm2 z9-J6R5G`a76Txd-nzd{Zu^Y@Pf>`p?piiAkJoQ6~r%nV<4O(losb-Vtsh@#a)%_o| C*fs0` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test new file mode 100644 index 0000000000..3b3bf0a61b --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -0,0 +1,4 @@ +# This tests a OCSP request missing response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From 1abd41c413e054bb21b7343d94c1621b48fa7cbc Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 31 Jul 2015 13:50:48 -0700 Subject: [PATCH 039/288] copy paste error --- testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index 3b3bf0a61b..1125484cdf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -1,4 +1,4 @@ -# This tests a OCSP request missing response +# This tests OCSP response with revocation # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log From ce47024dd966dae8a59e3ec775ce89291c06cebf Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 16:00:55 -0700 Subject: [PATCH 040/288] simplify some code --- src/file_analysis/analyzer/ocsp/OCSP.cc | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index df0dbc5599..340838eb1a 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -413,9 +413,7 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_RESPID *resp_id = NULL; OCSP_SINGLERESP *single_resp = NULL; OCSP_REVOKEDINFO *revoked_info = NULL; - - //OCSP_CERTSTATUS *cst = NULL; - //OCSP_REVOKEDINFO *rev = NULL; + OCSP_CERTSTATUS *cert_status = NULL; RecordVal *ocsp_resp_record = NULL; VectorVal *all_resp_bro = NULL; @@ -496,24 +494,22 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - string revoke_reason = ""; - string revoke_time = ""; + cert_status = single_resp->certStatus; + std::string cert_status_str = OCSP_cert_status_str(cert_status->type); + std::string revoke_reason = ""; + std::string revoke_time = ""; //add revocation time and reason if it is revoked - if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) { - revoked_info = single_resp->certStatus->value.revoked; + revoked_info = cert_status->value.revoked; len = -1; len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); if (len > 0) revoke_time.assign((const char *)buf, len); if (revoked_info->revocationReason) - { - long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); - revoke_reason = OCSP_crl_reason_str(l); - } + revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); } if (revoke_time.length() > 0) cert_status_str += " " + revoke_time; From 1989f34a0af7b9a10a2ea8e2f05c8b65e7c89795 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 19:35:43 -0700 Subject: [PATCH 041/288] add parsing certificates in OCSP responses --- scripts/base/init-bare.bro | 1 + src/file_analysis/analyzer/ocsp/OCSP.cc | 26 ++++++++++++++++++- .../.stdout | 1 + .../protocols/ssl/ocsp-response-cert.test | 15 +++++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 0a07685fa5..11e5232d95 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3003,6 +3003,7 @@ export { #responseExtensions:xxx signatureAlgorithm: string &log &optional; signature: string &optional; #&log; + certs: vector of opaque of x509 &optional; }; type CertId: record { hashAlgorithm: string &log &optional; diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 340838eb1a..d54f1f345b 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -15,6 +15,16 @@ #include #include +// helper function of sk_X509_value to avoid namespace problem +// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) +// X509 => file_analysis::X509 +X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) + { + return sk_X509_value(certs, i); + } + +#include "file_analysis/analyzer/x509/X509.h" + using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); @@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) { if (resp_val == NULL) return NULL; - OCSP_RESPONSE *resp = NULL; OCSP_RESPBYTES *resp_bytes = NULL; OCSP_CERTID *cert_id = NULL; @@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) if (len > 0) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } + //certs + if (basic_resp->certs) + { + VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + int num_certs = sk_X509_num(basic_resp->certs); + for (i=0; icerts, i)); + //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); + if (this_cert) + certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); + else + reporter->Weird("OpenSSL returned null certificate"); + } + ocsp_resp_record->Assign(8, certs_vector); + } clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout new file mode 100644 index 0000000000..b6a95f4f0c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout @@ -0,0 +1 @@ +[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test new file mode 100644 index 0000000000..5ed2bf3253 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test @@ -0,0 +1,15 @@ +# This tests OCSP response containing a certificate + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) +{ +if (resp?$certs) + { + for (x in resp$certs) + { + print x509_parse(resp$certs[x]); + } + } +} \ No newline at end of file From d45558d2a18dce0b1aafe592beaaef226c896577 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 21:44:52 -0700 Subject: [PATCH 042/288] log the number of certs in OCSP response --- scripts/base/files/ocsp/main.bro | 5 +++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1362330cf1..3474e3a797 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -67,6 +67,8 @@ export { responderID: string &log &optional; ## producedAt producedAt: string &log &optional; + ## certificates + certs: vector of opaque of x509 &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -340,6 +342,9 @@ function update_response_info(rec: Info_resp, resp: OCSP::Response) if ( resp?$producedAt ) rec$producedAt = resp$producedAt; + + if ( resp?$certs ) + rec$certs = resp$certs; } function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 7f743e6594..0efad933c9 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -85,6 +85,9 @@ export { ## user_agent user_agent: string &log &optional; + + ## number of certificates in response + resp_certs_num: count &log &default=0; }; type Issuer_Name_Type: record { @@ -466,6 +469,8 @@ function start_log_ocsp(rec: OCSP::Info) { info_ocsp_rec$resp = rec$resp; info_ocsp_rec$resp_ts = rec$resp$ts; + if ( rec$resp?$certs ) + info_ocsp_rec$resp_certs_num = |rec$resp$certs|; } if ( rec?$req && rec?$resp ) From cdc812074c9994fba5c91c418d12ddd6494284f2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 19 Aug 2015 11:38:34 -0700 Subject: [PATCH 043/288] fix data structure recursion --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 39 +++++++++++++------ 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 0efad933c9..8f10745066 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -163,8 +163,11 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection used to get num_ocsp and connection start time - conn: connection &optional; + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; }; # add additional information to ssl info @@ -215,32 +218,44 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { if ( ! f?$http ) return; - # check if there is a OCSP GET request + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + # check if there is a OCSP GET request if ( f$http?$method && f$http$method == "GET" ) - f$http$conn$num_ocsp += 1; + f$conns[cid]$num_ocsp += 1; } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) { if ( ! f?$http ) return; - f$http$conn$num_ocsp += 1; + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + f$conns[cid]$num_ocsp += 1; } event http_reply (c: connection, version: string, code: count, reason: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } # record the header length @@ -252,6 +267,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$request_header_len = stat$header_length; else c$http$response_header_len = stat$header_length; + c$http$num_ocsp = c$num_ocsp; } # add server hello time @@ -382,7 +398,8 @@ function clean_bug_uri(uri: string, host: string): string function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - ocsp$num_ocsp = http$conn$num_ocsp; + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; if ( http?$method ) ocsp$method = http$method; @@ -454,7 +471,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn$start_time]; + $conn_start_ts = http$conn_start_ts]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; From c93a9fbebdab2386c16b49af0e0c88381eaaf69a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 8 Dec 2015 14:55:50 -0800 Subject: [PATCH 044/288] Log only local-originated IPs. --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f10745066..33085f79db 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -494,6 +494,10 @@ function start_log_ocsp(rec: OCSP::Info) info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; update_http_info(info_ocsp_rec, http); + + if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) + return; + Log::write(LOG_OCSP, info_ocsp_rec); } @@ -564,6 +568,10 @@ event connection_state_remove(c: connection) &priority= -20 if (|cert_recv_ts_str| > 0) ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); + + if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) + return; + Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; } From d92fd52b35a907924e85a7413d37ae9393a18394 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 14 Dec 2015 16:06:31 -0800 Subject: [PATCH 045/288] Remove measurement scripts --- .../policy/protocols/ssl/ocsp-measurement.bro | 481 -------------- .../policy/protocols/ssl/ocsp-ssl-split.bro | 585 ------------------ 2 files changed, 1066 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro delete mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro deleted file mode 100644 index b883a36fdc..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ /dev/null @@ -1,481 +0,0 @@ -#! Match OCSP request and response to SSL connection for performance analysis - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_MEASUREMENT; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## for 1st request, this is the time between first TCP - ## SYN and resp_ts; for the rest of the requests in - ## the same connection, this is the time btween req_ts - ## and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## OCSP host, this is host in HTTP request - host: string &log; - - ## OCSP uri, this is uri in HTTP request - uri: string &log; - - ## number of HTTP request containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain several OCSP requests - num_ocsp: count &log &optional; - - ## the time when the corresponding certificate is - ## received - cert_recv_ts: time &log &optional; - - ## SSL connection uid - ssl_cuid: string &log &optional; - - ## SSL connection id - ssl_cid: conn_id &optional; - - ## the time when client receives change cipher message - ## from server - ssl_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - ssl_establish_ts: time &log &optional; - - ## the time when event connection_state_remove happens - ssl_end_ts: time &log &optional; - }; - - ## a group of constant string for hash algorithm - ## to save memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); - - ## Event from a worker to the manager that it has encountered - ## an OCSP response - global new_ocsp_info: event(c: connection) &redef; - - ## Event from the manager to the workers that a new OCSP info - ## is to be added. - global ocsp_info_add: event(c: connection); -} - -## - map to OCSP_MEASUREMENT::Info -## - indexed by hash algorithm(string), source ip(addr), ocsp -## uri(string), issuer name hash(string), serialNumber(string) -## - is it possible server sends two same certificate? To be -## safe, let's use a queue to store OCSP_MEASUREMENT::Info -global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; - -# track number of ocsp requests in this connection -redef record connection += { - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## OCSP file id - ocsp_request_fuid: string &optional; - ocsp_response_fuid: string &optional; - - ## OCSP request and response timestamp - ocsp_request_ts: time &optional; - ocsp_response_ts: time &optional; - - ## store OCSP requests and responses - ocsp_request: OCSP::Request &optional; - ocsp_response: OCSP::Response &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - connection_start_ts: time &optional; - - ## client hello time - client_hello_ts: time &optional; - - ## ssl connection establish time - ssl_establish_ts: time &optional; - - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - - ## - the time when a cert is received AND the cert has ocsp - ## extension - ## - the 2nd level table indexed by source ip(addr), ocsp - ## uri(string), issuer name hash(string), serialNumber - ## (string) - ## - the 1st level table indexed by different hash algorithm - ## for issuer name hash - ## - is it possible a server sends two same certificate? To be - ## safe, let's use a queue to store the time - cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; -}; - -# set up cluster event -@if ( Cluster::is_enabled() ) -@load base/frameworks/cluster -redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; -redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; -@endif - -# get all the requests in one HTTP request -function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue - { - local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); - if ( http?$ocsp_request && http$ocsp_request?$requestList ) - { - local req = http$ocsp_request; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - if (cert_id !in pending_requests) - pending_requests[cert_id] = Queue::init(); - - Queue::put(pending_requests[cert_id], req_rec); - } - } - return pending_requests; - } - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -# fill in OCSP/HTTP information -function fill_ocsp_info(c: connection) - { - local http: HTTP::Info = c$http; - - # get all the requests which will be matched to response later - local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); - - # get all the responses and match them to the requests - if ( http?$ocsp_response && http$ocsp_response?$responses ) - { - local resp = http$ocsp_response; - for (x in resp$responses) - { - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, - $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, - $conn_start_ts = c$start_time, - $host = http$host, - $uri = http$uri, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, - $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; - if (cert_id in pending_requests) - { - # find a match - local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; - ocsp_info$req_ts = req_rec$ts; - ocsp_info$num_ocsp = c$num_ocsp; - - if (c$num_ocsp == 1) - ocsp_info$delay = ocsp_info$resp$ts - c$start_time; - else - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_requests[cert_id]) == 0) - delete pending_requests[cert_id]; #if queue is empty, delete it? - } - - # add to ocsp map - local full_uri: string = clean_uri(http$host + http$uri); - local h = cert_id$hashAlgorithm; - local src_ip: addr = c$id$orig_h; - - if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) - ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - - Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); - } - - } - } - -# work event -@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) -event OCSP_MEASUREMENT::ocsp_info_add(c: connection) - { - fill_ocsp_info(c); - } -@endif - -# manager event -@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) -event OCSP_MEASUREMENT::new_ocsp_info(c: connection) - { - event OCSP_MEASUREMENT::ocsp_info_add(c); - } -@endif - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) - return; - - if ( is_orig ) - { - c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } - else - { - c$http$response_header_len = stat$header_length; - # here, a http request-response is done - # if any ocsp info is present, put it in ocsp_map -@if ( ! Cluster::is_enabled() ) - fill_ocsp_info(c); -@endif - -@if ( Cluster::is_enabled() ) - # send this ocsp info to manager and manager will send - # it to all the workder - event OCSP_MEASUREMENT::new_ocsp_info(c); -@endif - } - } - -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( !f?$http ) - return; - f$http$ocsp_request = req; - f$http$ocsp_request_ts = network_time(); - f$http$ocsp_request_fuid = f$id; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( !f?$http ) - return; - f$http$ocsp_response = resp; - f$http$ocsp_response_ts = network_time(); - f$http$ocsp_response_fuid = f$id; - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$connection_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - return; - c$ssl$change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$ssl_establish_ts = network_time(); - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if (!ext?$name || ext$name != "Authority Information Access") - return; - - if ( !f?$info || !f$info?$x509 || !f$info$x509?$handle || !f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection - local c: connection; - # there should be only one loop - for ( id in f$conns ) - c = f$conns[id]; - - if ( !c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - local source_ip: addr = c$id$orig_h; - - local issuer_name: table[string] of string; - # loop through each hash algorithm - for (i in hash_algorithm) - { - local h: string = hash_algorithm[i]; - issuer_name[h] = x509_issuer_name_hash(cert_ref, h); - - # if given hash algorithm is not in record, create a new table - if ( h !in c$ssl$cert_ts ) - c$ssl$cert_ts[h] = table(); - - # if given index is not in record, create a new queue - if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) - c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); - - # put the timing information in the queue of ssl info - Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); - } - } - -# log information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! c$ssl?$cert_ts ) - return; - - for (i in hash_algorithm) - { - local h = hash_algorithm[i]; - for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) - { - if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) - { - # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; - local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; - ocsp_info$cert_recv_ts = cert_recv_ts; - ocsp_info$ssl_cuid = c$uid; - ocsp_info$ssl_cid = c$id; - ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; - ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; - ocsp_info$ssl_end_ts = network_time(); - Log::write(LOG, ocsp_info); - } - } - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); - } diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro deleted file mode 100644 index 33085f79db..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ /dev/null @@ -1,585 +0,0 @@ -#! log OCSP request, response and related HTTP information -#! log SSL connection which has cert with OCSP uri - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_SSL_SPLIT; - -export { - redef enum Log::ID += { LOG_OCSP }; - redef enum Log::ID += { LOG_SSL }; - - type Info_OCSP: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection id - cid: conn_id &log; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## the time between req_ts and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## HTTP method - method: string &log &optional; - - ## host in HTTP request + uri in HTTP request - ## last '/' is removed - ## for GET request, OCSP request is remove from url - ocsp_uri: string &log &optional; - - ## number of HTTP requests containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain several OCSP requests; - ## this is copied from connection - num_ocsp: count &log &optional; - - ## the original_uri in HTTP request - original_uri: string &log &optional; - - ## host in HTTP request - host: string &log &optional; - - ## user_agent - user_agent: string &log &optional; - - ## number of certificates in response - resp_certs_num: count &log &default=0; - }; - - type Issuer_Name_Type: record { - sha1: string &log &optional; - sha224: string &log &optional; - sha256: string &log &optional; - sha384: string &log &optional; - sha512: string &log &optional; - }; - - type Info_SSL: record { - ## connection id - id: conn_id &log; - - ## uid - uid: string &log; - - ## connection start time - conn_start_ts: time &log &optional; - - ## client hello time - client_hello_ts: time &log &optional; - - ## server hello time - server_hello_ts: time &log &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &log &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - establish_ts: time &log &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &log &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &log &optional; - - ## the time when event connection_state_remove happens - end_ts: time &log &optional; - - ## the above are common information for SSL connection - ## the following is specific to an cert - - ## ocsp_uri - ocsp_uri: string &log &optional; - - ## serial_number - serial_number: string &log &optional; - - ## the time when the corresponding certificate is - ## received; formatted as: str(time),str(time) - cert_recv_ts: string &log &optional; - - ## issuer_name - issuer_name: Issuer_Name_Type &log &optional; - }; -} - -redef SSL::disable_analyzer_after_detection=F; - -redef record connection += { - ## track number of ocsp requests in this connection - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; - - ## connection start time, copied from connection - conn_start_ts: time &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - conn_start_ts: time &optional; - - ## the time when client hello event happens - client_hello_ts: time &optional; - - ## server hello time - server_hello_ts: time &optional; - - ## the time when ssl connection is established - establish_ts: time &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &optional; - - ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string) - cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &optional; -}; - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - if ( s_len == 0 ) - return s; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" ) - f$conns[cid]$num_ocsp += 1; - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - f$conns[cid]$num_ocsp += 1; - } - -event http_reply (c: connection, version: string, code: count, reason: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( ! c?$http ) - return; - if ( is_orig ) - c$http$request_header_len = stat$header_length; - else - c$http$response_header_len = stat$header_length; - c$http$num_ocsp = c$num_ocsp; - } - -# add server hello time -event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 - { - c$ssl$server_hello_ts = network_time(); - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$conn_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - c$ssl$client_change_cipher_ts = network_time(); - else - c$ssl$server_change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$establish_ts = network_time(); - } - -# add time when first encrypted application data is sent from client -event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) - { - if ( ! c?$ssl ) - return; - - if ( content_type == SSL::APPLICATION_DATA && length > 0 ) - { - if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); - else if ( ! is_orig && ! c$ssl?$server_first_encrypt_ts ) - c$ssl$server_first_encrypt_ts = network_time(); - } - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if ( ! ext?$name || ext$name != "Authority Information Access") - return; - - if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection TODO:TOCHECK - local c: connection; - # there should be only one loop? - for ( id in f$conns ) - c = f$conns[id]; - - if ( ! c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - - local issuer_name: Issuer_Name_Type; - issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); - issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); - issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); - issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); - issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); - - # if given index is not in record, create a new queue - if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) - c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); - - # put the timing information in the queue - Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); - } - -function clean_bug_host(host: string): string - { - local s: string = host; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - return s; - } - -function clean_bug_uri(uri: string, host: string): string - { - local s: string = uri; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - - if ( |host| > 0 && s[0:|host|] == host ) - s = s[|host|:]; - - return s; - } - -function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) - { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; - - if ( http?$method ) - ocsp$method = http$method; - - if ( http?$user_agent ) - ocsp$user_agent = http$user_agent; - - if ( http?$original_uri ) - ocsp$original_uri = http$original_uri; - - local host_str: string = ""; - if ( http?$host ) - host_str = clean_bug_host(http$host); - - local uri_str: string = ""; - if ( http?$uri) - { - if (http?$host) - uri_str = clean_bug_uri(http$uri, host_str); - else - uri_str = clean_bug_uri(http$uri, ""); - } - - if ( http?$host ) - { - ocsp$host = host_str; - ocsp$ocsp_uri = host_str; - } - - if ( http?$uri ) - { - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += uri_str; - else - ocsp$ocsp_uri = uri_str; - } - - if ( http?$method && http$method == "GET" && http?$uri_prefix ) - { - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri = ""; - if ( http?$host ) - ocsp$ocsp_uri = host_str; - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri += http$uri_prefix; - } - - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - - if ( http?$status_code ) - ocsp$http_code = http$status_code; - - if ( http?$request_body_len ) - ocsp$req_size = http$request_body_len; - - if ( http?$request_header_len ) - ocsp$req_hdr_size = http$request_header_len; - - if ( http?$response_body_len ) - ocsp$resp_size = http$response_body_len; - - if ( http?$response_header_len ) - ocsp$resp_hdr_size = http$response_header_len; - } - -function start_log_ocsp(rec: OCSP::Info) - { - local http: HTTP::Info = rec$http; - local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; - - if ( rec?$certId ) - info_ocsp_rec$cert_id = rec$certId; - - if ( rec?$req ) - { - info_ocsp_rec$req = rec$req; - info_ocsp_rec$req_ts = rec$req$ts; - } - - if ( rec?$resp ) - { - info_ocsp_rec$resp = rec$resp; - info_ocsp_rec$resp_ts = rec$resp$ts; - if ( rec$resp?$certs ) - info_ocsp_rec$resp_certs_num = |rec$resp$certs|; - } - - if ( rec?$req && rec?$resp ) - info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - - update_http_info(info_ocsp_rec, http); - - if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) - return; - - Log::write(LOG_OCSP, info_ocsp_rec); - } - -# log OCSP information -event OCSP::log_ocsp(rec: OCSP::Info) - { - start_log_ocsp(rec); - } - -# update ssl info -function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) - { - if ( ssl?$conn_start_ts ) - ssl_rec$conn_start_ts = ssl$conn_start_ts; - - if ( ssl?$client_hello_ts ) - ssl_rec$client_hello_ts = ssl$client_hello_ts; - - if ( ssl?$client_first_encrypt_ts ) - ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; - - if ( ssl?$server_first_encrypt_ts ) - ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; - - if ( ssl?$server_hello_ts ) - ssl_rec$server_hello_ts = ssl$server_hello_ts; - - if ( ssl?$establish_ts ) - ssl_rec$establish_ts = ssl$establish_ts; - - if ( ssl?$client_change_cipher_ts ) - ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; - - if ( ssl?$server_change_cipher_ts ) - ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; - } - -# convert all the elements in the queue to a formatted string -function convert_time_q2str(q: Queue::Queue, sep: string): string - { - local s = ""; - local elem: vector of time = vector(); - Queue::get_vector(q, elem); - for ( i in elem ) - { - s += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - s += sep; - } - return s; - } - -# log SSL information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! c$ssl?$cert_ts ) - return; - - for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) - { - local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, - $uid = c$uid, - $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; - ssl_info_rec$serial_number = serial_number; - ssl_info_rec$issuer_name = issuer_name; - local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); - if (|cert_recv_ts_str| > 0) - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; - update_ssl_info(ssl_info_rec, c$ssl); - - if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) - return; - - Log::write(LOG_SSL, ssl_info_rec); - #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; - } - clear_table(c$ssl$cert_ts); - } - -event bro_init() - { - Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); - Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); - } From 6fa9540e47f91d0e494371140f6ba3cf4f2cf891 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 14 Oct 2016 14:10:40 -0500 Subject: [PATCH 046/288] Fix istate.pybroccoli test on systems using Python 3 Filter out the python 2 "L" suffix on long integers (not valid in Python 3), and change python 3 "object at" to "instance at" when printing class instances. --- testing/btest/istate/pybroccoli.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py index 9f26efca31..7600c2b7d4 100644 --- a/testing/btest/istate/pybroccoli.py +++ b/testing/btest/istate/pybroccoli.py @@ -8,8 +8,8 @@ # @TEST-EXEC: btest-bg-wait -k 20 # @TEST-EXEC: btest-diff bro/.stdout # -# @TEST-EXEC: sed 's/instance at [^>]*>/instance at >/' python/.stdout.filtered -# @TEST-EXEC: btest-diff python/.stdout.filtered +# @TEST-EXEC: sed -e 's/instance at [^>]*>/instance at >/' -e 's/object at [^>]*>/instance at >/' python/.stdout.filtered +# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -e 's/^\([-]*[0-9][0-9]*\)L/\1/' | $SCRIPTS/diff-remove-timestamps" btest-diff python/.stdout.filtered event remote_connection_closed(p: event_peer) { From 24f74cb52e4020703f47cd35769e08dd54098a1c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 14 Oct 2016 15:33:43 -0700 Subject: [PATCH 047/288] Fix alignment issue of ones_complement_checksum The ones_complement_checksum function assumes that the bytes passed into it are aligned on 16 bit boundaries. When using gcc (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2) with -O2, this does not seem to hold true anymore; assuming 16 bit alignment will lead to accesses to uninitialized memory and wrong checksums. This commit adds a minimally invasive change that does not assume alignment anymore. This might have a small performance impact for every single packet we process. This error occured reproducibly when called from icmp6_checksum. --- src/net_util.cc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/net_util.cc b/src/net_util.cc index 677a869cc5..0f1493e190 100644 --- a/src/net_util.cc +++ b/src/net_util.cc @@ -18,13 +18,16 @@ // Returns the ones-complement checksum of a chunk of b short-aligned bytes. int ones_complement_checksum(const void* p, int b, uint32 sum) { - const u_short* sp = (u_short*) p; // better be aligned! + const unsigned char* sp = (unsigned char*) p; b /= 2; // convert to count of short's /* No need for endian conversions. */ while ( --b >= 0 ) - sum += *sp++; + { + sum += *sp + ( *(sp+1) << 8 ); + sp += 2; + } while ( sum > 0xffff ) sum = (sum & 0xffff) + (sum >> 16); From 303985e7dbef9c378dc24d2844206ba95fb1a0c6 Mon Sep 17 00:00:00 2001 From: balintm Date: Mon, 17 Oct 2016 10:18:09 +0100 Subject: [PATCH 048/288] Update smb1-com-open-andx.pac # of bytes in reserved field of request is 4 & response is 6B long. --- src/analyzer/protocol/smb/smb1-com-open-andx.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/smb/smb1-com-open-andx.pac b/src/analyzer/protocol/smb/smb1-com-open-andx.pac index 8f19f6f3a4..c7e7bea03a 100644 --- a/src/analyzer/protocol/smb/smb1-com-open-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-open-andx.pac @@ -52,7 +52,7 @@ type SMB1_open_andx_request(header: SMB_Header, offset: uint16) = record { open_mode : uint16; allocation_size : uint32; timeout : uint32; - reserved : padding[2]; + reserved : padding[4]; byte_count : uint16; filename : SMB_string(header.unicode, offsetof(filename); @@ -74,7 +74,7 @@ type SMB1_open_andx_response(header: SMB_Header, offset: uint16) = record { resource_type : uint16; nm_pipe_status : uint16; open_results : uint16; - reserved : padding[3]; + reserved : padding[6]; byte_count : uint16; extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters))); From 5cf2320fbc3ebb0d53e431829d2c9c56fdf6f08b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Oct 2016 13:48:17 -0700 Subject: [PATCH 049/288] Fix a couple of problems with signature matching. - IPv4 CIDR specifications didn't work with dst-ip/src-ip. - The "payload-size" condition was unreliable with UDP traffic. --- src/RuleCondition.cc | 4 +++ src/RuleMatcher.cc | 6 ++--- src/RuleMatcher.h | 1 + src/rule-parse.y | 6 ++--- .../Baseline/signatures.dst-ip-cidr-v4/output | 6 +++++ .../signatures.udp-payload-size/output | 6 +++++ testing/btest/Traces/ntp.pcap | Bin 0 -> 1296 bytes testing/btest/signatures/dst-ip-cidr-v4.bro | 17 +++++++++++++ testing/btest/signatures/udp-payload-size.bro | 23 ++++++++++++++++++ 9 files changed, 63 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/signatures.dst-ip-cidr-v4/output create mode 100644 testing/btest/Baseline/signatures.udp-payload-size/output create mode 100644 testing/btest/Traces/ntp.pcap create mode 100644 testing/btest/signatures/dst-ip-cidr-v4.bro create mode 100644 testing/btest/signatures/udp-payload-size.bro diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 40ef5f0ad1..9df70f118b 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -89,6 +89,10 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state, // on the pure rules now. return false; + if ( state->PayloadSize() == 0 ) + // We are interested in the first non-empty chunk. + return false; + uint32 payload_size = uint32(state->PayloadSize()); switch ( comp ) { diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index c88bb77a4f..3ee7306fb5 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -144,7 +144,7 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h) void RuleHdrTest::PrintDebug() { static const char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" }; - static const char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" }; + static const char* str_prot[] = { "", "ip", "ipv6", "icmp", "icmpv6", "tcp", "udp", "next", "ipsrc", "ipdst" }; fprintf(stderr, " RuleHdrTest %s[%d:%d] %s", str_prot[prot], offset, size, str_comp[comp]); @@ -1095,10 +1095,10 @@ void RuleMatcher::ExecRule(Rule* rule, RuleEndpointState* state, bool eos) void RuleMatcher::ClearEndpointState(RuleEndpointState* state) { - state->payload_size = -1; - ExecPureRules(state, 1); + state->payload_size = -1; + loop_over_list(state->matchers, j) state->matchers[j]->state->Clear(); } diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index b16a1556f9..23b7e6d731 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -72,6 +72,7 @@ extern uint32 id_to_uint(const char* id); class RuleHdrTest { public: + // Note: Adapt RuleHdrTest::PrintDebug() when changing these enums. enum Comp { LE, GE, LT, GT, EQ, NE }; enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst }; diff --git a/src/rule-parse.y b/src/rule-parse.y index 32ada02cb3..3e9c8d7ddf 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y @@ -14,7 +14,7 @@ extern void end_PS(); Rule* current_rule = 0; const char* current_rule_file = 0; -static uint8_t mask_to_len(uint32_t mask) +static uint8_t ip4_mask_to_len(uint32_t mask) { if ( mask == 0xffffffff ) return 32; @@ -23,7 +23,7 @@ static uint8_t mask_to_len(uint32_t mask) uint8_t len; for ( len = 0; len < 32 && (! (x & (1 << len))); ++len ); - return len; + return 32 - len; } %} @@ -315,7 +315,7 @@ prefix_value: TOK_IP { $$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host), - mask_to_len($1.mask)); + ip4_mask_to_len($1.mask)); } | TOK_IP6 ; diff --git a/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output b/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output new file mode 100644 index 0000000000..eb07f77921 --- /dev/null +++ b/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output @@ -0,0 +1,6 @@ +match, foo +match, foo +match, foo +match, foo +match, foo +match, foo diff --git a/testing/btest/Baseline/signatures.udp-payload-size/output b/testing/btest/Baseline/signatures.udp-payload-size/output new file mode 100644 index 0000000000..2ae3bbde9f --- /dev/null +++ b/testing/btest/Baseline/signatures.udp-payload-size/output @@ -0,0 +1,6 @@ +match, foo2 +match, foo2 +match, foo2 +match, foo2 +match, foo2 +match, foo2 diff --git a/testing/btest/Traces/ntp.pcap b/testing/btest/Traces/ntp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cc80d04afdd329b9a8ed2b0bf10ea4e3e7345196 GIT binary patch literal 1296 zcmca|c+)~A1{MYcU}0bcaxzqzBHGH>8KQt}5N1$vG#1*#A{xXhC(gm(%D~{G_LqUd zL9lA^ffbDLf`3{5GE@Vhg;m321`d#Vg5dU=#V^W_aI68@G*OfTZWF`~hBm%%pH_B3{ZtFF$?FLzeris9s|B*@*AawGn0}h74)W8bA3#6VBK-991{OcPkg~`r z0QmuAGKlV-F!K3s2csP$Q$fkWB zOmLep{q+7W$WMuf1pi7Q#gpeNBtJR9;%Q@Ytt-$EV3R?#qIBm8FfH?tWf#zoutput +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE a.sig +signature foo { + dst-ip == 17.0.0.0/8 + ip-proto == udp + event "match" +} +@TEST-END-FILE + +event signature_match(state: signature_state, msg: string, data: string) + { + print "match", state$sig_id; + } + +@load-sigs ./a.sig diff --git a/testing/btest/signatures/udp-payload-size.bro b/testing/btest/signatures/udp-payload-size.bro new file mode 100644 index 0000000000..efc5411feb --- /dev/null +++ b/testing/btest/signatures/udp-payload-size.bro @@ -0,0 +1,23 @@ +# @TEST-EXEC: bro -r $TRACES/ntp.pcap %INPUT >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE a.sig +signature foo1 { + ip-proto == udp + payload-size < 1 + event "match" +} + +signature foo2 { + ip-proto == udp + payload-size > 0 + event "match" +} +@TEST-END-FILE + +event signature_match(state: signature_state, msg: string, data: string) + { + print "match", state$sig_id; + } + +@load-sigs ./a.sig From 3d1f35f85b71bdcb528ced0e0d40945c6337d0ec Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 20 Oct 2016 11:53:34 -0400 Subject: [PATCH 050/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index f944471bec..741f6aefce 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f944471bec062876aa18317f51b6fbe5325ca166 +Subproject commit 741f6aefce5758d7a62ac5be05f4c750afb5e463 From 99cd34f57d2fe2c86bfd831096a7d4ddcbf05d2d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 21 Oct 2016 09:33:04 -0500 Subject: [PATCH 051/288] Python 3 compatibility fix for coverage-calc script --- testing/scripts/coverage-calc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc index cc5253c75c..df12e0c86f 100755 --- a/testing/scripts/coverage-calc +++ b/testing/scripts/coverage-calc @@ -56,4 +56,4 @@ for k in stats: num_covered += 1 if len(stats) > 0: - print "%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100) + print("%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100)) From e4b620673b50469c72f794e174aa43c46d5751e5 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 24 Oct 2016 03:22:20 -0400 Subject: [PATCH 052/288] More DCE_RPC improvements. - The logic for fragment handling has been rewritten and should be correct now. - There are now tunables for fragment handling overflow situations. - DCE_RPC::max_cmd_reassembly and DCE_RPC::max_frag_data - They result in weirds and analyzer removal. - Memory leak fixed by unique_ptr auto cleanup. - DCE_RPC is now intolerate of content gaps and will stop analyzing traffic if content gaps happen (like most other analyzers currently). --- scripts/base/protocols/dce-rpc/consts.bro | 10 +++ src/analyzer/protocol/dce-rpc/CMakeLists.txt | 2 +- src/analyzer/protocol/dce-rpc/DCE_RPC.cc | 8 +++ src/analyzer/protocol/dce-rpc/DCE_RPC.h | 1 + src/analyzer/protocol/dce-rpc/consts.bif | 2 + .../protocol/dce-rpc/dce_rpc-protocol.pac | 65 +++++++++++++++---- src/analyzer/protocol/dce-rpc/dce_rpc.pac | 1 + 7 files changed, 76 insertions(+), 13 deletions(-) create mode 100644 src/analyzer/protocol/dce-rpc/consts.bif diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index 0cbb8a30b6..545828d776 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro @@ -2,6 +2,16 @@ module DCE_RPC; export { + ## The maximum number of simultaneous fragmented commands that + ## the analyzer will tolerate before the analyzer will generate + ## a weird and remove itself from the connection. + const max_cmd_reassembly = 20 &redef; + + ## The maximum number of fragmented bytes that will be tolerated + ## on a command before the analyzer will generate a weird and + ## remove itself from the connection. + const max_frag_data = 30000 &redef; + const uuid_endpoint_map: table[string] of string = { ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl", ["86d35949-83c9-4044-b424-db363231fd0c"] = "ITaskSchedulerService", diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt index 79ec16ada6..c7f9a940e0 100644 --- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt +++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro DCE_RPC) bro_plugin_cc(DCE_RPC.cc Plugin.cc) -bro_plugin_bif(types.bif events.bif) +bro_plugin_bif(consts.bif types.bif events.bif) bro_plugin_pac( dce_rpc.pac dce_rpc-protocol.pac diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc index e93a2541f7..f7a96fbb6e 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc @@ -16,6 +16,7 @@ using namespace analyzer::dce_rpc; DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection *conn) : tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { + had_gap = false; interp = new binpac::DCE_RPC::DCE_RPC_Conn(this); } @@ -41,6 +42,7 @@ void DCE_RPC_Analyzer::EndpointEOF(bool is_orig) void DCE_RPC_Analyzer::Undelivered(uint64 seq, int len, bool orig) { TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + had_gap = true; interp->NewGap(orig, len); } @@ -49,6 +51,12 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); + + if ( had_gap ) + // If only one side had a content gap, we could still try to + // deliver data to the other side if the script layer can handle this. + return; + try { interp->NewData(orig, data, data + len); diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index 714607f5e2..498e055e0a 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -29,6 +29,7 @@ public: { return new DCE_RPC_Analyzer(conn); } protected: + bool had_gap; binpac::DCE_RPC::DCE_RPC_Conn* interp; }; diff --git a/src/analyzer/protocol/dce-rpc/consts.bif b/src/analyzer/protocol/dce-rpc/consts.bif new file mode 100644 index 0000000000..68b052d84b --- /dev/null +++ b/src/analyzer/protocol/dce-rpc/consts.bif @@ -0,0 +1,2 @@ +const DCE_RPC::max_cmd_reassembly: count; +const DCE_RPC::max_frag_data: count; \ No newline at end of file diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 5fe9380422..14f8a6d8a5 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -37,7 +37,7 @@ type DCE_RPC_PDU(is_orig: bool) = record { # Subtract an extra 8 when there is an auth section because we have some "auth header" fields in that structure. body_length : int = header.frag_length - sizeof(header) - header.auth_length - (header.auth_length > 0 ? 8 : 0); frag_reassembled : bool = $context.flow.reassemble_fragment(header, frag); - body : DCE_RPC_Body(header) withinput $context.flow.reassembled_body(header, frag) &if(header.lastfrag); + body : DCE_RPC_Body(header) withinput $context.flow.reassembled_body(header, frag) &if(frag_reassembled); } &byteorder = header.byteorder, &length = header.frag_length; type NDR_Format = record { @@ -174,23 +174,65 @@ flow DCE_RPC_Flow(is_orig: bool) { flowunit = DCE_RPC_PDU(is_orig) withcontext(connection, this); %member{ - std::map fb; + std::map> fb; %} # Fragment reassembly. function reassemble_fragment(header: DCE_RPC_Header, frag: bytestring): bool %{ - if ( ${header.firstfrag} && !${header.lastfrag} && - fb.count(${header.call_id}) == 0 ) - fb[${header.call_id}] = new FlowBuffer(); + if ( ${header.firstfrag} ) + { + if ( ${header.lastfrag} ) + { + // all-in-one packet + return true; + } + else + { + // first frag, but not last so we start a flowbuffer + fb[${header.call_id}] = std::unique_ptr(new FlowBuffer()); + fb[${header.call_id}]->NewFrame(0, true); + fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); - if ( fb.count(${header.call_id}) == 0 ) + if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly ) + { + reporter->Weird(connection()->bro_analyzer()->Conn(), + "too_many_dce_rpc_msgs_in_reassembly"); + connection()->bro_analyzer()->Remove(); + } + + if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) + { + reporter->Weird(connection()->bro_analyzer()->Conn(), + "too_much_dce_rpc_fragment_data"); + connection()->bro_analyzer()->Remove(); + } + + return false; + } + } + else if ( fb.count(${header.call_id}) > 0 ) + { + // not the first frag, but we have a flow buffer so add to it + fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); + + if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) + { + reporter->Weird(connection()->bro_analyzer()->Conn(), + "too_much_dce_rpc_fragment_data"); + connection()->bro_analyzer()->Remove(); + } + + return ${header.lastfrag}; + } + else + { + // no flow buffer and not a first frag, ignore it. return false; + } - auto frag_reassembler_ = fb[${header.call_id}]; - frag_reassembler_->BufferData(frag.begin(), frag.end()); - - return (!${header.firstfrag} && ${header.lastfrag}); + // can't reach here. + return false; %} function reassembled_body(h: DCE_RPC_Header, body: bytestring): const_bytestring @@ -200,10 +242,9 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.count(${h.call_id}) > 0 ) { bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end()); - delete fb[${h.call_id}]; fb.erase(${h.call_id}); } - + return bd; %} }; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac index f4a54a1e62..87070e6216 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc.pac @@ -2,6 +2,7 @@ %include bro.pac %extern{ +#include "consts.bif.h" #include "types.bif.h" #include "events.bif.h" %} From c88719472bd37a2818b06121733cb836430227f4 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 24 Oct 2016 13:44:44 -0400 Subject: [PATCH 053/288] Stop calling Remove() on DCE_RPC analyzer. This was crashing Bro when it was called on DCE_RPC traffic carried over SMB. --- src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 14f8a6d8a5..e135dfaf31 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -198,14 +198,12 @@ flow DCE_RPC_Flow(is_orig: bool) { { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_many_dce_rpc_msgs_in_reassembly"); - connection()->bro_analyzer()->Remove(); } if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); - connection()->bro_analyzer()->Remove(); } return false; @@ -220,7 +218,6 @@ flow DCE_RPC_Flow(is_orig: bool) { { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); - connection()->bro_analyzer()->Remove(); } return ${header.lastfrag}; From 36ae5e6662bae806c5c3316ea051dffa5ddb0f29 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 24 Oct 2016 13:50:13 -0400 Subject: [PATCH 054/288] Make DCE_RPC skip input in strange fragment circumstances. If there are too many concurrent fragments or too much data fragmented, skip further input on DCE_RPC. --- scripts/base/protocols/dce-rpc/consts.bro | 4 ++-- src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index 545828d776..e238ad55e4 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro @@ -4,12 +4,12 @@ module DCE_RPC; export { ## The maximum number of simultaneous fragmented commands that ## the analyzer will tolerate before the analyzer will generate - ## a weird and remove itself from the connection. + ## a weird and skip further input. const max_cmd_reassembly = 20 &redef; ## The maximum number of fragmented bytes that will be tolerated ## on a command before the analyzer will generate a weird and - ## remove itself from the connection. + ## skip further input. const max_frag_data = 30000 &redef; const uuid_endpoint_map: table[string] of string = { diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index e135dfaf31..129bb11626 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -198,12 +198,14 @@ flow DCE_RPC_Flow(is_orig: bool) { { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_many_dce_rpc_msgs_in_reassembly"); + connection()->bro_analyzer()->SetSkip(true); } if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); + connection()->bro_analyzer()->SetSkip(true); } return false; @@ -218,6 +220,7 @@ flow DCE_RPC_Flow(is_orig: bool) { { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); + connection()->bro_analyzer()->SetSkip(true); } return ${header.lastfrag}; From 89f9315fb0a64759fb878d375a8cc00479a980cb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 24 Oct 2016 11:54:47 -0700 Subject: [PATCH 055/288] XMPP: Fix detection of StartTLS when using namespaces the starttls command will sometimes be issued with a namespace, e.g. as . The XMPP analyzer did not handle this scenario correctly. This is very similar to the following ejabberd bug: https://support.process-one.net/browse/EJAB-1123 --- src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 3240b57bb3..5253ce050b 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -11,6 +11,11 @@ refine connection XMPP_Conn += { function proc_xmpp_token(is_orig: bool, name: bytestring, rest: bytestring): bool %{ string token = std_str(name); + // Result will either be text after ":" or original string; this discards the namespace + string token_no_ns = std_str(name); + auto offset = token_no_ns.find(":"); + if ( offset != std::string::npos && token_no_ns.length() > offset + 1 ) + token_no_ns = token_no_ns.substr(offset + 1); if ( is_orig && token == "stream:stream" ) // Yup, looks like xmpp... @@ -21,10 +26,10 @@ refine connection XMPP_Conn += { // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon... bro_analyzer()->SetSkip(true); - if ( is_orig && token == "starttls" ) + if ( is_orig && ( token == "starttls" || token_no_ns == "starttls" ) ) client_starttls = true; - if ( !is_orig && token == "proceed" && client_starttls ) + if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls ) { bro_analyzer()->StartTLS(); BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); @@ -32,7 +37,7 @@ refine connection XMPP_Conn += { else if ( !is_orig && token == "proceed" ) reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); - //printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest)); + // printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str()); return true; %} From 8276c250bd931062b921a5d635945d27812fc19b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 25 Oct 2016 02:52:09 -0400 Subject: [PATCH 056/288] Updates for SMB auth handling from Martin van Hensbergen. - Raw NTLM (not in GSSAPI) over SMB is now handled correctly. - The encrypted NTLM session key is now passed into scriptland through the ntlm_authenticate event. --- scripts/base/init-bare.bro | 8 +++--- src/analyzer/protocol/ntlm/ntlm-analyzer.pac | 5 +++- src/analyzer/protocol/ntlm/ntlm-protocol.pac | 2 +- src/analyzer/protocol/smb/smb-gssapi.pac | 27 ++++++++++++++++++-- 4 files changed, 35 insertions(+), 7 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 1f15a3fe81..a898ceb88c 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2505,11 +2505,13 @@ export { ## The negotiate flags flags : NTLM::NegotiateFlags; ## The domain or computer name hosting the account - domain_name : string; + domain_name : string &optional; ## The name of the user to be authenticated. - user_name : string; + user_name : string &optional; ## The name of the computer to which the user was logged on. - workstation : string; + workstation : string &optional; + ## The session key + session_key : string &optional; ## The Windows version information, if supplied version : NTLM::Version &optional; }; diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index e1850f8b45..55756b61e9 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -148,8 +148,11 @@ refine connection NTLM_Conn += { if ( ${val}->has_workstation() > 0 ) result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); + if ( ${val}->has_encrypted_session_key() > 0 ) + result->Assign(4, bytestring_to_val(${val.encrypted_session_key.string.data})); + if ( ${val}->has_version() ) - result->Assign(4, build_version_record(${val.version})); + result->Assign(5, build_version_record(${val.version})); BifEvent::generate_ntlm_authenticate(bro_analyzer(), bro_analyzer()->Conn(), diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac index c553330760..8862be1f22 100644 --- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac +++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac @@ -61,7 +61,7 @@ type NTLM_Authenticate(offset: uint16) = record { domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0); user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0); workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0); - encrypted_session_key : NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_key_exch); + encrypted_session_key : NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(encrypted_session_key_fields.length > 0); }; type NTLM_Version = record { diff --git a/src/analyzer/protocol/smb/smb-gssapi.pac b/src/analyzer/protocol/smb/smb-gssapi.pac index 0a933e8286..2bde6e9e8f 100644 --- a/src/analyzer/protocol/smb/smb-gssapi.pac +++ b/src/analyzer/protocol/smb/smb-gssapi.pac @@ -2,10 +2,12 @@ refine connection SMB_Conn += { %member{ analyzer::Analyzer *gssapi; + analyzer::Analyzer *ntlm; %} %init{ gssapi = 0; + ntlm = 0; %} %cleanup{ @@ -14,6 +16,12 @@ refine connection SMB_Conn += { gssapi->Done(); delete gssapi; } + + if ( ntlm ) + { + ntlm->Done(); + delete ntlm; + } %} function forward_gssapi(data: bytestring, is_orig: bool): bool @@ -21,9 +29,24 @@ refine connection SMB_Conn += { if ( ! gssapi ) gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn()); - if ( gssapi ) - gssapi->DeliverStream(${data}.length(), ${data}.begin(), is_orig); + if ( ! ntlm ) + ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + // SMB allows raw NTLM instead of GSSAPI in certain messages. + // We check if this is the case and run the NTLM analyzer directly. + if ( ${data}.length() >= 8 ) + { + if ( strncmp((const char*)${data}.begin(), "NTLMSSP",7) == 0 ) + { + if ( ntlm ) + ntlm->DeliverStream(${data}.length(), ${data}.begin(), is_orig); + } + else + { + if ( gssapi ) + gssapi->DeliverStream(${data}.length(), ${data}.begin(), is_orig); + } + } return true; %} }; From 860cfa7002bdf6f72cf9de5604a4f74c18c92299 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 25 Oct 2016 09:32:11 -0700 Subject: [PATCH 057/288] Update submodule [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 625dbecfd6..17d1c15476 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 625dbecfd63022d79a144b9651085e68cdf99ce4 +Subproject commit 17d1c1547678bfd54ef1202db5415bc85c7ae794 From 3284e92677e7c3266d6cf350702009c618e5b2f9 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 25 Oct 2016 10:21:57 -0700 Subject: [PATCH 058/288] NEWS file tweaks: input error events & OpenFlow. These were pointed out by Daniel. --- NEWS | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 34d942a7db..c4aeb6133a 100644 --- a/NEWS +++ b/NEWS @@ -41,6 +41,9 @@ New Functionality New log files: net_control.log, netcontrol_catch_release.log, netcontrol_drop.log, and netcontrol_shunt.log. +- Bro now includes the OpenFlow framework which exposes the datastructures + necessary to interface to OpenFlow capable hardware. + - Bro's Intelligence Framework was refactored and new functionality has been added: @@ -154,8 +157,10 @@ New Functionality - The pcap buffer size can be set through the new option Pcap::bufsize. -- Input framework readers Table and Event can now define a custom - event to receive logging messages. +- Input framework readers stream types Table and Event can now define a custom + event (specified by the new "error_ev" field) to receive error messages + emitted by the input stream. This can, e.g., be used to raise notices in + case errors occur when reading an important input source. - The logging framework now supports user-defined record separators, renaming of column names, as well as extension data columns that can From 1f36ae61bac816af34aa1e23128958e664facd30 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 25 Oct 2016 16:44:50 -0700 Subject: [PATCH 059/288] Adding one more case to the DCE_RPC defrag logic. (and fixing a couple of compiler warnings) --- aux/btest | 2 +- scripts/base/protocols/dce-rpc/consts.bro | 12 +++++----- src/analyzer/protocol/dce-rpc/CMakeLists.txt | 2 +- .../protocol/dce-rpc/dce_rpc-protocol.pac | 23 +++++++++++++------ 4 files changed, 24 insertions(+), 15 deletions(-) diff --git a/aux/btest b/aux/btest index 17d1c15476..625dbecfd6 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 17d1c1547678bfd54ef1202db5415bc85c7ae794 +Subproject commit 625dbecfd63022d79a144b9651085e68cdf99ce4 diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index e238ad55e4..62cef37646 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro @@ -7,8 +7,8 @@ export { ## a weird and skip further input. const max_cmd_reassembly = 20 &redef; - ## The maximum number of fragmented bytes that will be tolerated - ## on a command before the analyzer will generate a weird and + ## The maximum number of fragmented bytes that will be tolerated + ## on a command before the analyzer will generate a weird and ## skip further input. const max_frag_data = 30000 &redef; @@ -100,15 +100,15 @@ export { ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi", } &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); }; - ## This table is to map pipe names to the most common - ## service used over that pipe. It helps in cases + ## This table is to map pipe names to the most common + ## service used over that pipe. It helps in cases ## where the pipe binding wasn't seen. const pipe_name_to_common_uuid: table[string] of string = { ["winreg"] = "338cd001-2244-31f1-aaaa-900038001003", ["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab", ["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188", } &redef; - + const operations: table[string,count] of string = { # atsvc ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd", @@ -1470,7 +1470,7 @@ export { ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x14] = "DRSAddSidHistory", ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x15] = "DRSGetMemberships2", ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects", - ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence", + ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence", ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost", # winspipe diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt index c7f9a940e0..959e6ac87c 100644 --- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt +++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt @@ -7,7 +7,7 @@ bro_plugin_begin(Bro DCE_RPC) bro_plugin_cc(DCE_RPC.cc Plugin.cc) bro_plugin_bif(consts.bif types.bif events.bif) bro_plugin_pac( - dce_rpc.pac + dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac dce_rpc-auth.pac diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 129bb11626..921b4ba51f 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -182,12 +182,21 @@ flow DCE_RPC_Flow(is_orig: bool) { %{ if ( ${header.firstfrag} ) { + if ( fb.count(${header.call_id}) > 0 ) + { + // We already had a first frag earlier. + reporter->Weird(connection()->bro_analyzer()->Conn(), + "multiple_first_fragments_in_dce_rpc_reassembly"); + connection()->bro_analyzer()->SetSkip(true); + return false; + } + if ( ${header.lastfrag} ) { // all-in-one packet return true; } - else + else { // first frag, but not last so we start a flowbuffer fb[${header.call_id}] = std::unique_ptr(new FlowBuffer()); @@ -196,14 +205,14 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly ) { - reporter->Weird(connection()->bro_analyzer()->Conn(), + reporter->Weird(connection()->bro_analyzer()->Conn(), "too_many_dce_rpc_msgs_in_reassembly"); connection()->bro_analyzer()->SetSkip(true); } - if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) + if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { - reporter->Weird(connection()->bro_analyzer()->Conn(), + reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); connection()->bro_analyzer()->SetSkip(true); } @@ -216,9 +225,9 @@ flow DCE_RPC_Flow(is_orig: bool) { // not the first frag, but we have a flow buffer so add to it fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); - if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data ) + if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { - reporter->Weird(connection()->bro_analyzer()->Conn(), + reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); connection()->bro_analyzer()->SetSkip(true); } @@ -244,7 +253,7 @@ flow DCE_RPC_Flow(is_orig: bool) { bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end()); fb.erase(${h.call_id}); } - + return bd; %} }; From b7a774ab289e3a2d2a844ae832a4cd0d411a6411 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 25 Oct 2016 16:50:48 -0700 Subject: [PATCH 060/288] Moved the DCE_RPC constants into init-bare.bro. --- scripts/base/init-bare.bro | 13 +++++++++++++ scripts/base/protocols/dce-rpc/consts.bro | 10 ---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 1f15a3fe81..60697b8c01 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4381,6 +4381,19 @@ export { const bufsize = 128 &redef; } # end export +module DCE_RPC; +export { + ## The maximum number of simultaneous fragmented commands that + ## the DCE_RPC analyzer will tolerate before the it will generate + ## a weird and skip further input. + const max_cmd_reassembly = 20 &redef; + + ## The maximum number of fragmented bytes that the DCE_RPC analyzer + ## will tolerate on a command before the analyzer will generate a weird + ## and skip further input. + const max_frag_data = 30000 &redef; +} + module GLOBAL; ## Seed for hashes computed internally for probabilistic data structures. Using diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index 62cef37646..d9e0993b03 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro @@ -2,16 +2,6 @@ module DCE_RPC; export { - ## The maximum number of simultaneous fragmented commands that - ## the analyzer will tolerate before the analyzer will generate - ## a weird and skip further input. - const max_cmd_reassembly = 20 &redef; - - ## The maximum number of fragmented bytes that will be tolerated - ## on a command before the analyzer will generate a weird and - ## skip further input. - const max_frag_data = 30000 &redef; - const uuid_endpoint_map: table[string] of string = { ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl", ["86d35949-83c9-4044-b424-db363231fd0c"] = "ITaskSchedulerService", From b0a258630956d19d56553f26eee5aeed48304420 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 25 Oct 2016 17:06:07 -0700 Subject: [PATCH 061/288] Updating tests. --- .../canonified_loaded_scripts.log | 5 +++-- .../canonified_loaded_scripts.log | 5 +++-- testing/btest/Baseline/plugins.hooks/output | 20 ++++++++++--------- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index fc4caff34e..71c1743860 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-10-07-19-25-03 +#open 2016-10-26-00-05-53 #fields name #types string scripts/base/init-bare.bro @@ -63,6 +63,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro @@ -167,4 +168,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2016-10-07-19-25-03 +#close 2016-10-26-00-05-53 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 603e9d7007..3e2a83dfd2 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-10-07-19-25-14 +#open 2016-10-26-00-05-59 #fields name #types string scripts/base/init-bare.bro @@ -63,6 +63,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro @@ -355,4 +356,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2016-10-07-19-25-14 +#close 2016-10-26-00-05-59 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 177cdfb0d7..76a47699a4 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -410,7 +410,7 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(strftime, , (%Y, 1475869873.545611)) -> +0.000000 MetaHookPost CallFunction(strftime, , (%Y, 1477440372.839693)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost CallFunction(to_count, , (2016)) -> @@ -427,6 +427,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1 @@ -966,7 +967,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1096,7 +1097,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1129,7 +1130,7 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(strftime, , (%Y, 1475869873.545611)) +0.000000 MetaHookPre CallFunction(strftime, , (%Y, 1477440372.839693)) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre CallFunction(to_count, , (2016)) @@ -1146,6 +1147,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_ConnSize.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.consts.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro) @@ -1684,7 +1686,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1814,7 +1816,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1477440372.840195, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1847,7 +1849,7 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction strftime(%Y, 1475869873.545611) +0.000000 | HookCallFunction strftime(%Y, 1477440372.839693) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookCallFunction to_count(2016) From a836ece4e634181f28d966b0695e8072b8b79dea Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 26 Oct 2016 10:41:08 -0400 Subject: [PATCH 062/288] Including a test for raw NTLM in SMB --- .../scripts.base.protocols.smb.raw-ntlm/.stdout | 1 + testing/btest/Traces/smb/raw_ntlm_in_smb.pcap | Bin 0 -> 27214 bytes .../scripts/base/protocols/smb/raw-ntlm.test | 14 ++++++++++++++ 3 files changed, 15 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout create mode 100644 testing/btest/Traces/smb/raw_ntlm_in_smb.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/raw-ntlm.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout new file mode 100644 index 0000000000..054c38f738 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout @@ -0,0 +1 @@ +\xebr\x96\x86\xfc\xaa\xcf\xad\xb14\x18\xfaIG`\xde diff --git a/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8a40175db43205065dfbccfc3d006cf7146778de GIT binary patch literal 27214 zcmeHPd3;pm)qd|xHbY>NU?2g6fedRPBq6M_Bq0e&O&~}FBoPRksO({J#V9CP_YD=0 zB6R`9h>8eqU_qr)tAJY(tZkuMV+E>~oqW&p-X(LFxfAX8>-W!h^Lyt`?!EK8=bY!9 z^R6==?|kVAkBATrM}$!D&kfrn#zcSU5ySDGB}Q~E?9wDwbe8W6gvfb6GDqY@Ek3hj zeLn?d>VdP$n|t5i+Yb+jO`iJtwjT@OiHO{+c)gK|5)&JnvU(NoMR-*7rLO2_ju5@H zwSj(4+__{$lX@M!SG7C(8y_{uu1ie~VgzMZAbU+z^jXTy8k9E=oPF?g^hJ=r|E9## z$I=_n1!ZTgJQO9uL(6>Ujvgh^X&H$w?mTdA(bw(1Ua}%i5WTR%klhj8yVoP~P#cTQ z?%C0;Xqns}49lo??+^Lg*2Kpry*!n2HrSi;`dtwVt|y}RK?70RI!-|5Z-}_3)Q;G} z74dJ9y{VlI#9$c{AmbD};y_o#)dwl##tZ{7SVkc3DX}9i+}Gd(Haq6jClayvdjs*j z@@8FayDP{u{dddn4VE1J_a&g~EZICPTZyI*#6$r-*u&bw!v@qOoIdvY=c>Fy#J#}C zAWQGNBgRO?NF7o0s&C*`3K943up_qL-yoyS0@<_cX@NgAH7uaAGytB|j=VqpvSHKJ zl#?=!aYY;m&(Dc!8f_q|EGh7$e-QC4WB|=K4a9CAH?U;0V~%oxjHQ#h)`-;efz$!H zU}`*L$=k+Y$uX9u0$pdxZh;H`PI@-A;0EU%ik76I{2_y~&)@uqD) zBHp{%us|?ka(vPgubL47QcyptG;bc>h!|xzPx?_`uZVhPybi)Myxd<>>d#2e%n}|v z?$1ik$S~dx88SpB?1w+`2VTZE5^NWGY~T$h!tOGDO7U55|h86d{Y1 zY~>N93CWK7jfL!0b+!HikbObBdsTg*>%rI*>a0wV`nC{ahXdL0O%YKqCZNJ^MYf{r z=YcS7@yAv_((~&{f7tQbM?WrZc?|!`<00{o7>#$4N*6YwzH&6bqeQvr0j2tie7xp~ zp`sVg1){(30LlFcCF~Oscw)YoDys3?Lrg<0Q}8+oM(&04RMg@P`$UvbJ3&%~G2$vQ z3m~(_B7piuZ^@1j*6UedhJSuhB687Z@=I=Kf!`}pE#jM`Z3k(g-M-{Bo%C#?*-8Bc zfz*r7!|kK5)FMJZsEn1Wc=NOvq$kLPvcBC8H;la{ubgKkH5v*c|9-~CVE(0+5d`z zBg+ylz2(rLu3I9P^>%j(o$fr?Jx^SYG6H{>0NeTS#CCsZ&&f}#rtjUBF@4e40!3;d zM9qc)`T0edK=`xDyNehC1rzt+@T{vmZYHVs`TB;$aiN{14Jl>&Ifn>!^ptnuf&lN?Z;* z+RM#p=;HHrwH>N!l23dw`%+UHf)9!XhW|OHAq-aP#R8dFe`OEC|0p<1pi1cAyzMYU zX=fL6D0Qd~qz+t!;Eb3uQB?)ODMRTN1m}+}eBw#y#9|FjvEuy=L|n|#lRAQueFY6M zIX>d_Ejr?>7pcK1#?v?pfacU!5HVgFhgB)acA^r0ZXQx8ibWaHZvY=b7XqCK%G@g1 zC*zW_X(M!w(o_<<%S`CNMIiJO5PIEkEulc(A7WD|x9DfcY$23w3T2M2hx4MVga25f zMRD0sd`?O;9MXj5WM>yz@V3Ji3w{DlUIr(gal1?w{DJzt3&dxE&SK+a^=}^_;!~Cs z+(AW5j`uwAlo=5qQ>foMys>hk>K7rB$%)K&Jj-K;b`~{w!?=dt@<0|B0-dQ!#P>Yp z$!e6zxJ1eKr})GNc+X;EX1mf%GBe-8%*%DPse`~w!k!3K@*rlG8In6P6Ct|Qi)E-R zN0$!oLmoA}V@Ww4QI94o#IZ_A6fCN8$Dmwjq7$P?OW%fpg$$L{L4njkgKOe_=Pv)$ zObgAmua!^y73eHBqCXzJnuy0gGP{n3m>e%|nqVNdrO5!Yn&#?=H_k*yQu`v_Hd&z@ z*UE(ld0XUMPGZYs*cIR%k4VwP%jfw)I)d&es>v0xdqmbHb6V_I60aRMZ2PRgEax*3 zS1kW^U7O!0{N|e&krrPxkxoO6f7{w8euwugHV4_PU}%C|yx8m@g9gJv4%H<8d+x+? zlY>BOaigKJqk}}E7IflxumhMcUooH&MUf&-YQ>wnRx_Fl(Nt8H6_*uMR?k~ly%2t_ zJ60%-{s4{gfWczpF#F(>q^S&W_z;=8!fT)y9V|3A-f@h(DgVfrw>$ z9TDLbdmlCvUzBt8|OHA6`2I*QgI#d%FvCQ4D1E+)BKeAGqbdD zC0j&+u5CU(SB!y0Kq57juZ$=m%yQ;Jl9_VQ!bfEEX=k;m7or(&;NUqQl23yM3&ae_ z;)nFQKFm!*9EQ#HgWfU?-jat4EcS@}@k_=}dAd1%0*?n$hpa?I9v|HiTFS}ES7lZu zqSDp}y9rrrh*dFZM9g``5fKr&HP?&?psw`42)uF5)6uX=4ue2-{}ZVGDm=?#b$?Nz zB+&h%KQX)ikd<)%_u>9aliH}&Ypp7iW~x!Wqx+Lg8Fwk|+$>o&k9vQ-(xUhKu;kmY z5<+S7oAnK~vELl-}B@yeH|AV@l0TmIJyz8VHQCDRy1$NABF}%ZyKMbna z!G?*_h96sO_%>{K95%e-=^veKC@Xffp;7U7t~T5#yX>niUG~6n*bo!jupxTVnm0-t z-U?OjJlsUQ1hrUfHhl6o5wzikM=dr~5n;nE2n!YQwREl5FoW)ZiflHNSvcl`hAuli zIeeGB6a!r5j$(A&%f)4gea@)p9e8Rm{_jo1Qe0uNk+D!|F3H$xA>*66+KyG27&?}M z!Hbs9&%~xs3o+Qxz(R&1JMb5<13wtaYlC2Cjwva30P<8hW_2hTWx4}0h0YphFQ8RR zy=JR+tO}&&bOTT4Mm}${>Y3YsI6q&AAArunV6LxM*^&!9N0bYNs7WXsqG?$#evQAq z<7OpzYSMTO|6#!DFDxi1EX*$~7&^RQSbkAKLBX(sp#}N*`8XHm|7vKi@D~g(%r7V| zC@UCVP&hQ#`j?9eVZ)l#&rAaJ!JL8XPof;%D6G-lAEC_OSM zNz+6k-Ur0c1MKCqiMXS;BO*9?=7<>)`h^@|tNJzhg#+vv=+OA;f@+UfWbuY(Z~TdmHQ6Lg-*fm z?IbO?6q{-3lm?=YgXlBET9|1e;)ZO+Wq=)kBj-c~#yTQ`=$!QiqMxncETM0M7j#NJ^Kdzcw5!a5%PRvgH;JKqhNiDeYj_3G@({Pj;U(s7}8(_DT z4zkeVAjjb#duozT-5&VLLOe;$b6qh=Oc2kNW%sYL9{ofko!&`v5M zyyERXHm_K3G_jUWsA{98^oDX&X7!44T;;Tjk~1~*0Gl6-Kp98?EEv&V`hbULxA{|k zf`@KndPsdAMV!Vp7F*}*J0)3q$RM+a#pYQj^RkH; zm1OoT4H2F-?NT!$OtHhTt)pi(qeso4%`Ew5hT&N^h4w6d5Ur!?nxgy9_N-)9Y&qy@ zoIvmp4TB(B40)Z!Y8&EwW8DbnLC3ovuS4P43BHEex}XirW;mq^tfiI1SJ^onUaS~n)6lO!*#V?TVhRNz>?pZyayZvSK4#sscYgpvp6BuxR+iPHZa(uZdGcV2R`>;elXtHAOh=A;~BhgSp3s|PABQ=GSdMZ~x3 z9TCCuibFP*Lr!t3y@CYcRkSHiDpWW~G3EuWL5?ZTHj<9_Ep!|L9lJrt9shdSMn}jg zPQ7~Alod}w#i1=Zq8If(^(Twoy925D5wPU>oQa0s9rSov8>EUYUMl+CN5uHij)<`2 zHOR#3^xRH~2r;E9bLj()@sh|pR3&Dxs|_!bHvGNWhWQb&;ZfLd($c$}Z73^tOq52& zS*SR)4S)EE8ecZhqVZAKFiqMJIKdiIl_fxgJhIqqxVY>CBA)ok5fL_gq|}TEphD)H zELzH9Lv@0%x$t>#4-4UZL_0iKdB7);UcG8J)T>aoCPNgl0ykJ}uDV=lE6u#hV&=5E z+HU<}=Hzrt$^>N&a4gCU*(_$(WkY+U%GD1~Cu{9diV$D?*clhlZ|>Y$o|!!a^q`bo zA!TSzu1%u_Kl+Q=g5COqlbgZGxgiV879`?GAcp4Taygbh`n)3|IJy6IGa@7n!^wp@ zCvl`kJ8YapN>09lY!BcO78@r^m3ESoH5N{81}94}yZ^`8&1{^MxN~wLv$@*Dkdq5F zPS9Z2qi0Z$OXNbIV5aqcaOGp!XXN8;%al{MCE(*j@-g@ev-ODBB}c*5MInnVMs8mz z5ug8?g%1@Gd~`TvMx?lg&Wc)?DcpKfe-gN>K(4H+F{B}v43m-S=d)uji>e9f0f#@s{PaY9qWQCZP+~5Et16+dQQ<83(wdM zRKP{JlY>^9c_!k;KwJYoSZtniU*cvW_CDu`NY4Se!TA~>W68=oym8L1Ewt%RkI|#k zjLA=k8Wi@X^=mTPBWY#Tht5LU5AdGF>O*3?(q6`Pl{vNxuyU7{$;G0I7gTB4I-^(H z0U#l#Jk@;LLfcd1f$s|O%X}u<&;}6ZLtlbYl}pNVBlj~TuAHd3|1?vPmKjJbECIP^ z2EJ%ek*aq;GJrT6RkGN~t?K?~BDUegR?y^@h6r-+{=|$3kdPfY)m$xw*Avu{`wG?T z3%oYADwGbAEz91#!V<7G9&GJAGS9>olnT98tyhm{=+x(3ExBhT^}gwKi{AJeMPW58 zd4AwHv))8(HB=FFY8IO%ANuosM7*kvBO)yM`ln_@fK)O}WFzgEVA00+7ZH`%9y=NA z&BVD1Gyiii@SckI)wnWAp6AQm7*+Vc8voD6-iT?M4c>voF2+xl#@`8v^)LKj-KMY_ z#(xXOpX_hxZ2XvP`-Xef__9|*Q`Mp3JP5&JGgbEZ2{hHWmcBvSTd15{F3w-P-)t%( zHp_Qw-S!p{anU@B@l`|^KXBBH2(iMnZYhmw-OhV~WMrnTknvXh&tmiS`AR^VdxOQ? z*q6~g9_CJXcD~Kr1KnG<6t-?W)YeU(5=O4XA^SlGArU!XvGdR;fmTbj%xrg$2M-4% z54mQmk%zbfw_e{}j}Y+LKZJBy75K&Baf=a`sU3ttC3 zg_Y%?9#RL{^P7f-P7xh(SG2&JXb~ZsaVD{R^n@m$%twmi<})=-_jydg&ITciEoN?1 zI!Vqf-w7I)4$gLgvnwXS`az>7$S?Ax?7mPb3d%xq@WzwYP0xqg@`CX~tKJUDLi2R% z7qsfTnHHXQfv1J!slT=^f<8uHy(#|J%We(GfpbKh`GO-Nc>1!T=Qc>=Nj4x<+PRHRW}cEIPnD7~xmwSjJJq7S`4F2w_F;p z?6konjbkU_RX2A2B)8|xv24%j5db^fW_zxGPs8U2>+F06#I2~F#TG@+?m+g=iCS)H zVKhXrbLtv1B0%Q3N6|&XmriX>QN%F8CnY{nvrBfl~>8f$+1 z9+%2l#_O(}b&;GsZq9-R zUyqf6)S@VI)^Cns;UPL_t=?3`E>zEA<7~_4Fs{MN*64nV`S zcJ1&;~R z-Mn(6o8NV#TN$JY9dGrUXu;x2vjuxH-u8i$^L@~#(fW0xbWV-{@mYw)VvD!c|12e9 zg=OwYLj)()-h$xgp$Az>*o3IM};S!G_Plh6|@Z zY_cIL531NQ`)a9pH!2S8$nn3X#{HI9G=46STI`oLZ0M|&>yDgwzt?5RvniH{k6O0s z^i&aH!@O#Pl?_^Qkwcz!w3OqJC)MW2itzAhdDP$)v5yvnhhM$ZoD&1-=%QT(XJ!LG z3-`$X%m=&%{|+>yOByV@-HZKowHZmEA#TxM4H}xm2Oz&ngOe+(vof4DlNCRKibK;d zu#85Fd(%uqMiOWkMjEnJ5jdZqhUayC+}iNwY`( z(d_-j!(jH=SbKP>_-m`#J#mJt7VlTh9$>?}8!n*^Gj}WO*$eRrmPTUKA8W|L&5812 z_<3dRG2_IMHxvnT(EZdS+`P3Fi1-oKi?;vM;o$1Q-YXBio{#!uZVg^j(brhEsE^4} z7TLSz2ov2Gs8 zn3c%In70hSgHeF?KNB^SV72ZNT<5f^I^}Br`dd2sdb1!E4|-Uehuz{UV-=$z*)oF6 zm>o#HWDMf#Xl6s}isregjIR+u+yrzMTYRm1?hPWY{;MUvR7Awrx=W1sl86Ag+VEM& zG}lr1XcTjNb&~OQwT!Q>xNGSjhvJ47ISKjC;}a~_m=nhoG~C3)|E90f8ZB42`A6-GWOHSOg-v`l zxTHD!<8%gAEw%of;UASi+zhQ)Z2s}|qftcM#2L@v{Hr3uKb~pGzq)_SqJ7uVPLBT3 zNoxj^8^3agIVP@;I>#@q;(f&Hww{+MePpEBM@pL4)n<<1dfwfbs?z%0Y!0D^2(zBo zNn6kJGW{C)>ewsZx1I78!+|qGJoMb9HumZ@+pBp!&kyDD@C=KMpzL-pkf5&P%>-qR z0Oe~y`I(;E?351%;%uO?*bu9}>_o(?EgSkYL{L8GpcxS$Vb=3H3$Hh5J?}GAuXkQ; z5nZ8RoQR0tY+-8+*t(JHdAqN-u@!P-mfDJThJ-S?{>#;p{~SfVE3A6o2ur@h&P&fp zX1!&)e$?wS7;17G5eNA#+^C4KjA}LBVnb|OOi0(Lc%*B;V?+3nDAE{36tE@Y8NgvF%r~;rcT;6iZomS z6knR5=;5J<%K$L|-~7%;(^`%~i$_1^77bnMXmNiBi^UHIQcJlp>}*#{}3_`1;@}a|78&a(KOLAp7I4 zrGad0CxRAgztSt3!J;fyX0fu8Et%!d9|jH4O0k(NYZ8`24&9q!Vir1y-G)An4Q5w1 zm`kNb{qVX}Y9hq_NO2Ag=Kp0Ui`L13bwX#;{2^pJf?fEa<}Paz{O1Jx=Twj3X10lV zGZ1${aTc5ZY?*Nj5f556&T5G8p9d`-2@pAfybf=i8_;fA1KOqW4Je|lve6w;>Xfz0 zwL$GIeW=vpLnq)v$PT9}>et$QC`^NjP5$yncOqni8qP=jv`su;Fl_Xw=bzD_mO;7D zE)d&-gbhAnaRCJU@LSoScE^0U)`v1u$ZQ~nZcvNfBBHP)r7RT@E^t+q84(JFX;9OI zHzKG(tw;4P4Qe0B)+RGs!*8vt?Ueww(toFUAoHP`7sG9kfjg-UYU|Z*mfT-Ny%%t2 zPEauQN`NIdut81x#;i9TFCU1n0iDGbOdGdtBjP<@I3mK5Zzh`&0W#l6UXIDQyYM05 z33G#*Aye3V*`W5qU7vh>1IC%{@J(B2%2u}Nb zXhsAbVfF_0&=O?u-at)Ve3nC~pm6^8@KJaz~yp3zsL6uhH z4K@fjmgu3SzDSw+^zr1{%Z_~-JeF|ZPul3cfnP(p(5Y{`96sJ*89w$p0&=;j>P)wQ zLB;brxoy^Y#Us#?#TKx43|dceo5WklRS`k%(Z|e)02#@EU5hvN){ocHMN8h(j?F&( zo%tLQA%-=@*O_v7nR(^1QIUq?)=m+&68D#^er#bC`>L`B)Wn~R%-w0QnuHX&k%<0f zQ6d#xEEcQcN>VZ68{Nhq&5CCakfwyD4SNQk zkOwL@jvBmc@M>*d4^2{IoBaWf8w5)*cg6L{$(RG=9%TMDAAi1yBk^?n+UOj-npNHznqXw@H?E8hh^RqjBz7hyh&>Rmd010`FQpFJZAif65Sy~A5y6zD z1yl5YBbaiaT&1xWIXKBRW26CX6mH4~U_IY4uG++&IY*5iT(9 zRWoAvVCp5j(LurVEvk13roob}^%l0ygRSep*1NBcR;v$UD@-uSQ3drr?`p~CU!mTs zEW0WCTo*_k*^witjyZv2>FD7j;V|=@ro{=3v z&l#=(^__0e(*nT+y~6Ez%Elv&+w+tK$wEiM+RXSo(@p8&iM1X`D0ryr%z~<@5h7qv*O>OIRWV&$TZ!%b8 zPjMm PH_u1DLe^5pnQi<(yueRy literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test new file mode 100644 index 0000000000..6e09ef7ded --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test @@ -0,0 +1,14 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/raw_ntlm_in_smb.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/ntlm +@load policy/protocols/smb + +# Just verify that the session key is grabbed correctly from NTLM +# carried raw over SMB. + +event ntlm_authenticate(c: connection, request: NTLM::Authenticate) + { + if ( request?$session_key ) + print request$session_key; + } \ No newline at end of file From 0dc7ef7749a1873b580219e013cd7c735fca70ef Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 26 Oct 2016 14:29:38 -0700 Subject: [PATCH 063/288] Update submodules [nomail] --- aux/btest | 2 +- cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/btest b/aux/btest index 625dbecfd6..17d1c15476 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 625dbecfd63022d79a144b9651085e68cdf99ce4 +Subproject commit 17d1c1547678bfd54ef1202db5415bc85c7ae794 diff --git a/cmake b/cmake index 39510b5fb2..71932e91ab 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 39510b5fb2351d7aac85da0d335a128402db3bbc +Subproject commit 71932e91ab329158950d41d630f96509ffe7a217 From 0d37c0df7b8b6abac63dbf44e03c5deafb72edc6 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 27 Oct 2016 08:59:05 -0700 Subject: [PATCH 064/288] Fix for Sphinx >= 1.4 compability. --- CHANGES | 4 ++++ VERSION | 2 +- doc/ext/bro.py | 22 ++++++++++++++++------ 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 0641958fa3..96a6152d05 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-beta-114 | 2016-10-27 09:00:24 -0700 + + * Fix for Sphinx >= 1.4 compability. (Robin Sommer) + 2.5-beta-113 | 2016-10-27 07:44:25 -0700 * XMPP: Fix detection of StartTLS when using namespaces. (Johanna diff --git a/VERSION b/VERSION index 73304c9c72..7375177fa9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-beta-113 +2.5-beta-114 diff --git a/doc/ext/bro.py b/doc/ext/bro.py index 1df4a518c2..c78615813f 100644 --- a/doc/ext/bro.py +++ b/doc/ext/bro.py @@ -14,6 +14,7 @@ from sphinx.locale import l_, _ from sphinx.directives import ObjectDescription from sphinx.roles import XRefRole from sphinx.util.nodes import make_refnode +from sphinx import version_info import string from docutils import nodes @@ -32,6 +33,14 @@ class SeeDirective(Directive): n.refs = string.split(string.join(self.content)) return [n] +# Wrapper for creating a tuple for index nodes, staying backwards +# compatible to Sphinx < 1.4: +def make_index_tuple(indextype, indexentry, targetname, targetname2): + if version_info >= (1, 4, 0, '', 0): + return (indextype, indexentry, targetname, targetname2, None) + else: + return (indextype, indexentry, targetname, targetname2) + def process_see_nodes(app, doctree, fromdocname): for node in doctree.traverse(see): content = [] @@ -95,8 +104,9 @@ class BroGeneric(ObjectDescription): indextext = self.get_index_text(self.objtype, name) if indextext: - self.indexnode['entries'].append(('single', indextext, - targetname, targetname)) + self.indexnode['entries'].append(make_index_tuple('single', + indextext, targetname, + targetname)) def get_index_text(self, objectname, name): return _('%s (%s)') % (name, self.objtype) @@ -120,9 +130,9 @@ class BroNamespace(BroGeneric): self.update_type_map(name) indextext = self.get_index_text(self.objtype, name) - self.indexnode['entries'].append(('single', indextext, + self.indexnode['entries'].append(make_index_tuple('single', indextext, targetname, targetname)) - self.indexnode['entries'].append(('single', + self.indexnode['entries'].append(make_index_tuple('single', "namespaces; %s" % (sig), targetname, targetname)) @@ -148,7 +158,7 @@ class BroEnum(BroGeneric): self.update_type_map(name) indextext = self.get_index_text(self.objtype, name) - #self.indexnode['entries'].append(('single', indextext, + #self.indexnode['entries'].append(make_index_tuple('single', indextext, # targetname, targetname)) m = sig.split() @@ -162,7 +172,7 @@ class BroEnum(BroGeneric): self.env.domaindata['bro']['notices'] = [] self.env.domaindata['bro']['notices'].append( (m[0], self.env.docname, targetname)) - self.indexnode['entries'].append(('single', + self.indexnode['entries'].append(make_index_tuple('single', "%s (enum values); %s" % (m[1], m[0]), targetname, targetname)) From af1d7d1f21bd07bf01fd4df6b894e5defb3a2f2c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Oct 2016 09:14:53 -0700 Subject: [PATCH 065/288] correct elasticsearch link in plugins --- doc/components/bro-plugins/elasticsearch/{README => README.rst} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename doc/components/bro-plugins/elasticsearch/{README => README.rst} (100%) diff --git a/doc/components/bro-plugins/elasticsearch/README b/doc/components/bro-plugins/elasticsearch/README.rst similarity index 100% rename from doc/components/bro-plugins/elasticsearch/README rename to doc/components/bro-plugins/elasticsearch/README.rst From 8d40f99831182d230f12f2c7a6da90a2860dc665 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Oct 2016 10:40:40 -0700 Subject: [PATCH 066/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 741f6aefce..1a121cbb53 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 741f6aefce5758d7a62ac5be05f4c750afb5e463 +Subproject commit 1a121cbb53b1eca52d535aa32ef4bf78efa39362 From 99a898b6ae3c7cfe9ec0681eab106d0c5aff0d50 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 27 Oct 2016 16:34:33 -0500 Subject: [PATCH 067/288] Update install instructions Removed some outdated info, and improved the section for Mac OS X. --- doc/install/install.rst | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/doc/install/install.rst b/doc/install/install.rst index 4b1f408202..35a38da27b 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -31,7 +31,7 @@ before you begin: * BIND8 library * Libz * Bash (for BroControl) - * Python (for BroControl) + * Python 2.6 or greater (for BroControl) To build Bro from source, the following additional dependencies are required: @@ -69,9 +69,6 @@ To install the required dependencies, you can use: sudo pkg install bash cmake swig bison python py27-sqlite3 - Note that in older versions of FreeBSD, you might have to use the - "pkg_add -r" command instead of "pkg install". - For older versions of FreeBSD (especially FreeBSD 9.x), the system compiler is not new enough to compile Bro. For these systems, you will have to install a newer compiler using pkg; the ``clang34`` package should work. @@ -89,19 +86,23 @@ To install the required dependencies, you can use: * Mac OS X: - Compiling source code on Macs requires first installing Xcode_ (in older - versions of Xcode, you would then need to go through its - "Preferences..." -> "Downloads" menus to install the "Command Line Tools" - component). + Compiling source code on Macs requires first installing either Xcode_ + or the "Command Line Tools" (which is a much smaller download). To check + if either is installed, run the ``xcode-select -p`` command. If you see + an error message, then neither is installed and you can then run + ``xcode-select --install`` which will prompt you to either get Xcode (by + clicking "Get Xcode") or to install the command line tools (by + clicking "Install"). OS X comes with all required dependencies except for CMake_, SWIG_, - and OpenSSL. (OpenSSL used to be part of OS X versions 10.10 - and older, for which it does not need to be installed manually. It - was removed in OS X 10.11). Distributions of these dependencies can + and OpenSSL (OpenSSL headers were removed in OS X 10.11, therefore OpenSSL + must be installed manually for OS X versions 10.11 or newer). + Distributions of these dependencies can likely be obtained from your preferred Mac OS X package management system (e.g. Homebrew_, MacPorts_, or Fink_). Specifically for Homebrew, the ``cmake``, ``swig``, and ``openssl`` packages - provide the required dependencies. + provide the required dependencies. For MacPorts, the ``cmake``, ``swig``, + ``swig-python``, and ``openssl`` packages provide the required dependencies. Optional Dependencies From 65d7419be4303b3aa3e0767a1d5d8d7e770915a0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Oct 2016 14:45:03 -0700 Subject: [PATCH 068/288] Update submodules [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/aux/binpac b/aux/binpac index 097c1dde17..3f7b38c293 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 097c1dde17c218973a9adad9ba39f8cfd639d9c1 +Subproject commit 3f7b38c293e94143a757590918aac82281e46500 diff --git a/aux/bro-aux b/aux/bro-aux index 0191254451..a9c2717232 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 0191254451d1aa9a5c985d493ad51f4f1c5f7d85 +Subproject commit a9c2717232764808ca6029f8e727812b58424839 diff --git a/aux/broccoli b/aux/broccoli index 0743c4f516..3f036d36d1 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 0743c4f51600cc90aceccaee72ca879b271712d2 +Subproject commit 3f036d36d1e4a42dd672f8a03caf81e38f318f2d diff --git a/aux/broctl b/aux/broctl index 1a121cbb53..e174efad41 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1a121cbb53b1eca52d535aa32ef4bf78efa39362 +Subproject commit e174efad41becb2e56f992391a855b62abadfef7 diff --git a/aux/broker b/aux/broker index 497924cdcc..35d292cbae 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 497924cdcc23d26221bc39b24bcddcb62ec13ca7 +Subproject commit 35d292cbaef2fafdaede5975d097c27d810382ab From 0fc0a89e4a141eec8825c32b2ed12545115335d6 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sat, 29 Oct 2016 15:16:42 -0500 Subject: [PATCH 069/288] Python 3 compatibility fixes for doc/ext/bro.py --- doc/ext/bro.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/ext/bro.py b/doc/ext/bro.py index c78615813f..6a4c50e8ce 100644 --- a/doc/ext/bro.py +++ b/doc/ext/bro.py @@ -15,7 +15,6 @@ from sphinx.directives import ObjectDescription from sphinx.roles import XRefRole from sphinx.util.nodes import make_refnode from sphinx import version_info -import string from docutils import nodes from docutils.parsers.rst import Directive @@ -30,7 +29,7 @@ class SeeDirective(Directive): def run(self): n = see('') - n.refs = string.split(string.join(self.content)) + n.refs = " ".join(self.content).split() return [n] # Wrapper for creating a tuple for index nodes, staying backwards @@ -214,7 +213,7 @@ class BroNotices(Index): entries = content.setdefault(modname, []) entries.append([n[0], 0, n[1], n[2], '', '', '']) - content = sorted(content.iteritems()) + content = sorted(content.items()) return content, False @@ -290,5 +289,5 @@ class BroDomain(Domain): 'unknown target for ":bro:%s:`%s`"' % (typ, target)) def get_objects(self): - for (typ, name), docname in self.data['objects'].iteritems(): + for (typ, name), docname in self.data['objects'].items(): yield name, name, typ, docname, typ + '-' + name, 1 From 43a127fb899cb949473b09909b192aad05720f7b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 31 Oct 2016 10:35:46 -0700 Subject: [PATCH 070/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index e174efad41..895fae348a 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e174efad41becb2e56f992391a855b62abadfef7 +Subproject commit 895fae348aa03032d198350d03bfc09eb46ed4b4 From 4f3fe047f4638adf09797ccb5d6737437fe27ff7 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 31 Oct 2016 13:35:47 -0400 Subject: [PATCH 071/288] SMB fixes and cleanup. SMB error handling improved. The analyzer isn't destroyed when a problem is encoutered anymore. The flowbuffer in the parser is now flushed and the analyzer is set to resync against an SMB command. This was needed because there is some state about open files that is kept within the parser itself which was being destroyed and that was causing analysis after content gaps or parse errors to be faulty. The new mechanism doesn't detroy the parser so parsing after gaps is improved. DCE_RPC handling in SMB is improved in the edge case where a drive mapping isn't seen. There is a new const named SMB::pipe_filenames which is used as a heuristic for identifying "files" opened on named pipe shares. If the share mapping type isn't known and a filename in this set is found, the share type will change to "PIPE" by generating an event named "smb_pipe_connect_heuristic". Reads and writes to that file will be sent to the DCE_RPC analyzer instead of to the files framework. The concept of "unknown" share types has been removed due to the new heuristic detection of share types. Some general clean up of how the SMB cmd log is written and when. --- scripts/base/init-bare.bro | 7 +++++ scripts/base/protocols/dce-rpc/main.bro | 6 ++-- scripts/base/protocols/smb/consts.bro | 22 +++++++------- scripts/policy/protocols/smb/main.bro | 14 ++++----- scripts/policy/protocols/smb/smb1-main.bro | 29 ++----------------- scripts/policy/protocols/smb/smb2-main.bro | 21 +++++++------- src/analyzer/protocol/smb/CMakeLists.txt | 3 ++ src/analyzer/protocol/smb/SMB.cc | 25 +++++++++------- src/analyzer/protocol/smb/SMB.h | 7 ++--- src/analyzer/protocol/smb/consts.bif | 1 + src/analyzer/protocol/smb/events.bif | 10 +++++++ src/analyzer/protocol/smb/smb-pipe.pac | 8 ++--- src/analyzer/protocol/smb/smb.pac | 2 ++ src/analyzer/protocol/smb/smb1-com-close.pac | 10 ++----- .../protocol/smb/smb1-com-nt-create-andx.pac | 24 +++++++++------ .../protocol/smb/smb1-com-read-andx.pac | 5 ++-- .../protocol/smb/smb1-com-write-andx.pac | 5 ++-- src/analyzer/protocol/smb/smb1-protocol.pac | 3 +- src/analyzer/protocol/smb/smb2-com-close.pac | 3 ++ src/analyzer/protocol/smb/smb2-com-create.pac | 23 +++++++++------ src/analyzer/protocol/smb/smb2-com-read.pac | 5 ++-- src/analyzer/protocol/smb/smb2-com-write.pac | 5 ++-- src/analyzer/protocol/smb/smb2-protocol.pac | 7 +++-- .../scripts.base.protocols.smb.smb2/files.log | 6 ++-- 24 files changed, 126 insertions(+), 125 deletions(-) create mode 100644 src/analyzer/protocol/smb/consts.bif create mode 100644 src/analyzer/protocol/smb/events.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index a898ceb88c..b8ebb9677e 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2535,6 +2535,13 @@ export { ## The time when the file was last modified. changed : time &log; } &log; + + ## A set of file names used as named pipes over SMB. This + ## only comes into play as a heuristic to identify named + ## pipes when the drive mapping wasn't seen by Bro. + ## + ## .. bro:see::smb_pipe_connect_heuristic + const SMB::pipe_filenames: set[string] &redef; } module SMB1; diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index 5ec5ded2d8..c0e36624d2 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro @@ -160,7 +160,8 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) { # If there is not an endpoint, there isn't much reason to log. # This can happen if the request isn't seen. - if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$endpoint !in ignored_operations) || (c$dce_rpc?$endpoint && c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && @@ -195,7 +196,8 @@ event connection_state_remove(c: connection) } } - if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$endpoint !in ignored_operations) || (c$dce_rpc?$endpoint && c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro index 86c470024c..b74b75fb37 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.bro @@ -10,20 +10,18 @@ export { [0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."], } &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; }; - ## These are files names that are used for special - ## cases by the file system and would not be - ## considered "normal" files. - const pipe_names: set[string] = { - "\\netdfs", - "\\spoolss", - "\\NETLOGON", - "\\winreg", - "\\lsarpc", - "\\samr", - "\\srvsvc", + ## Heuristic detection of named pipes when the pipe + ## mapping isn't seen. This variable is defined in + ## init-bare.bro. + redef SMB::pipe_filenames = { + "spoolss", + "winreg", + "samr", "srvsvc", + "netdfs", + "lsarpc", + "wkssvc", "MsFteWds", - "\\wkssvc", }; ## The UUIDs used by the various RPC endpoints diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index 0399e92a9a..61a2548f6c 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -28,11 +28,6 @@ export { PRINT_WRITE, PRINT_OPEN, PRINT_CLOSE, - - UNKNOWN_READ, - UNKNOWN_WRITE, - UNKNOWN_OPEN, - UNKNOWN_CLOSE, }; ## The file actions which are logged. @@ -43,8 +38,6 @@ export { PRINT_OPEN, PRINT_CLOSE, - - UNKNOWN_OPEN, } &redef; ## The server response statuses which are *not* logged. @@ -225,7 +218,6 @@ function write_file_log(state: State) { local f = state$current_file; if ( f?$name && - f$name !in pipe_names && f$action in logged_file_actions ) { # Everything in this if statement is to avoid overlogging @@ -252,6 +244,12 @@ function write_file_log(state: State) } } +event smb_pipe_connect_heuristic(c: connection) &priority=5 + { + c$smb_state$current_tree$path = ""; + c$smb_state$current_tree$share_type = "PIPE"; + } + event file_state_remove(f: fa_file) &priority=-5 { if ( f$source != "SMB" ) diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index c1b8ead509..3e7f43cf45 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro @@ -108,11 +108,6 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1:: event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } } event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5 @@ -141,12 +136,6 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5 { Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree); - - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } } event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5 @@ -192,17 +181,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) c$smb_state$current_file$path = c$smb_state$current_tree$path; - # We don't even try to log reads and writes to the files log. - #write_file_log(c$smb_state); - } - -event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5 - { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + SMB::write_file_log(c$smb_state); } event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=5 @@ -281,11 +260,7 @@ event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header, request: event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + # No behavior yet. } event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count) diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 31b3abf0db..041813b99e 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -101,13 +101,9 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2:: event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse) &priority=5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + # No behavior yet. } - + event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5 { c$smb_state$current_tree$path = path; @@ -142,7 +138,6 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior c$smb_state$current_file$action = SMB::PRINT_OPEN; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_OPEN; c$smb_state$current_file$action = SMB::FILE_OPEN; break; } @@ -150,6 +145,8 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 { + SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; c$smb_state$current_file$size = file_size; @@ -188,13 +185,14 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o c$smb_state$current_file$action = SMB::PRINT_READ; break; default: - c$smb_state$current_file$action = SMB::FILE_OPEN; + c$smb_state$current_file$action = SMB::FILE_READ; break; } } event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { + SMB::write_file_log(c$smb_state); } event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5 @@ -213,7 +211,6 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, c$smb_state$current_file$action = SMB::PRINT_WRITE; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_WRITE; c$smb_state$current_file$action = SMB::FILE_WRITE; break; } @@ -221,6 +218,7 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { + SMB::write_file_log(c$smb_state); } event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5 @@ -254,7 +252,9 @@ event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, de if ( ! delete_pending ) { - print "huh..."; + # This is weird beause it would mean that someone didn't + # set the delete bit in a delete request. + return; } switch ( c$smb_state$current_tree$share_type ) @@ -289,7 +289,6 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) c$smb_state$current_file$action = SMB::PRINT_CLOSE; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE; c$smb_state$current_file$action = SMB::FILE_CLOSE; break; } diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 2ea745d51d..844eca4cd4 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -37,6 +37,9 @@ bro_plugin_bif( smb2_com_write.bif smb2_events.bif + events.bif + consts.bif + types.bif) bro_plugin_pac( smb.pac diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index da202f5269..d886421906 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -10,7 +10,8 @@ SMB_Analyzer::SMB_Analyzer(Connection *conn) : tcp::TCP_ApplicationAnalyzer("SMB", conn) { chunks=0; - interp=0; + interp = new binpac::SMB::SMB_Conn(this); + need_sync=true; } SMB_Analyzer::~SMB_Analyzer() @@ -54,24 +55,28 @@ bool SMB_Analyzer::HasSMBHeader(int len, const u_char* data) strncmp((const char*) data+4, "\xfeSMB", 4) == 0); } +void SMB_Analyzer::NeedResync() + { + interp->upflow()->flow_buffer()->DiscardData(); + interp->downflow()->flow_buffer()->DiscardData(); + need_sync=true; + } + void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); - // Either instantiate an interpreter or bail. - if ( ! interp ) - { - if ( HasSMBHeader(len, data) ) - interp = new binpac::SMB::SMB_Conn(this); - else - return; - } + // It we need to resync and we don't have an SMB header, bail! + if ( need_sync && ! HasSMBHeader(len, data) ) + return; + else + need_sync=false; try { - // If we get here, it means we have an interpreter. + // If we get here, it means we have an SMB header in the message. interp->NewData(orig, data, data + len); // Let's assume that if there are no binpac exceptions after diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index 2edeecf506..ea9ec2e6a5 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -17,10 +17,7 @@ public: void EndpointEOF(bool is_orig) override; bool HasSMBHeader(int len, const u_char* data); - void NeedResync() { - delete interp; - interp = 0; - } + void NeedResync(); static analyzer::Analyzer* Instantiate(Connection* conn) { return new SMB_Analyzer(conn); } @@ -31,6 +28,8 @@ protected: // Count the number of chunks received by the analyzer // but only used to count the first few. uint8 chunks; + + bool need_sync; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/smb/consts.bif b/src/analyzer/protocol/smb/consts.bif new file mode 100644 index 0000000000..321875b43d --- /dev/null +++ b/src/analyzer/protocol/smb/consts.bif @@ -0,0 +1 @@ +const SMB::pipe_filenames: string_set; \ No newline at end of file diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif new file mode 100644 index 0000000000..0ecf6e91c7 --- /dev/null +++ b/src/analyzer/protocol/smb/events.bif @@ -0,0 +1,10 @@ +## Generated for :abbr:`SMB (Server Message Block)` connections when a +## named pipe has been detected heuristically. The case when this comes +## up is when the drive mapping isn't seen so the analyzer is not able +## to determine whether to send the data to the files framework or to +## the DCE_RPC analyzer. This heuristic can be tuned by adding or +## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames` +## const. +## +## c: The connection. +event smb_pipe_connect_heuristic%(c: connection%); diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 5c32f1f17c..bcc910e19a 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -5,7 +5,7 @@ refine connection SMB_Conn += { %member{ map tree_is_pipe_map; - map fid_to_analyzer_map;; + map fid_to_analyzer_map; %} %cleanup{ @@ -20,13 +20,9 @@ refine connection SMB_Conn += { } %} - function get_tree_is_pipe(tree_id: uint16): bool %{ - if ( tree_is_pipe_map.count(tree_id) > 0 ) - return tree_is_pipe_map.at(tree_id); - else - return false; + return ( tree_is_pipe_map.count(tree_id) > 0 ); %} function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index e0dffd2484..cdb0f04236 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -9,6 +9,8 @@ #include "smb2_events.bif.h" #include "types.bif.h" +#include "events.bif.h" +#include "consts.bif.h" #include "smb1_com_check_directory.bif.h" #include "smb1_com_close.bif.h" diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac index 4aa6c5c3a0..092f8f4020 100644 --- a/src/analyzer/protocol/smb/smb1-com-close.pac +++ b/src/analyzer/protocol/smb/smb1-com-close.pac @@ -8,14 +8,8 @@ refine connection SMB_Conn += { BuildHeaderVal(h), ${val.file_id}); - // This is commented out for the moment because it caused problems - // with extraction because the file kept having the same name due - // to repeatedly having the same file uid. This results in files - // effectively falling of SMB solely by expiration instead of - // manually being closed. - - //file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), h->is_orig()); + file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index 36a583696e..d71086a44b 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -1,13 +1,27 @@ refine connection SMB_Conn += { function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool %{ + StringVal *filename = smb_string2stringval(${val.filename}); + if ( ! ${header.is_pipe} && + BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) + { + set_tree_is_pipe(${header.tid}, true); + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); + } + if ( smb1_nt_create_andx_request ) { BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), - smb_string2stringval(${val.filename})); + filename); } + else + { + delete filename; + } + return true; %} @@ -26,14 +40,6 @@ refine connection SMB_Conn += { ${val.last_change_time})); } - if ( ${val.end_of_file} > 0 ) - { - //file_mgr->SetSize(${val.end_of_file}, - // bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), - // header->is_orig()); - } - return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index 89e367206d..712ad8948b 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -28,7 +28,7 @@ refine connection SMB_Conn += { BuildHeaderVal(h), ${val.data_len}); - if ( ! ${val.is_pipe} && ${val.data_len} > 0 ) + if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { uint64 offset = read_offsets[${h.mid}]; read_offsets.erase(${h.mid}); @@ -93,8 +93,7 @@ type SMB1_read_andx_response(header: SMB_Header, offset: uint16) = record { andx_command : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command); } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(header.is_pipe); padding_len : uint8 = (header.unicode == 1) ? 1 : 0; data_len : uint32 = (data_len_high << 16) + data_len_low; diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac index 79d36c52b5..8b4eed7056 100644 --- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac @@ -10,7 +10,7 @@ refine connection SMB_Conn += { ${val.write_offset}, ${val.data_len}); - if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) + if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), ${val.write_offset}, @@ -58,8 +58,7 @@ type SMB1_write_andx_request(header: SMB_Header, offset: uint16) = record { andx_command : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command); } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(header.is_pipe); data_len : uint32 = (data_len_high << 16) + data_len_low; offset_high : uint32 = (word_count == 0x0E) ? offset_high_tmp : 0; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index b7ad6af140..985e67c068 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -298,7 +298,8 @@ type SMB_Header(is_orig: bool) = record { err_status_type = (flags2 >> 14) & 1; unicode = (flags2 >> 15) & 1; pid = (pid_high * 0x10000) + pid_low; - proc : bool = $context.connection.proc_smb_message(this, is_orig); + is_pipe: bool = $context.connection.get_tree_is_pipe(tid); + proc : bool = $context.connection.proc_smb_message(this, is_orig); } &byteorder=littleendian; # TODO: compute this as diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index bb3b1bab49..0c90897d84 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac @@ -10,6 +10,9 @@ refine connection SMB_Conn += { BuildSMB2GUID(${val.file_id})); } + file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); + return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 0072e75adf..5e35d8e975 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -2,12 +2,25 @@ refine connection SMB_Conn += { function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool %{ + StringVal *filename = smb2_string2stringval(${val.filename}); + if ( ! ${h.is_pipe} && + BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) + { + set_tree_is_pipe(${h.tree_id}, true); + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); + } + if ( smb2_create_request ) { BifEvent::generate_smb2_create_request(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - smb2_string2stringval(${val.filename})); + filename); + } + else + { + delete filename; } return true; @@ -29,14 +42,6 @@ refine connection SMB_Conn += { smb2_file_attrs_to_bro(${val.file_attrs})); } - if ( ${val.eof} > 0 ) - { - //file_mgr->SetSize(${val.eof}, - // bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), - // h->is_orig()); - } - return true; %} }; diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 1fa409a5f0..cf5d2ae065 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -42,7 +42,7 @@ refine connection SMB_Conn += { uint64 offset = smb2_read_offsets[${h.message_id}]; smb2_read_offsets.erase(${h.message_id}); - if ( ! ${val.is_pipe} && ${val.data_len} > 0 ) + if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, bro_analyzer()->GetAnalyzerTag(), @@ -83,9 +83,8 @@ type SMB2_read_response(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tree_id); fid : uint64 = $context.connection.get_file_id(header.message_id); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe); proc: bool = $context.connection.proc_smb2_read_response(header, this); }; diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index f463afc767..177a3a84bd 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -12,7 +12,7 @@ refine connection SMB_Conn += { ${val.data_len}); } - if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) + if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset}, bro_analyzer()->GetAnalyzerTag(), @@ -44,8 +44,7 @@ type SMB2_write_request(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(header.is_pipe); proc : bool = $context.connection.proc_smb2_write_request(header, this); }; diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 523ab3b890..dd31559126 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -35,10 +35,10 @@ type SMB2_PDU(is_orig: bool) = record { # Status 0 indicates success. In the case of a # request this should just happen to work out due to # how the fields are set. - 0 -> msg : SMB2_Message(header, is_orig); - STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig); + 0 -> msg : SMB2_Message(header, is_orig); + STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig); STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig); - default -> err : SMB2_error_response(header); + default -> err : SMB2_error_response(header); }; }; @@ -199,6 +199,7 @@ type SMB2_Header(is_orig: bool) = record { related = (flags >> 26) & 1; msigned = (flags >> 27) & 1; dfs = (flags) & 1; + is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id); proc : bool = $context.connection.proc_smb2_message(this, is_orig); } &byteorder=littleendian; diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log index 66e632e0cb..9dc925e4dc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-08-16-23-02-30 +#open 2016-10-27-17-16-27 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 T - - - - - -#close 2016-08-16-23-02-30 +1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - +#close 2016-10-27-17-16-27 From dc74fab2d58beaf1e401274043f9320eb9fb65ce Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 31 Oct 2016 20:43:50 -0500 Subject: [PATCH 072/288] Add a new site policy script local-logger.bro Addresses BIT-1700 --- scripts/CMakeLists.txt | 4 ++++ scripts/site/local-logger.bro | 1 + 2 files changed, 5 insertions(+) create mode 100644 scripts/site/local-logger.bro diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 6d6faf7b4a..fb20ba6fdb 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -18,6 +18,10 @@ InstallPackageConfigFile( ${CMAKE_CURRENT_SOURCE_DIR}/site/local-manager.bro ${BRO_SCRIPT_INSTALL_PATH}/site local-manager.bro) +InstallPackageConfigFile( + ${CMAKE_CURRENT_SOURCE_DIR}/site/local-logger.bro + ${BRO_SCRIPT_INSTALL_PATH}/site + local-logger.bro) InstallPackageConfigFile( ${CMAKE_CURRENT_SOURCE_DIR}/site/local-proxy.bro ${BRO_SCRIPT_INSTALL_PATH}/site diff --git a/scripts/site/local-logger.bro b/scripts/site/local-logger.bro new file mode 100644 index 0000000000..0642e86ce3 --- /dev/null +++ b/scripts/site/local-logger.bro @@ -0,0 +1 @@ +##! Local site policy loaded only by the logger if Bro is running as a cluster. From 19a4376a9afde816af899a9f0d6854a6d7365c82 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Nov 2016 03:13:04 -0400 Subject: [PATCH 073/288] Fix a small issue where DCE_RPC commands were improperly being logged. --- scripts/base/protocols/dce-rpc/main.bro | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index c0e36624d2..b6de70cb78 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro @@ -160,12 +160,12 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) { # If there is not an endpoint, there isn't much reason to log. # This can happen if the request isn't seen. - if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && - c$dce_rpc$endpoint !in ignored_operations) - || - (c$dce_rpc?$endpoint && c$dce_rpc?$operation && - c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && - "*" !in ignored_operations[c$dce_rpc$endpoint]) ) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation) && + ( c$dce_rpc$endpoint !in ignored_operations + || + ( c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && + "*" !in ignored_operations[c$dce_rpc$endpoint]) ) ) { Log::write(LOG, c$dce_rpc); } @@ -196,12 +196,12 @@ event connection_state_remove(c: connection) } } - if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && - c$dce_rpc$endpoint !in ignored_operations) - || - (c$dce_rpc?$endpoint && c$dce_rpc?$operation && - c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && - "*" !in ignored_operations[c$dce_rpc$endpoint]) ) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation) && + ( c$dce_rpc$endpoint !in ignored_operations + || + ( c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && + "*" !in ignored_operations[c$dce_rpc$endpoint]) ) ) { Log::write(LOG, c$dce_rpc); } From bb5c2c94ec8adb60e8157cbd73cae4bc33f0f6b7 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Nov 2016 03:14:15 -0400 Subject: [PATCH 074/288] Fix SMB tree connect handling. It was misidentifying share mappings as FILE shares sometimes when they were actually PIPE shares. --- src/analyzer/protocol/smb/smb-pipe.pac | 4 ++-- src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac | 2 +- src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac | 6 +++++- src/analyzer/protocol/smb/smb2-com-create.pac | 2 +- src/analyzer/protocol/smb/smb2-com-tree-connect.pac | 3 ++- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index bcc910e19a..1183618b8a 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -25,9 +25,9 @@ refine connection SMB_Conn += { return ( tree_is_pipe_map.count(tree_id) > 0 ); %} - function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool + function set_tree_is_pipe(tree_id: uint16): bool %{ - tree_is_pipe_map[tree_id] = is_pipe; + tree_is_pipe_map[tree_id] = true; return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index d71086a44b..0cdae1cefb 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -5,7 +5,7 @@ refine connection SMB_Conn += { if ( ! ${header.is_pipe} && BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { - set_tree_is_pipe(${header.tid}, true); + set_tree_is_pipe(${header.tid}); BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), bro_analyzer()->Conn()); } diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 756a28bc96..0b8802b2fb 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac @@ -13,7 +13,11 @@ refine connection SMB_Conn += { function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool %{ - set_tree_is_pipe(${header.tid}, strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), "IPC", 3) == 0); + if ( strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), + "IPC", 3) == 0 ) + { + set_tree_is_pipe(${header.tid}); + } if ( smb1_tree_connect_andx_response ) { diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 5e35d8e975..174c201f27 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -6,7 +6,7 @@ refine connection SMB_Conn += { if ( ! ${h.is_pipe} && BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { - set_tree_is_pipe(${h.tree_id}, true); + set_tree_is_pipe(${h.tree_id}); BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), bro_analyzer()->Conn()); } diff --git a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac index 1c8b4d5978..fe59ecb74d 100644 --- a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac +++ b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac @@ -13,7 +13,8 @@ refine connection SMB_Conn += { function proc_smb2_tree_connect_response(header: SMB2_Header, val: SMB2_tree_connect_response): bool %{ - set_tree_is_pipe(${header.tree_id}, ${val.share_type} == SMB2_SHARE_TYPE_PIPE); + if ( ${val.share_type} == SMB2_SHARE_TYPE_PIPE ) + set_tree_is_pipe(${header.tree_id}); if ( smb2_tree_connect_response ) { From 681efc2b8debb84e338b4298919f0f58578c43c7 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 31 Oct 2016 14:34:44 -0700 Subject: [PATCH 075/288] Version parsing scripts now supports several beta versions. Versions such as 2.5-beta2 now don't throw an error. --- scripts/base/misc/version.bro | 2 +- testing/btest/Baseline/scripts.base.misc.version/.stdout | 1 + testing/btest/scripts/base/misc/version.bro | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.bro index 4fe37d200c..259b7b1127 100644 --- a/scripts/base/misc/version.bro +++ b/scripts/base/misc/version.bro @@ -49,7 +49,7 @@ export { function parse(version_string: string): VersionDescription { - if ( /[[:digit:]]\.[[:digit:]][[:digit:]]?(\.[[:digit:]][[:digit:]]?)?(\-beta)?(-[[:digit:]]+)?(\-debug)?/ != version_string ) + if ( /[[:digit:]]\.[[:digit:]][[:digit:]]?(\.[[:digit:]][[:digit:]]?)?(\-beta[[:digit:]]?)?(-[[:digit:]]+)?(\-debug)?/ != version_string ) { Reporter::error(fmt("Version string %s cannot be parsed", version_string)); return VersionDescription($version_number=0, $major=0, $minor=0, $patch=0, $commit=0, $beta=F, $debug=F, $version_string=version_string); diff --git a/testing/btest/Baseline/scripts.base.misc.version/.stdout b/testing/btest/Baseline/scripts.base.misc.version/.stdout index 5b207674f3..359bde8473 100644 --- a/testing/btest/Baseline/scripts.base.misc.version/.stdout +++ b/testing/btest/Baseline/scripts.base.misc.version/.stdout @@ -5,6 +5,7 @@ [version_number=20500, major=2, minor=5, patch=0, commit=12, beta=T, debug=F, version_string=2.5-beta-12] [version_number=20500, major=2, minor=5, patch=0, commit=0, beta=F, debug=T, version_string=2.5-12-debug] [version_number=20502, major=2, minor=5, patch=2, commit=12, beta=T, debug=T, version_string=2.5.2-beta-12-debug] +[version_number=20502, major=2, minor=5, patch=2, commit=12, beta=T, debug=T, version_string=2.5.2-beta5-12-debug] [version_number=11220, major=1, minor=12, patch=20, commit=2562, beta=T, debug=T, version_string=1.12.20-beta-2562-debug] [version_number=0, major=0, minor=0, patch=0, commit=0, beta=F, debug=F, version_string=1] [version_number=0, major=0, minor=0, patch=0, commit=0, beta=F, debug=F, version_string=12.5] diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.bro index bb7879509d..cd19f0ee30 100644 --- a/testing/btest/scripts/base/misc/version.bro +++ b/testing/btest/scripts/base/misc/version.bro @@ -10,6 +10,7 @@ print Version::parse("2.5.1-debug"); print Version::parse("2.5-beta-12"); print Version::parse("2.5-12-debug"); print Version::parse("2.5.2-beta-12-debug"); +print Version::parse("2.5.2-beta5-12-debug"); print Version::parse("1.12.20-beta-2562-debug"); # bad versions From 5832b872c2f387f564833634df41ef614fd1298d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Nov 2016 15:56:15 -0400 Subject: [PATCH 076/288] Removed some files that aren't being used. - I went ahead and finished implementing smb2 tree_disconnect. This made it possible to address an edge case when packet loss occurs. - Fixes BIT-1721 --- scripts/policy/protocols/smb/smb2-main.bro | 10 +++ src/analyzer/protocol/smb/CMakeLists.txt | 4 +- src/analyzer/protocol/smb/smb-pipe.pac | 6 ++ src/analyzer/protocol/smb/smb.pac | 4 +- .../protocol/smb/smb1-com-open-andx.pac | 85 ------------------- src/analyzer/protocol/smb/smb1-protocol.pac | 4 +- .../protocol/smb/smb1_com_open_andx.bif | 41 --------- src/analyzer/protocol/smb/smb2-com-lock.pac | 2 +- .../protocol/smb/smb2-com-tree-disconnect.pac | 36 ++++++++ src/analyzer/protocol/smb/smb2_com_ioctl.bif | 1 - src/analyzer/protocol/smb/smb2_com_lock.bif | 1 - .../protocol/smb/smb2_com_tree_disconnect.bif | 23 ++++- 12 files changed, 79 insertions(+), 138 deletions(-) delete mode 100644 src/analyzer/protocol/smb/smb1-com-open-andx.pac delete mode 100644 src/analyzer/protocol/smb/smb1_com_open_andx.bif delete mode 100644 src/analyzer/protocol/smb/smb2_com_ioctl.bif delete mode 100644 src/analyzer/protocol/smb/smb2_com_lock.bif diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 041813b99e..726851dee4 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -119,6 +119,16 @@ event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree); } +event smb2_tree_disconnect_request(c: connection, hdr: SMB2::Header) &priority=5 + { + if ( hdr$tree_id in c$smb_state$tid_map ) + { + delete c$smb_state$tid_map[hdr$tree_id]; + delete c$smb_state$current_tree; + delete c$smb_state$current_cmd$referenced_tree; + } + } + event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5 { if ( name == "") diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 844eca4cd4..bf44501b96 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -26,14 +26,12 @@ bro_plugin_bif( smb2_com_close.bif smb2_com_create.bif - #smb2_com_ioctl.bif - #smb2_com_lock.bif smb2_com_negotiate.bif smb2_com_read.bif smb2_com_session_setup.bif smb2_com_set_info.bif smb2_com_tree_connect.bif - #smb2_com_tree_disconnect.bif + smb2_com_tree_disconnect.bif smb2_com_write.bif smb2_events.bif diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 1183618b8a..2407c63dd3 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -25,6 +25,12 @@ refine connection SMB_Conn += { return ( tree_is_pipe_map.count(tree_id) > 0 ); %} + function unset_tree_is_pipe(tree_id: uint16): bool + %{ + tree_is_pipe_map.erase(tree_id); + return true; + %} + function set_tree_is_pipe(tree_id: uint16): bool %{ tree_is_pipe_map[tree_id] = true; diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index cdb0f04236..156037f614 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -31,14 +31,12 @@ #include "smb2_com_close.bif.h" #include "smb2_com_create.bif.h" -//#include "smb2_com_ioctl.bif.h" -//#include "smb2_com_lock.bif.h" #include "smb2_com_negotiate.bif.h" #include "smb2_com_read.bif.h" #include "smb2_com_session_setup.bif.h" #include "smb2_com_set_info.bif.h" #include "smb2_com_tree_connect.bif.h" -//#include "smb2_com_tree_disconnect.bif.h" +#include "smb2_com_tree_disconnect.bif.h" #include "smb2_com_write.bif.h" %} diff --git a/src/analyzer/protocol/smb/smb1-com-open-andx.pac b/src/analyzer/protocol/smb/smb1-com-open-andx.pac deleted file mode 100644 index c7e7bea03a..0000000000 --- a/src/analyzer/protocol/smb/smb1-com-open-andx.pac +++ /dev/null @@ -1,85 +0,0 @@ -refine connection SMB_Conn += { - - function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool - %{ - if ( smb1_open_andx_request ) - BifEvent::generate_smb1_open_andx_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(h), - ${val.flags}, - ${val.access_mode}, - ${val.search_attrs}, - ${val.file_attrs}, - ${val.creation_time}, - ${val.open_mode}, - ${val.allocation_size}, - ${val.timeout}, - smb_string2stringval(${val.filename})); - - return true; - %} - - function proc_smb1_open_andx_response(h: SMB_Header, val: SMB1_open_andx_response): bool - %{ - if ( smb1_open_andx_response ) - BifEvent::generate_smb1_open_andx_response(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(h), - ${val.fid}, - ${val.file_attrs}, - ${val.last_write_time}, - ${val.file_data_size}, - ${val.access_rights}, - ${val.resource_type}, - ${val.nm_pipe_status}, - ${val.open_results}); - - return true; - %} - -}; - - - -type SMB1_open_andx_request(header: SMB_Header, offset: uint16) = record { - word_count : uint8; - andx : SMB_andx; - flags : uint16; - access_mode : uint16; - search_attrs : uint16; - file_attrs : uint16; - creation_time : uint32; - open_mode : uint16; - allocation_size : uint32; - timeout : uint32; - reserved : padding[4]; - byte_count : uint16; - filename : SMB_string(header.unicode, offsetof(filename); - - extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters))); - - andx_command : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command); -} &let { - proc : bool = $context.connection.proc_smb1_open_andx_request(header, this); -} &byteorder=littleendian; - -type SMB1_open_andx_response(header: SMB_Header, offset: uint16) = record { - word_count : uint8; - andx : SMB_andx; - fid : uint16; - file_attrs : uint16; - last_write_time : uint32; - file_data_size : uint32; - access_rights : uint16; - resource_type : uint16; - nm_pipe_status : uint16; - open_results : uint16; - reserved : padding[6]; - byte_count : uint16; - - extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters))); - - andx_command : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command); -} &let { - proc : bool = $context.connection.proc_smb1_open_andx_response(header, this); -} &byteorder=littleendian; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 985e67c068..4b38feefcb 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -127,7 +127,7 @@ type SMB_andx_command(header: SMB_Header, is_orig: bool, offset: uint16, command type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_orig: bool) = case command of { # SMB1 Command Extensions - #SMB_COM_OPEN_ANDX -> open_andx : SMB_open_andx_request(header); + #SMB_COM_OPEN_ANDX -> open_andx : SMB1_open_andx_request(header); SMB_COM_READ_ANDX -> read_andx : SMB1_read_andx_request(header, offset); SMB_COM_WRITE_ANDX -> write_andx : SMB1_write_andx_request(header, offset); SMB_COM_TRANSACTION2 -> transaction2 : SMB1_transaction2_request(header); @@ -205,7 +205,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ type SMB_Message_Response(header: SMB_Header, offset: uint16, command: uint8, is_orig: bool) = case command of { # SMB1 Command Extensions - #SMB_COM_OPEN_ANDX -> open_andx : SMB_open_andx_response(header, offset); + #SMB_COM_OPEN_ANDX -> open_andx : SMB1_open_andx_response(header, offset); SMB_COM_READ_ANDX -> read_andx : SMB1_read_andx_response(header, offset); SMB_COM_WRITE_ANDX -> write_andx : SMB1_write_andx_response(header, offset); SMB_COM_TRANSACTION2 -> transaction2 : SMB1_transaction2_response(header); diff --git a/src/analyzer/protocol/smb/smb1_com_open_andx.bif b/src/analyzer/protocol/smb/smb1_com_open_andx.bif deleted file mode 100644 index 1ce418e33a..0000000000 --- a/src/analyzer/protocol/smb/smb1_com_open_andx.bif +++ /dev/null @@ -1,41 +0,0 @@ -## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` -## version 1 requests of type *open andx*. This is sent by the client to create and open a new -## file or open an existing regular file and chain additional messages along with the request. -## -## For more information, see MS-CIFS:2.2.4.41 -## -## c: The connection. -## -## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. -## -## flags: Flags requesting attribute data and locking. -## -## access_mode: The requested access mode. -## -## search_attrs: The set of attributes that the file MUST have in order to be found. -## -## file_attrs: The set of attributes that the file is to have if the file needs to be created. -## -## creation_time: The time of creation if the file is created. -## -## open_mode: The way a file s -## -## length: The number of bytes being requested. -## -## .. bro:see:: smb1_message smb1_open_andx_response -event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%); - -## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` -## version 1 responses of type *open andx*. This is the server response to the *open andx* request. -## -## For more information, see MS-CIFS:2.2.4.41 -## -## c: The connection. -## -## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. -## -## data_len: The length of data from the requested file. -## -## .. bro:see:: smb1_message smb1_open_andx_request -event smb1_open_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%); - diff --git a/src/analyzer/protocol/smb/smb2-com-lock.pac b/src/analyzer/protocol/smb/smb2-com-lock.pac index d6b1f5c2c8..3efd5f4e55 100644 --- a/src/analyzer/protocol/smb/smb2-com-lock.pac +++ b/src/analyzer/protocol/smb/smb2-com-lock.pac @@ -1,5 +1,5 @@ refine connection SMB_Conn += { - + # Needs to be implemented. }; type SMB2_lock = record { diff --git a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac index 4413b56952..cba7b0deb3 100644 --- a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac +++ b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac @@ -1,9 +1,45 @@ + +refine connection SMB_Conn += { + + function proc_smb2_tree_disconnect_request(header: SMB2_Header): bool + %{ + unset_tree_is_pipe(${header.tree_id}); + + if ( smb2_tree_disconnect_request ) + { + BifEvent::generate_smb2_tree_disconnect_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(header)); + } + + return true; + %} + + function proc_smb2_tree_disconnect_response(header: SMB2_Header): bool + %{ + if ( smb2_tree_disconnect_response ) + { + BifEvent::generate_smb2_tree_disconnect_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(header)); + } + + return true; + %} + +}; + type SMB2_tree_disconnect_request(header: SMB2_Header) = record { structure_size : uint16; reserved : uint16; +} &let { + proc: bool = $context.connection.proc_smb2_tree_disconnect_request(header); + }; type SMB2_tree_disconnect_response(header: SMB2_Header) = record { structure_size : uint16; reserved : uint16; +} &let { + proc: bool = $context.connection.proc_smb2_tree_disconnect_response(header); }; diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif deleted file mode 100644 index 996cee9ad8..0000000000 --- a/src/analyzer/protocol/smb/smb2_com_ioctl.bif +++ /dev/null @@ -1 +0,0 @@ -# Empty. diff --git a/src/analyzer/protocol/smb/smb2_com_lock.bif b/src/analyzer/protocol/smb/smb2_com_lock.bif deleted file mode 100644 index b22403cef0..0000000000 --- a/src/analyzer/protocol/smb/smb2_com_lock.bif +++ /dev/null @@ -1 +0,0 @@ -# Empty. \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif index 996cee9ad8..fdcd5d9d8b 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif @@ -1 +1,22 @@ -# Empty. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *tree disconnect*. This is sent by the client to logically disconnect +## client access to a server resource. +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## .. bro:see:: smb2_message +event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%); + + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *tree disconnect*. This is sent by the server to logically disconnect +## client access to a server resource. +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## .. bro:see:: smb2_message +event smb2_tree_disconnect_response%(c: connection, hdr: SMB2::Header%); From 5e63584b4850d1ff68a9beaf967401a84ba1a8dc Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Nov 2016 16:03:36 -0400 Subject: [PATCH 077/288] Disable SMB2 error data parsing. It is not implemented correctly and is causing a lot of parse errors. --- src/analyzer/protocol/smb/smb2-protocol.pac | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index dd31559126..1cad6e130e 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -243,7 +243,9 @@ type SMB2_error_response(header: SMB2_Header) = record { structure_size : uint16; reserved : padding[2]; byte_count : uint32; - error_data : SMB2_error_data(header, byte_count); + # This is implemented incorrectly and is disabled for now. + #error_data : SMB2_error_data(header, byte_count); + stuff : bytestring &restofdata &transient; } &byteorder = littleendian; type SMB2_logoff_request(header: SMB2_Header) = record { From 24b7566b1fc0eb783ad03d0c39644624cfa6e0eb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 1 Nov 2016 15:30:12 -0700 Subject: [PATCH 078/288] Update submodule [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index a895d4d6d4..40451868c4 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit a895d4d6d475326f400e4664e08c8f71280d3294 +Subproject commit 40451868c4eaf74a76fbfb2d8e5edf6171f272ca From 15f5deed878032d9a8ea1b7f7dafc951f780144d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 2 Nov 2016 11:51:38 -0400 Subject: [PATCH 079/288] Add a files framework signature for VIM tmp files. --- scripts/base/frameworks/files/magic/general.sig | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index 1703790037..d4470fc780 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -310,4 +310,9 @@ signature file-elf-sharedlib { signature file-elf-coredump { file-mime "application/x-coredump", 50 file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/ +} + +signature file-vim-tmp { + file-mime "application/x-vim-tmp", 100 + file-magic /^b0VIM/ } \ No newline at end of file From 8c3a3b45f3e26f28135b077272106a30337227fa Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 2 Nov 2016 12:13:11 -0700 Subject: [PATCH 080/288] Update VERSION and submodules. --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/netcontrol-connectors | 2 +- aux/plugins | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/aux/binpac b/aux/binpac index 3f7b38c293..0965c0453a 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 3f7b38c293e94143a757590918aac82281e46500 +Subproject commit 0965c0453aacec5b44d1a99016748998671cc1c2 diff --git a/aux/bro-aux b/aux/bro-aux index a9c2717232..93b7a8712f 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit a9c2717232764808ca6029f8e727812b58424839 +Subproject commit 93b7a8712f2d7f3a4b53f0009a461b6377222c7e diff --git a/aux/broccoli b/aux/broccoli index 3f036d36d1..765eab50f7 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 3f036d36d1e4a42dd672f8a03caf81e38f318f2d +Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 diff --git a/aux/broctl b/aux/broctl index dbe680a9d5..c6720dc1ab 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit dbe680a9d5cb1448a2e72365718b359f5d12cd17 +Subproject commit c6720dc1ab66b9e0630a337a5b562bb0eb30f2be diff --git a/aux/broker b/aux/broker index 35d292cbae..68a36ed814 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 35d292cbaef2fafdaede5975d097c27d810382ab +Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da diff --git a/aux/btest b/aux/btest index 16aeb4cc20..9386124933 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 16aeb4cc2055fc482447dd6ff0991f5a2940523c +Subproject commit 938612493358a42b48a4a61b9ab67f2342159936 diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors index c60d24c7b7..9f3d6fce49 160000 --- a/aux/netcontrol-connectors +++ b/aux/netcontrol-connectors @@ -1 +1 @@ -Subproject commit c60d24c7b7cc95367da3ac8381db3463a6fbd147 +Subproject commit 9f3d6fce49cad3b45b5ddd0fe1f3c79186e1d2e7 diff --git a/aux/plugins b/aux/plugins index 40451868c4..9e9ddaec5d 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 40451868c4eaf74a76fbfb2d8e5edf6171f272ca +Subproject commit 9e9ddaec5db1c80d7f5b637d38515ca82b7eb737 From ba5abf8dbebd68d57b4785f3c25b48390054d118 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 2 Nov 2016 12:13:48 -0700 Subject: [PATCH 081/288] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 2f62ddce5d..1ba19516ee 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-beta2 | 2016-11-02 12:13:11 -0700 + + * Release 2.5-beta2. + 2.5-beta-135 | 2016-11-02 09:47:20 -0700 * SMB fixes and cleanup. Includes better SMB error handling, improved DCE_RPC diff --git a/VERSION b/VERSION index df178c76ba..28bd3a20c8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-beta-135 +2.5-beta2 From 3057d2b8fbc68c8758fe5e21d74223520b67eb9a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 8 Nov 2016 15:25:28 -0600 Subject: [PATCH 082/288] Fix various typos in the NetControl docs Also fixed warnings that were seen while building the docs with "make doc". --- doc/frameworks/netcontrol.rst | 48 +++++------ .../netcontrol/catch-and-release.bro | 42 +++++----- .../base/frameworks/netcontrol/cluster.bro | 6 +- scripts/base/frameworks/netcontrol/drop.bro | 16 ++-- scripts/base/frameworks/netcontrol/main.bro | 84 +++++++++---------- scripts/base/frameworks/netcontrol/plugin.bro | 10 +-- .../base/frameworks/netcontrol/plugins/README | 2 +- .../frameworks/netcontrol/plugins/acld.bro | 30 +++---- .../frameworks/netcontrol/plugins/broker.bro | 22 ++--- .../netcontrol/plugins/openflow.bro | 26 +++--- scripts/base/frameworks/netcontrol/shunt.bro | 10 +-- scripts/base/frameworks/netcontrol/types.bro | 27 +++--- 12 files changed, 159 insertions(+), 164 deletions(-) diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst index 5dcd4eda15..aeea6a70ec 100644 --- a/doc/frameworks/netcontrol.rst +++ b/doc/frameworks/netcontrol.rst @@ -31,12 +31,12 @@ NetControl Architecture NetControl architecture (click to enlarge). The basic architecture of the NetControl framework is shown in the figure above. -Conceptually, the NetControl framework sits inbetween the user provided scripts +Conceptually, the NetControl framework sits between the user provided scripts (which use the Bro event engine) and the network device (which can either be a hardware or software device), that is used to implement the commands. The NetControl framework supports a number of high-level calls, like the -:bro:see:`NetControl::drop_address` function, or lower a lower level rule +:bro:see:`NetControl::drop_address` function, or a lower level rule syntax. After a rule has been added to the NetControl framework, NetControl sends the rule to one or several of its *backends*. Each backend is responsible to communicate with a single hard- or software device. The NetControl framework @@ -90,16 +90,12 @@ high-level functions. * - :bro:see:`NetControl::drop_address` - Calling this function causes NetControl to block all packets involving - an IP address from being forwarded + an IP address from being forwarded. * - :bro:see:`NetControl::drop_connection` - Calling this function stops all packets of a specific connection (identified by its 5-tuple) from being forwarded. - * - :bro:see:`NetControl::drop_address` - - Calling this function causes NetControl to block all packets involving - an IP address from being forwarded - * - :bro:see:`NetControl::drop_address_catch_release` - Calling this function causes all packets of a specific source IP to be blocked. This function uses catch-and-release functionality and the IP @@ -114,7 +110,7 @@ high-level functions. resources by shunting flows that have been identified as being benign. * - :bro:see:`NetControl::redirect_flow` - - Calling this function causes NetControl to redirect an uni-directional + - Calling this function causes NetControl to redirect a uni-directional flow to another port of the networking hardware. * - :bro:see:`NetControl::quarantine_host` @@ -122,7 +118,7 @@ high-level functions. traffic to a host with a special DNS server, which resolves all queries as pointing to itself. The quarantined host is only allowed between the special server, which will serve a warning message detailing the next - steps for the user + steps for the user. * - :bro:see:`NetControl::whitelist_address` - Calling this function causes NetControl to push a whitelist entry for an @@ -154,7 +150,7 @@ entries, which show that the debug plugin has been initialized and added. Afterwards, there are two :bro:see:`NetControl::RULE` entries; the first shows that the addition of a rule has been requested (state is :bro:see:`NetControl::REQUESTED`). The following line shows that the rule was -successfully added (the state is :bro:see:`NetControl::SUCCEEDED`). The +successfully added (the state is :bro:see:`NetControl::SUCCEEDED`). The remainder of the log line gives more information about the added rule, which in our case applies to a specific 5-tuple. @@ -227,14 +223,14 @@ The *target* of a rule specifies if the rule is applied in the *forward path*, and affects packets as they are forwarded through the network, or if it affects the *monitor path* and only affects the packets that are sent to Bro, but not the packets that traverse the network. The *entity* specifies the address, -connection, etc. that the rule applies to. In addition, each notice has a +connection, etc. that the rule applies to. In addition, each rule has a *timeout* (which can be left empty), a *priority* (with higher priority rules overriding lower priority rules). Furthermore, a *location* string with more text information about each rule can be provided. -There are a couple more fields that only needed for some rule types. For +There are a couple more fields that are only needed for some rule types. For example, when you insert a redirect rule, you have to specify the port that -packets should be redirected too. All these fields are shown in the +packets should be redirected to. All these fields are shown in the :bro:see:`NetControl::Rule` documentation. To give an example on how to construct your own rule, we are going to write @@ -243,7 +239,7 @@ difference between our function and the one provided by NetControl is the fact that the NetControl function has additional functionality, e.g. for logging. Once again, we are going to test our function with a simple example that simply -drops all connections on the Network: +drops all connections on the network: .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro @@ -254,7 +250,7 @@ drops all connections on the Network: The last example shows that :bro:see:`NetControl::add_rule` returns a string identifier that is unique for each rule (uniqueness is not preserved across -restarts or Bro). This rule id can be used to later remove rules manually using +restarts of Bro). This rule id can be used to later remove rules manually using :bro:see:`NetControl::remove_rule`. Similar to :bro:see:`NetControl::add_rule`, all the high-level functions also @@ -264,7 +260,7 @@ Interacting with Rules ---------------------- The NetControl framework offers a number of different ways to interact with -Rules. Before a rule is applied by the framework, a number of different hooks +rules. Before a rule is applied by the framework, a number of different hooks allow you to either modify or discard rules before they are added. Furthermore, a number of events can be used to track the lifecycle of a rule while it is being managed by the NetControl framework. It is also possible to query and @@ -276,7 +272,7 @@ Rule Policy The hook :bro:see:`NetControl::rule_policy` provides the mechanism for modifying or discarding a rule before it is sent onwards to the backends. Hooks can be thought of as multi-bodied functions and using them looks very similar to -handling events. In difference to events, they are processed immediately. Like +handling events. In contrast to events, they are processed immediately. Like events, hooks can have priorities to sort the order in which they are applied. Hooks can use the ``break`` keyword to show that processing should be aborted; if any :bro:see:`NetControl::rule_policy` hook uses ``break``, the rule will be @@ -315,7 +311,7 @@ this order: * - :bro:see:`NetControl::rule_new` - Signals that a new rule is created by the NetControl framework due to - :bro:see:`NetControl::add_rule`. At this point of time, the rule has not + :bro:see:`NetControl::add_rule`. At this point, the rule has not yet been added to any backend. * - :bro:see:`NetControl::rule_added` @@ -328,15 +324,15 @@ this order: * - :bro:see:`NetControl::rule_timeout` - Signals that a rule timeout was reached. If the hardware does not support automatic timeouts, the NetControl framework will automatically call - bro:see:`NetControl::remove_rule`. + :bro:see:`NetControl::remove_rule`. * - :bro:see:`NetControl::rule_removed` - Signals that a new rule has successfully been removed a backend. * - :bro:see:`NetControl::rule_destroyed` - This event is the pendant to :bro:see:`NetControl::rule_added`, and - reports that a rule is no longer be tracked by the NetControl framework. - This happens, for example, when a rule was removed from all backend. + reports that a rule is no longer being tracked by the NetControl framework. + This happens, for example, when a rule was removed from all backends. * - :bro:see:`NetControl::rule_error` - This event is raised whenever an error occurs during any rule operation. @@ -385,7 +381,7 @@ NetControl also comes with a blocking function that uses an approach called Catch and release is a blocking scheme that conserves valuable rule space in your hardware. Instead of using long-lasting blocks, catch and release first -only installs blocks for short amount of times (typically a few minutes). After +only installs blocks for a short amount of time (typically a few minutes). After these minutes pass, the block is lifted, but the IP address is added to a watchlist and the IP address will immediately be re-blocked again (for a longer amount of time), if it is seen reappearing in any traffic, no matter if the new @@ -397,7 +393,7 @@ addresses that only are seen once for a short time are only blocked for a few minutes, monitored for a while and then forgotten. IP addresses that keep appearing will get re-blocked for longer amounts of time. -In difference to the other high-level functions that we documented so far, the +In contrast to the other high-level functions that we documented so far, the catch and release functionality is much more complex and adds a number of different specialized functions to NetControl. The documentation for catch and release is contained in the file @@ -481,7 +477,7 @@ The plugins that currently ship with NetControl are: plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`. * - PacketFilter plugin - - This plugin adds uses the Bro process-level packet filter (see + - This plugin uses the Bro process-level packet filter (see :bro:see:`install_src_net_filter` and :bro:see:`install_dst_net_filter`). Since the functionality of the PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this @@ -496,7 +492,7 @@ Activating plugins In the API reference part of this document, we already used the debug plugin. To use the plugin, we first had to instantiate it by calling -:bro:see:`NetControl::NetControl::create_debug` and then add it to NetControl by +:bro:see:`NetControl::create_debug` and then add it to NetControl by calling :bro:see:`NetControl::activate`. As we already hinted before, NetControl supports having several plugins that are @@ -607,7 +603,7 @@ Writing plugins In addition to using the plugins that are part of NetControl, you can write your own plugins to interface with hard- or software that we currently do not support -out of the Box. +out of the box. Creating your own plugin is easy; besides a bit of boilerplate, you only need to create two functions: one that is called when a rule is added, and one that is diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro index f5fd38b2e3..2d28274f77 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -10,39 +10,39 @@ export { redef enum Log::ID += { CATCH_RELEASE }; - ## Thhis record is used is used for storing information about current blocks that are + ## This record is used for storing information about current blocks that are ## part of catch and release. type BlockInfo: record { - ## Absolute time indicating until when a block is inserted using NetControl + ## Absolute time indicating until when a block is inserted using NetControl. block_until: time &optional; - ## Absolute time indicating until when an IP address is watched to reblock it + ## Absolute time indicating until when an IP address is watched to reblock it. watch_until: time; - ## Number of times an IP address was reblocked + ## Number of times an IP address was reblocked. num_reblocked: count &default=0; - ## Number indicating at which catch and release interval we currently are + ## Number indicating at which catch and release interval we currently are. current_interval: count; ## ID of the inserted block, if any. current_block_id: string; - ## User specified string + ## User specified string. location: string &optional; }; ## The enum that contains the different kinds of messages that are logged by - ## catch and release + ## catch and release. type CatchReleaseActions: enum { - ## Log lines marked with info are purely informational; no action was taken + ## Log lines marked with info are purely informational; no action was taken. INFO, ## A rule for the specified IP address already existed in NetControl (outside ## of catch-and-release). Catch and release did not add a new rule, but is now - ## watching the IP address and will add a new rule after the current rule expired. + ## watching the IP address and will add a new rule after the current rule expires. ADDED, - ## A drop was requested by catch and release + ## A drop was requested by catch and release. DROP, - ## A address was succesfully blocked by catch and release + ## An address was successfully blocked by catch and release. DROPPED, - ## An address was unblocked after the timeout expired + ## An address was unblocked after the timeout expired. UNBLOCK, - ## An address was forgotten because it did not reappear within the `watch_until` interval + ## An address was forgotten because it did not reappear within the `watch_until` interval. FORGOTTEN, ## A watched IP address was seen again; catch and release will re-block it. SEEN_AGAIN @@ -52,7 +52,7 @@ export { type CatchReleaseInfo: record { ## The absolute time indicating when the action for this log-line occured. ts: time &log; - ## The rule id that this log lone refers to. + ## The rule id that this log line refers to. rule_id: string &log &optional; ## The IP address that this line refers to. ip: addr &log; @@ -85,7 +85,7 @@ export { ## ## a: The address to be dropped. ## - ## t: How long to drop it, with 0 being indefinitly. + ## t: How long to drop it, with 0 being indefinitely. ## ## location: An optional string describing where the drop was triggered. ## @@ -101,17 +101,17 @@ export { ## ## a: The address to be unblocked. ## - ## reason: A reason for the unblock + ## reason: A reason for the unblock. ## ## Returns: True if the address was unblocked. global unblock_address_catch_release: function(a: addr, reason: string &default="") : bool; - ## This function can be called to notify the cach and release script that activity by + ## This function can be called to notify the catch and release script that activity by ## an IP address was seen. If the respective IP address is currently monitored by catch and - ## release and not blocked, the block will be re-instated. See the documentation of watch_new_connection + ## release and not blocked, the block will be reinstated. See the documentation of watch_new_connection ## which events the catch and release functionality usually monitors for activity. ## - ## a: The address that was seen and should be re-dropped if it is being watched + ## a: The address that was seen and should be re-dropped if it is being watched. global catch_release_seen: function(a: addr); ## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release. @@ -144,7 +144,7 @@ export { ## should have been blocked. const catch_release_warn_blocked_ip_encountered = F &redef; - ## Time intervals for which a subsequent drops of the same IP take + ## Time intervals for which subsequent drops of the same IP take ## effect. const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef; @@ -160,7 +160,7 @@ export { global catch_release_encountered: event(a: addr); } -# set that is used to only send seen notifications to the master every ~30 seconds. +# Set that is used to only send seen notifications to the master every ~30 seconds. global catch_release_recently_notified: set[addr] &create_expire=30secs; event bro_init() &priority=5 diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.bro index 5b71e40659..9abe44b34d 100644 --- a/scripts/base/frameworks/netcontrol/cluster.bro +++ b/scripts/base/frameworks/netcontrol/cluster.bro @@ -23,7 +23,7 @@ redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout function activate(p: PluginState, priority: int) { - # we only run the activate function on the manager. + # We only run the activate function on the manager. if ( Cluster::local_node_type() != Cluster::MANAGER ) return; @@ -38,8 +38,8 @@ function add_rule(r: Rule) : string return add_rule_impl(r); else { - # we sync rule entities accross the cluster, so we - # acually can test if the rule already exists. If yes, + # We sync rule entities accross the cluster, so we + # actually can test if the rule already exists. If yes, # refuse insertion already at the node. if ( [r$entity, r$ty] in rule_entities ) diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.bro index 8209df2f51..8b31996057 100644 --- a/scripts/base/frameworks/netcontrol/drop.bro +++ b/scripts/base/frameworks/netcontrol/drop.bro @@ -11,34 +11,34 @@ export { ## ## a: The address to be dropped. ## - ## t: How long to drop it, with 0 being indefinitly. + ## t: How long to drop it, with 0 being indefinitely. ## ## location: An optional string describing where the drop was triggered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global drop_address: function(a: addr, t: interval, location: string &default="") : string; - ## Stops all packets involving an connection address from being forwarded. + ## Stops all packets involving a connection address from being forwarded. ## ## c: The connection to be dropped. ## - ## t: How long to drop it, with 0 being indefinitly. + ## t: How long to drop it, with 0 being indefinitely. ## ## location: An optional string describing where the drop was triggered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global drop_connection: function(c: conn_id, t: interval, location: string &default="") : string; type DropInfo: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run + ## ID of the rule; unique during each Bro run. rule_id: string &log; orig_h: addr &log; ##< The originator's IP address. orig_p: port &log &optional; ##< The originator's port number. resp_h: addr &log &optional; ##< The responder's IP address. resp_p: port &log &optional; ##< The responder's port number. - ## Expiry time of the shunt + ## Expiry time of the shunt. expire: interval &log; ## Location where the underlying action was triggered. location: string &log &optional; @@ -47,7 +47,7 @@ export { ## Hook that allows the modification of rules passed to drop_* before they ## are passed on. If one of the hooks uses break, the rule is ignored. ## - ## r: The rule to be added + ## r: The rule to be added. global NetControl::drop_rule_policy: hook(r: Rule); ## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo` diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro index 0e5d0cf7be..3e9b35fa8c 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.bro @@ -7,7 +7,7 @@ ##! restrictions on entities, such as specific connections or IP addresses. ##! ##! This framework has two APIs: a high-level and low-level. The high-level API -##! provides convinience functions for a set of common operations. The +##! provides convenience functions for a set of common operations. The ##! low-level API provides full flexibility. module NetControl; @@ -25,7 +25,7 @@ export { ## Activates a plugin. ## - ## p: The plugin to acticate. + ## p: The plugin to activate. ## ## priority: The higher the priority, the earlier this plugin will be checked ## whether it supports an operation, relative to other plugins. @@ -48,37 +48,37 @@ export { ## Allows all traffic involving a specific IP address to be forwarded. ## - ## a: The address to be whitelistet. + ## a: The address to be whitelisted. ## - ## t: How long to whitelist it, with 0 being indefinitly. + ## t: How long to whitelist it, with 0 being indefinitely. ## ## location: An optional string describing whitelist was triddered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global whitelist_address: function(a: addr, t: interval, location: string &default="") : string; ## Allows all traffic involving a specific IP subnet to be forwarded. ## - ## s: The subnet to be whitelistet. + ## s: The subnet to be whitelisted. ## - ## t: How long to whitelist it, with 0 being indefinitly. + ## t: How long to whitelist it, with 0 being indefinitely. ## ## location: An optional string describing whitelist was triddered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global whitelist_subnet: function(s: subnet, t: interval, location: string &default="") : string; - ## Redirects an uni-directional flow to another port. + ## Redirects a uni-directional flow to another port. ## ## f: The flow to redirect. ## - ## out_port: Port to redirect the flow to + ## out_port: Port to redirect the flow to. ## - ## t: How long to leave the redirect in place, with 0 being indefinitly. + ## t: How long to leave the redirect in place, with 0 being indefinitely. ## ## location: An optional string describing where the redirect was triggered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string; ## Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining @@ -87,13 +87,13 @@ export { ## instead. Only http communication infected to quarantinehost is allowed. All other network communication ## is blocked. ## - ## infected: the host to quarantine + ## infected: the host to quarantine. ## - ## dns: the network dns server + ## dns: the network dns server. ## - ## quarantine: the quarantine server running a dns and a web server + ## quarantine: the quarantine server running a dns and a web server. ## - ## t: how long to leave the quarantine in place + ## t: how long to leave the quarantine in place. ## ## Returns: Vector of inserted rules on success, empty list on failure. global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string; @@ -111,7 +111,7 @@ export { ## ## r: The rule to install. ## - ## Returns: If succesful, returns an ID string unique to the rule that can + ## Returns: If successful, returns an ID string unique to the rule that can ## later be used to refer to it. If unsuccessful, returns an empty ## string. The ID is also assigned to ``r$id``. Note that ## "successful" means "a plugin knew how to handle the rule", it @@ -126,19 +126,19 @@ export { ## ## reason: Optional string argument giving information on why the rule was removed. ## - ## Returns: True if succesful, the relevant plugin indicated that it knew + ## Returns: True if successful, the relevant plugin indicated that it knew ## how to handle the removal. Note that again "success" means the - ## plugin accepted the removal. They might still fail to put it + ## plugin accepted the removal. It might still fail to put it ## into effect, as that might happen asynchronously and thus go ## wrong at that point. global remove_rule: function(id: string, reason: string &default="") : bool; - ## Deletes a rule without removing in from the backends to which it has been - ## added before. This mean that no messages will be sent to the switches to which + ## Deletes a rule without removing it from the backends to which it has been + ## added before. This means that no messages will be sent to the switches to which ## the rule has been added; if it is not removed from them by a separate mechanism, ## it will stay installed and not be removed later. ## - ## id: The rule to delete, specified as the ID returned by :bro:see:`add_rule` . + ## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`. ## ## reason: Optional string argument giving information on why the rule was deleted. ## @@ -152,9 +152,9 @@ export { ## the worker, the internal rule variables (starting with _) will not reflect the ## current state. ## - ## ip: The ip address to search for + ## ip: The ip address to search for. ## - ## Returns: vector of all rules affecting the IP address + ## Returns: vector of all rules affecting the IP address. global find_rules_addr: function(ip: addr) : vector of Rule; ## Searches all rules affecting a certain subnet. @@ -171,9 +171,9 @@ export { ## the worker, the internal rule variables (starting with _) will not reflect the ## current state. ## - ## sn: The subnet to search for + ## sn: The subnet to search for. ## - ## Returns: vector of all rules affecting the subnet + ## Returns: vector of all rules affecting the subnet. global find_rules_subnet: function(sn: subnet) : vector of Rule; ###### Asynchronous feedback on rules. @@ -201,7 +201,7 @@ export { global rule_exists: event(r: Rule, p: PluginState, msg: string &default=""); ## Reports that a plugin reports a rule was removed due to a - ## remove: function() vall. + ## remove_rule function call. ## ## r: The rule now removed. ## @@ -234,9 +234,9 @@ export { ## This event is raised when a new rule is created by the NetControl framework ## due to a call to add_rule. From this moment, until the rule_destroyed event - ## is raised, the rule is tracked internally by the NetControl framewory. + ## is raised, the rule is tracked internally by the NetControl framework. ## - ## Note that this event does not mean that a rule was succesfully added by + ## Note that this event does not mean that a rule was successfully added by ## any backend; it just means that the rule has been accepted and addition ## to the specified backend is queued. To get information when rules are actually ## installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout @@ -248,15 +248,15 @@ export { ## was removed by all plugins to which it was added, by the fact that it timed out ## or due to rule errors. ## - ## To get the cause or a rule remove, hook the rule_removed, rule_timeout and - ## rule_error calls. + ## To get the cause of a rule remove, catch the rule_removed, rule_timeout and + ## rule_error events. global rule_destroyed: event(r: Rule); ## Hook that allows the modification of rules passed to add_rule before they ## are passed on to the plugins. If one of the hooks uses break, the rule is ## ignored and not passed on to any plugin. ## - ## r: The rule to be added + ## r: The rule to be added. global NetControl::rule_policy: hook(r: Rule); ##### Plugin functions @@ -279,19 +279,19 @@ export { ## State of an entry in the NetControl log. type InfoState: enum { - REQUESTED, ##< The request to add/remove a rule was sent to the respective backend - SUCCEEDED, ##< A rule was succesfully added by a backend - EXISTS, ##< A backend reported that a rule was already existing - FAILED, ##< A rule addition failed - REMOVED, ##< A rule was succesfully removed by a backend - TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend + REQUESTED, ##< The request to add/remove a rule was sent to the respective backend. + SUCCEEDED, ##< A rule was successfully added by a backend. + EXISTS, ##< A backend reported that a rule was already existing. + FAILED, ##< A rule addition failed. + REMOVED, ##< A rule was successfully removed by a backend. + TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend. }; ## The record type defining the column fields of the NetControl log. type Info: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run + ## ID of the rule; unique during each Bro run. rule_id: string &log &optional; ## Type of the log entry. category: InfoCategory &log &optional; @@ -311,9 +311,9 @@ export { mod: string &log &optional; ## String with an additional message. msg: string &log &optional; - ## Number describing the priority of the log entry + ## Number describing the priority of the log entry. priority: int &log &optional; - ## Expiry time of the log entry + ## Expiry time of the log entry. expire: interval &log &optional; ## Location where the underlying action was triggered. location: string &log &optional; @@ -333,7 +333,7 @@ redef record Rule += { _active_plugin_ids: set[count] &default=count_set(); ## Internally set to plugins where the rule should not be removed upon timeout. _no_expire_plugins: set[count] &default=count_set(); - ## Track if the rule was added succesfully by all responsible plugins. + ## Track if the rule was added successfully by all responsible plugins. _added: bool &default=F; }; diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.bro index 36fa25a8f0..c4825095fb 100644 --- a/scripts/base/frameworks/netcontrol/plugin.bro +++ b/scripts/base/frameworks/netcontrol/plugin.bro @@ -9,7 +9,7 @@ export { ## ## Individual plugins commonly extend this record to suit their needs. type PluginState: record { - ## Table for a plugin to store custom, instance-specfific state. + ## Table for a plugin to store custom, instance-specific state. config: table[string] of string &default=table(); ## Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally. @@ -18,14 +18,14 @@ export { ## Set internally. _priority: int &default=+0; - ## Set internally. Signifies if the plugin has returned that it has activated succesfully + ## Set internally. Signifies if the plugin has returned that it has activated succesfully. _activated: bool &default=F; }; ## Definition of a plugin. ## ## Generally a plugin needs to implement only what it can support. By - ## returning failure, it indicates that it can't support something and the + ## returning failure, it indicates that it can't support something and ## the framework will then try another plugin, if available; or inform the ## that the operation failed. If a function isn't implemented by a plugin, ## that's considered an implicit failure to support the operation. @@ -33,7 +33,7 @@ export { ## If plugin accepts a rule operation, it *must* generate one of the reporting ## events ``rule_{added,remove,error}`` to signal if it indeed worked out; ## this is separate from accepting the operation because often a plugin - ## will only know later (i.e., asynchrously) if that was an error for + ## will only know later (i.e., asynchronously) if that was an error for ## something it thought it could handle. type Plugin: record { ## Returns a descriptive name of the plugin instance, suitable for use in logging @@ -64,7 +64,7 @@ export { add_rule: function(state: PluginState, r: Rule) : bool &optional; ## Implements the remove_rule() operation. This will only be called for - ## rules that the plugins has previously accepted with add_rule(). The + ## rules that the plugin has previously accepted with add_rule(). The ## ``id`` field will match that of the add_rule() call. Generally, ## a plugin that accepts an add_rule() should also accept the ## remove_rule(). diff --git a/scripts/base/frameworks/netcontrol/plugins/README b/scripts/base/frameworks/netcontrol/plugins/README index 12af1779c9..5823252cb3 100644 --- a/scripts/base/frameworks/netcontrol/plugins/README +++ b/scripts/base/frameworks/netcontrol/plugins/README @@ -1 +1 @@ -Plugins for the NetControl framework +Plugins for the NetControl framework. diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro index 5f729c284f..2c4760e066 100644 --- a/scripts/base/frameworks/netcontrol/plugins/acld.bro +++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro @@ -17,24 +17,24 @@ export { }; type AcldConfig: record { - ## The acld topic used to send events to + ## The acld topic to send events to. acld_topic: string; - ## Broker host to connect to + ## Broker host to connect to. acld_host: addr; - ## Broker port to connect to + ## Broker port to connect to. acld_port: port; - ## Do we accept rules for the monitor path? Default false + ## Do we accept rules for the monitor path? Default false. monitor: bool &default=F; - ## Do we accept rules for the forward path? Default true + ## Do we accept rules for the forward path? Default true. forward: bool &default=T; ## Predicate that is called on rule insertion or removal. ## - ## p: Current plugin state + ## p: Current plugin state. ## - ## r: The rule to be inserted or removed + ## r: The rule to be inserted or removed. ## - ## Returns: T if the rule can be handled by the current backend, F otherwhise + ## Returns: T if the rule can be handled by the current backend, F otherwise. check_pred: function(p: PluginState, r: Rule): bool &optional; }; @@ -43,27 +43,27 @@ export { redef record PluginState += { acld_config: AcldConfig &optional; - ## The ID of this acld instance - for the mapping to PluginStates + ## The ID of this acld instance - for the mapping to PluginStates. acld_id: count &optional; }; ## Hook that is called after a rule is converted to an acld rule. ## The hook may modify the rule before it is sent to acld. ## Setting the acld command to F will cause the rule to be rejected - ## by the plugin + ## by the plugin. ## - ## p: Current plugin state + ## p: Current plugin state. ## - ## r: The rule to be inserted or removed + ## r: The rule to be inserted or removed. ## - ## ar: The acld rule to be inserted or removed + ## ar: The acld rule to be inserted or removed. global NetControl::acld_rule_policy: hook(p: PluginState, r: Rule, ar: AclRule); - ## Events that are sent from us to Broker + ## Events that are sent from us to Broker. global acld_add_rule: event(id: count, r: Rule, ar: AclRule); global acld_remove_rule: event(id: count, r: Rule, ar: AclRule); - ## Events that are sent from Broker to us + ## Events that are sent from Broker to us. global acld_rule_added: event(id: count, r: Rule, msg: string); global acld_rule_removed: event(id: count, r: Rule, msg: string); global acld_rule_exists: event(id: count, r: Rule, msg: string); diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro index 465ca5b9fc..cb1d5dd786 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.bro +++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro @@ -1,4 +1,4 @@ -##! Broker plugin for the netcontrol framework. Sends the raw data structures +##! Broker plugin for the NetControl framework. Sends the raw data structures ##! used in NetControl on to Broker to allow for easy handling, e.g., of ##! command-line scripts. @@ -13,25 +13,25 @@ module NetControl; export { ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`. type BrokerConfig: record { - ## The broker topic used to send events to + ## The broker topic to send events to. topic: string &optional; - ## Broker host to connect to + ## Broker host to connect to. host: addr &optional; - ## Broker port to connect to + ## Broker port to connect to. bport: port &optional; - ## Do we accept rules for the monitor path? Default true + ## Do we accept rules for the monitor path? Default true. monitor: bool &default=T; - ## Do we accept rules for the forward path? Default true + ## Do we accept rules for the forward path? Default true. forward: bool &default=T; ## Predicate that is called on rule insertion or removal. ## - ## p: Current plugin state + ## p: Current plugin state. ## - ## r: The rule to be inserted or removed + ## r: The rule to be inserted or removed. ## - ## Returns: T if the rule can be handled by the current backend, F otherwhise + ## Returns: T if the rule can be handled by the current backend, F otherwise. check_pred: function(p: PluginState, r: Rule): bool &optional; }; @@ -39,9 +39,9 @@ export { global create_broker: function(config: BrokerConfig, can_expire: bool) : PluginState; redef record PluginState += { - ## OpenFlow controller for NetControl Broker plugin + ## OpenFlow controller for NetControl Broker plugin. broker_config: BrokerConfig &optional; - ## The ID of this broker instance - for the mapping to PluginStates + ## The ID of this broker instance - for the mapping to PluginStates. broker_id: count &optional; }; diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index 234e0b47c7..07be594b57 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro @@ -9,11 +9,11 @@ module NetControl; export { ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`. type OfConfig: record { - monitor: bool &default=T; ##< accept rules that target the monitor path - forward: bool &default=T; ##< accept rules that target the forward path - idle_timeout: count &default=0; ##< default OpenFlow idle timeout - table_id: count &optional; ##< default OpenFlow table ID. - priority_offset: int &default=+0; ##< add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function. + monitor: bool &default=T; ##< Accept rules that target the monitor path. + forward: bool &default=T; ##< Accept rules that target the forward path. + idle_timeout: count &default=0; ##< Default OpenFlow idle timeout. + table_id: count &optional; ##< Default OpenFlow table ID. + priority_offset: int &default=+0; ##< Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function. ## Predicate that is called on rule insertion or removal. ## @@ -21,7 +21,7 @@ export { ## ## r: The rule to be inserted or removed. ## - ## Returns: T if the rule can be handled by the current backend, F otherwhise. + ## Returns: T if the rule can be handled by the current backend, F otherwise. check_pred: function(p: PluginState, r: Rule): bool &optional; ## This predicate is called each time an OpenFlow match record is created. @@ -34,10 +34,10 @@ export { ## ## m: The openflow match structures that were generated for this rules. ## - ## Returns: The modified OpenFlow match structures that will be used in place the structures passed in m. + ## Returns: The modified OpenFlow match structures that will be used in place of the structures passed in m. match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match): vector of OpenFlow::ofp_match &optional; - ## This predicate is called before an FlowMod message is sent to the OpenFlow + ## This predicate is called before a FlowMod message is sent to the OpenFlow ## device. It can modify the FlowMod message before it is passed on. ## ## p: Current plugin state. @@ -46,14 +46,14 @@ export { ## ## m: The OpenFlow FlowMod message. ## - ## Returns: The modified FloMod message that is used in lieu of m. + ## Returns: The modified FlowMod message that is used in lieu of m. flow_mod_pred: function(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod &optional; }; redef record PluginState += { - ## OpenFlow controller for NetControl OpenFlow plugin + ## OpenFlow controller for NetControl OpenFlow plugin. of_controller: OpenFlow::Controller &optional; - ## OpenFlow configuration record that is passed on initialization + ## OpenFlow configuration record that is passed on initialization. of_config: OfConfig &optional; }; @@ -66,11 +66,11 @@ export { duration_sec: double &default=0.0; }; - ## the time interval after which an openflow message is considered to be timed out + ## The time interval after which an openflow message is considered to be timed out ## and we delete it from our internal tracking. const openflow_message_timeout = 20secs &redef; - ## the time interval after we consider a flow timed out. This should be fairly high (or + ## The time interval after we consider a flow timed out. This should be fairly high (or ## even disabled) if you expect a lot of long flows. However, one also will have state ## buildup for quite a while if keeping this around... const openflow_flow_timeout = 24hrs &redef; diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.bro index e1a5715582..1275be1560 100644 --- a/scripts/base/frameworks/netcontrol/shunt.bro +++ b/scripts/base/frameworks/netcontrol/shunt.bro @@ -11,21 +11,21 @@ export { ## ## f: The flow to shunt. ## - ## t: How long to leave the shunt in place, with 0 being indefinitly. + ## t: How long to leave the shunt in place, with 0 being indefinitely. ## ## location: An optional string describing where the shunt was triggered. ## - ## Returns: The id of the inserted rule on succes and zero on failure. + ## Returns: The id of the inserted rule on success and zero on failure. global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string; type ShuntInfo: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run + ## ID of the rule; unique during each Bro run. rule_id: string &log; - ## Flow ID of the shunted flow + ## Flow ID of the shunted flow. f: flow_id &log; - ## Expiry time of the shunt + ## Expiry time of the shunt. expire: interval &log; ## Location where the underlying action was triggered. location: string &log &optional; diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.bro index dce3ed4223..cc42de14e0 100644 --- a/scripts/base/frameworks/netcontrol/types.bro +++ b/scripts/base/frameworks/netcontrol/types.bro @@ -1,4 +1,4 @@ -##! This file defines the that are used by the NetControl framework. +##! This file defines the types that are used by the NetControl framework. ##! ##! The most important type defined in this file is :bro:see:`NetControl::Rule`, ##! which is used to describe all rules that can be expressed by the NetControl framework. @@ -17,17 +17,16 @@ export { ## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`. const whitelist_priority: int = +5 &redef; - ## The EntityType is used in :bro:id:`Entity` for defining the entity that a rule - ## applies to. + ## Type defining the entity that a rule applies to. type EntityType: enum { ADDRESS, ##< Activity involving a specific IP address. CONNECTION, ##< Activity involving all of a bi-directional connection's activity. - FLOW, ##< Actitivy involving a uni-directional flow's activity. Can contain wildcards. + FLOW, ##< Activity involving a uni-directional flow's activity. Can contain wildcards. MAC, ##< Activity involving a MAC address. }; - ## Flow is used in :bro:id:`Entity` together with :bro:enum:`NetControl::FLOW` to specify - ## a uni-directional flow that a :bro:id:`Rule` applies to. + ## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify + ## a uni-directional flow that a rule applies to. ## ## If optional fields are not set, they are interpreted as wildcarded. type Flow: record { @@ -39,7 +38,7 @@ export { dst_m: string &optional; ##< The destination MAC address. }; - ## Type defining the entity an :bro:id:`Rule` is operating on. + ## Type defining the entity a rule is operating on. type Entity: record { ty: EntityType; ##< Type of entity. conn: conn_id &optional; ##< Used with :bro:enum:`NetControl::CONNECTION`. @@ -48,7 +47,7 @@ export { mac: string &optional; ##< Used with :bro:enum:`NetControl::MAC`. }; - ## The :bro:id`TargetType` defined the target of a :bro:id:`Rule`. + ## Type defining the target of a rule. ## ## Rules can either be applied to the forward path, affecting all network traffic, or ## on the monitor path, only affecting the traffic that is sent to Bro. The second @@ -60,7 +59,7 @@ export { }; ## Type of rules that the framework supports. Each type lists the extra - ## :bro:id:`Rule` argument(s) it uses, if any. + ## :bro:type:`NetControl::Rule` fields it uses, if any. ## ## Plugins may extend this type to define their own. type RuleType: enum { @@ -81,7 +80,7 @@ export { REDIRECT, ## Whitelists all packets of an entity, meaning no restrictions will be applied. - ## While whitelisting is the default if no rule matches an this can type can be + ## While whitelisting is the default if no rule matches, this type can be ## used to override lower-priority rules that would otherwise take effect for the ## entity. WHITELIST, @@ -92,7 +91,7 @@ export { src_h: addr &optional; ##< The source IP address. src_p: count &optional; ##< The source port number. dst_h: addr &optional; ##< The destination IP address. - dst_p: count &optional; ##< The desintation port number. + dst_p: count &optional; ##< The destination port number. src_m: string &optional; ##< The source MAC address. dst_m: string &optional; ##< The destination MAC address. redirect_port: count &optional; @@ -121,8 +120,8 @@ export { ## That being said - their design makes sense and this is probably the data one ## can expect to be available. type FlowInfo: record { - duration: interval &optional; ##< total duration of the rule - packet_count: count &optional; ##< number of packets exchanged over connections matched by the rule - byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule + duration: interval &optional; ##< Total duration of the rule. + packet_count: count &optional; ##< Number of packets exchanged over connections matched by the rule. + byte_count: count &optional; ##< Total bytes exchanged over connections matched by the rule. }; } From 462eaefc43f8fb7f655209c6640f2f84e60c7e6f Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 9 Nov 2016 14:16:42 -0600 Subject: [PATCH 083/288] Fix some warnings seen while building the docs Removed references in the docs to a few identifiers that aren't defined in any Bro scripts. --- scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/init-bare.bro | 3 +-- src/analyzer/protocol/smb/smb2_com_set_info.bif | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 6741147834..7cd8ead0c5 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -79,7 +79,7 @@ export { ## Information passed into rotation callback functions. type RotationInfo: record { - writer: Writer; ##< The :bro:type:`Log::Writer` being used. + writer: Writer; ##< The log writer being used. fname: string; ##< Full name of the rotated file. path: string; ##< Original path value. open: time; ##< Time when opened. diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f84157716f..5a5732de4a 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2556,7 +2556,6 @@ export { ## smb1_echo_response smb1_negotiate_request ## smb1_negotiate_response smb1_nt_cancel_request ## smb1_nt_create_andx_request smb1_nt_create_andx_response - ## smb1_open_andx_request smb1_open_andx_response ## smb1_query_information_request smb1_read_andx_request ## smb1_read_andx_response smb1_session_setup_andx_request ## smb1_session_setup_andx_response smb1_transaction_request @@ -2844,7 +2843,7 @@ export { ## smb2_create_request smb2_create_response smb2_negotiate_request ## smb2_negotiate_response smb2_read_request ## smb2_session_setup_request smb2_session_setup_response - ## smb2_set_info_request smb2_file_rename smb2_file_delete + ## smb2_file_rename smb2_file_delete ## smb2_tree_connect_request smb2_tree_connect_response ## smb2_write_request type SMB2::Header: record { diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 6fd232ed7d..3aeeb579fe 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif @@ -11,7 +11,7 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_set_info_request smb2_file_delete +## .. bro:see:: smb2_message smb2_file_delete event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -26,7 +26,7 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_set_info_request smb2_file_rename +## .. bro:see:: smb2_message smb2_file_rename event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); # TODO - Not implemented From aa8d200e80ce8a6e9cd62efb11c8d9c853fcb7cd Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 9 Nov 2016 14:29:03 -0600 Subject: [PATCH 084/288] Fix various typos in the openflow framework docs --- scripts/base/frameworks/openflow/README | 2 +- scripts/base/frameworks/openflow/consts.bro | 20 +++++----- scripts/base/frameworks/openflow/main.bro | 36 ++++++++--------- .../frameworks/openflow/plugins/broker.bro | 6 +-- .../base/frameworks/openflow/plugins/log.bro | 12 +++--- .../base/frameworks/openflow/plugins/ryu.bro | 4 +- scripts/base/frameworks/openflow/types.bro | 40 +++++++++---------- 7 files changed, 60 insertions(+), 60 deletions(-) diff --git a/scripts/base/frameworks/openflow/README b/scripts/base/frameworks/openflow/README index 87fbc8b3cb..df20b60181 100644 --- a/scripts/base/frameworks/openflow/README +++ b/scripts/base/frameworks/openflow/README @@ -1,2 +1,2 @@ -The OpenFlow framework exposes the datastructures and functions +The OpenFlow framework exposes the data structures and functions necessary to interface to OpenFlow capable hardware. diff --git a/scripts/base/frameworks/openflow/consts.bro b/scripts/base/frameworks/openflow/consts.bro index ca956702a7..3564137701 100644 --- a/scripts/base/frameworks/openflow/consts.bro +++ b/scripts/base/frameworks/openflow/consts.bro @@ -1,7 +1,7 @@ ##! Constants used by the OpenFlow framework. # All types/constants not specific to OpenFlow will be defined here -# unitl they somehow get into Bro. +# until they somehow get into Bro. module OpenFlow; @@ -122,9 +122,9 @@ export { ## Return value for a cookie from a flow ## which is not added, modified or deleted - ## from the bro openflow framework + ## from the bro openflow framework. const INVALID_COOKIE = 0xffffffffffffffff; - # Openflow pysical port definitions + # Openflow physical port definitions ## Send the packet out the input port. This ## virual port must be explicitly used in ## order to send back out of the input port. @@ -135,10 +135,10 @@ export { const OFPP_TABLE = 0xfffffff9; ## Process with normal L2/L3 switching. const OFPP_NORMAL = 0xfffffffa; - ## All pysical ports except input port and + ## All physical ports except input port and ## those disabled by STP. const OFPP_FLOOD = 0xfffffffb; - ## All pysical ports except input port. + ## All physical ports except input port. const OFPP_ALL = 0xfffffffc; ## Send to controller. const OFPP_CONTROLLER = 0xfffffffd; @@ -162,7 +162,7 @@ export { # flow stats and flow deletes. const OFPTT_ALL = 0xff; - ## Openflow action_type definitions + ## Openflow action_type definitions. ## ## The openflow action type defines ## what actions openflow can take @@ -180,7 +180,7 @@ export { OFPAT_SET_DL_SRC = 0x0004, ## Ethernet destination address. OFPAT_SET_DL_DST = 0x0005, - ## IP source address + ## IP source address. OFPAT_SET_NW_SRC = 0x0006, ## IP destination address. OFPAT_SET_NW_DST = 0x0007, @@ -192,11 +192,11 @@ export { OFPAT_SET_TP_DST = 0x000a, ## Output to queue. OFPAT_ENQUEUE = 0x000b, - ## Vendor specific + ## Vendor specific. OFPAT_VENDOR = 0xffff, }; - ## Openflow flow_mod_command definitions + ## Openflow flow_mod_command definitions. ## ## The openflow flow_mod_command describes ## of what kind an action is. @@ -213,7 +213,7 @@ export { OFPFC_DELETE_STRICT = 0x4, }; - ## Openflow config flag definitions + ## Openflow config flag definitions. ## ## TODO: describe type ofp_config_flags: enum { diff --git a/scripts/base/frameworks/openflow/main.bro b/scripts/base/frameworks/openflow/main.bro index 889929c641..5740e90056 100644 --- a/scripts/base/frameworks/openflow/main.bro +++ b/scripts/base/frameworks/openflow/main.bro @@ -1,11 +1,11 @@ -##! Bro's OpenFlow control framework +##! Bro's OpenFlow control framework. ##! ##! This plugin-based framework allows to control OpenFlow capable ##! switches by implementing communication to an OpenFlow controller ##! via plugins. The framework has to be instantiated via the new function ##! in one of the plugins. This framework only offers very low-level ##! functionality; if you want to use OpenFlow capable switches, e.g., -##! for shunting, please look at the PACF framework, which provides higher +##! for shunting, please look at the NetControl framework, which provides higher ##! level functions and can use the OpenFlow framework as a backend. module OpenFlow; @@ -16,7 +16,7 @@ module OpenFlow; export { ## Global flow_mod function. ## - ## controller: The controller which should execute the flow modification + ## controller: The controller which should execute the flow modification. ## ## match: The ofp_match record which describes the flow to match. ## @@ -27,7 +27,7 @@ export { ## Clear the current flow table of the controller. ## - ## controller: The controller which should execute the flow modification + ## controller: The controller which should execute the flow modification. ## ## Returns: F on error or if the plugin does not support the operation, T when the operation was queued. global flow_clear: function(controller: Controller): bool; @@ -66,21 +66,21 @@ export { ## ## priority: The priority that was specified when creating the flow. ## - ## reason: The reason for flow removal (OFPRR_*) + ## reason: The reason for flow removal (OFPRR_*). ## - ## duration_sec: duration of the flow in seconds + ## duration_sec: Duration of the flow in seconds. ## - ## packet_count: packet count of the flow + ## packet_count: Packet count of the flow. ## - ## byte_count: byte count of the flow + ## byte_count: Byte count of the flow. global flow_removed: event(name: string, match: ofp_match, cookie: count, priority: count, reason: count, duration_sec: count, idle_timeout: count, packet_count: count, byte_count: count); ## Convert a conn_id record into an ofp_match record that can be used to ## create match objects for OpenFlow. ## - ## id: the conn_id record that describes the record. + ## id: The conn_id record that describes the record. ## - ## reverse: reverse the sources and destinations when creating the match record (default F) + ## reverse: Reverse the sources and destinations when creating the match record (default F). ## ## Returns: ofp_match object for the conn_id record. global match_conn: function(id: conn_id, reverse: bool &default=F): ofp_match; @@ -113,18 +113,18 @@ export { ## Function to register a controller instance. This function ## is called automatically by the plugin _new functions. ## - ## tpe: type of this plugin + ## tpe: Type of this plugin. ## - ## name: unique name of this controller instance. + ## name: Unique name of this controller instance. ## - ## controller: The controller to register + ## controller: The controller to register. global register_controller: function(tpe: OpenFlow::Plugin, name: string, controller: Controller); ## Function to unregister a controller instance. This function ## should be called when a specific controller should no longer ## be used. ## - ## controller: The controller to unregister + ## controller: The controller to unregister. global unregister_controller: function(controller: Controller); ## Function to signal that a controller finished activation and is @@ -134,16 +134,16 @@ export { ## Event that is raised once a controller finishes initialization ## and is completely activated. - ## name: unique name of this controller instance. + ## name: Unique name of this controller instance. ## ## controller: The controller that finished activation. global OpenFlow::controller_activated: event(name: string, controller: Controller); - ## Function to lookup a controller instance by name + ## Function to lookup a controller instance by name. ## - ## name: unique name of the controller to look up + ## name: Unique name of the controller to look up. ## - ## Returns: one element vector with controller, if found. Empty vector otherwhise. + ## Returns: One element vector with controller, if found. Empty vector otherwise. global lookup_controller: function(name: string): vector of Controller; } diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.bro index a67b941e08..fee2dc573d 100644 --- a/scripts/base/frameworks/openflow/plugins/broker.bro +++ b/scripts/base/frameworks/openflow/plugins/broker.bro @@ -18,11 +18,11 @@ export { ## ## host_port: Controller listen port. ## - ## topic: broker topic to send messages to. + ## topic: Broker topic to send messages to. ## ## dpid: OpenFlow switch datapath id. ## - ## Returns: OpenFlow::Controller record + ## Returns: OpenFlow::Controller record. global broker_new: function(name: string, host: addr, host_port: port, topic: string, dpid: count): OpenFlow::Controller; redef record ControllerState += { @@ -32,7 +32,7 @@ export { broker_port: port &optional; ## OpenFlow switch datapath id. broker_dpid: count &optional; - ## Topic to sent events for this controller to + ## Topic to send events for this controller to. broker_topic: string &optional; }; diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.bro index 18aa0c1584..2fd961cd4f 100644 --- a/scripts/base/frameworks/openflow/plugins/log.bro +++ b/scripts/base/frameworks/openflow/plugins/log.bro @@ -19,25 +19,25 @@ export { ## ## success_event: If true, flow_mod_success is raised for each logged line. ## - ## Returns: OpenFlow::Controller record + ## Returns: OpenFlow::Controller record. global log_new: function(dpid: count, success_event: bool &default=T): OpenFlow::Controller; redef record ControllerState += { ## OpenFlow switch datapath id. log_dpid: count &optional; - ## Raise or do not raise success event + ## Raise or do not raise success event. log_success_event: bool &optional; }; ## The record type which contains column fields of the OpenFlow log. type Info: record { - ## Network time + ## Network time. ts: time &log; - ## OpenFlow switch datapath id + ## OpenFlow switch datapath id. dpid: count &log; - ## OpenFlow match fields + ## OpenFlow match fields. match: ofp_match &log; - ## OpenFlow modify flow entry message + ## OpenFlow modify flow entry message. flow_mod: ofp_flow_mod &log; }; diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.bro index 69d51adc9b..f022fe0f03 100644 --- a/scripts/base/frameworks/openflow/plugins/ryu.bro +++ b/scripts/base/frameworks/openflow/plugins/ryu.bro @@ -20,7 +20,7 @@ export { ## ## dpid: OpenFlow switch datapath id. ## - ## Returns: OpenFlow::Controller record + ## Returns: OpenFlow::Controller record. global ryu_new: function(host: addr, host_port: count, dpid: count): OpenFlow::Controller; redef record ControllerState += { @@ -30,7 +30,7 @@ export { ryu_port: count &optional; ## OpenFlow switch datapath id. ryu_dpid: count &optional; - ## Enable debug mode - output JSON to stdout; do not perform actions + ## Enable debug mode - output JSON to stdout; do not perform actions. ryu_debug: bool &default=F; }; } diff --git a/scripts/base/frameworks/openflow/types.bro b/scripts/base/frameworks/openflow/types.bro index f527cd51a7..ef57b25e2e 100644 --- a/scripts/base/frameworks/openflow/types.bro +++ b/scripts/base/frameworks/openflow/types.bro @@ -5,9 +5,9 @@ module OpenFlow; @load ./consts export { - ## Available openflow plugins + ## Available openflow plugins. type Plugin: enum { - ## Internal placeholder plugin + ## Internal placeholder plugin. INVALID, }; @@ -19,7 +19,7 @@ export { _plugin: Plugin &optional; ## Internally set to the unique name of the controller. _name: string &optional; - ## Internally set to true once the controller is activated + ## Internally set to true once the controller is activated. _activated: bool &default=F; } &redef; @@ -58,29 +58,29 @@ export { } &log; ## The actions that can be taken in a flow. - ## (Sepearate record to make ofp_flow_mod less crowded) + ## (Separate record to make ofp_flow_mod less crowded) type ofp_flow_action: record { ## Output ports to send data to. out_ports: vector of count &default=vector(); - ## set vlan vid to this value + ## Set vlan vid to this value. vlan_vid: count &optional; - ## set vlan priority to this value + ## Set vlan priority to this value. vlan_pcp: count &optional; - ## strip vlan tag + ## Strip vlan tag. vlan_strip: bool &default=F; - ## set ethernet source address + ## Set ethernet source address. dl_src: string &optional; - ## set ethernet destination address + ## Set ethernet destination address. dl_dst: string &optional; - ## set ip tos to this value + ## Set ip tos to this value. nw_tos: count &optional; - ## set source to this ip + ## Set source to this ip. nw_src: addr &optional; - ## set destination to this ip + ## Set destination to this ip. nw_dst: addr &optional; - ## set tcp/udp source port + ## Set tcp/udp source port. tp_src: count &optional; - ## set tcp/udp destination port + ## Set tcp/udp destination port. tp_dst: count &optional; } &log; @@ -112,21 +112,21 @@ export { actions: ofp_flow_action &default=ofp_flow_action(); } &log; - ## Controller record representing an openflow controller + ## Controller record representing an openflow controller. type Controller: record { ## Controller related state. state: ControllerState; ## Does the controller support the flow_removed event? supports_flow_removed: bool; - ## function that describes the controller. Has to be implemented. + ## Function that describes the controller. Has to be implemented. describe: function(state: ControllerState): string; - ## one-time initialization function. If defined, controller_init_done has to be called once initialization finishes. + ## One-time initialization function. If defined, controller_init_done has to be called once initialization finishes. init: function (state: ControllerState) &optional; - ## one-time destruction function + ## One-time destruction function. destroy: function (state: ControllerState) &optional; - ## flow_mod function + ## flow_mod function. flow_mod: function(state: ControllerState, match: ofp_match, flow_mod: ofp_flow_mod): bool &optional; - ## flow_clear function + ## flow_clear function. flow_clear: function(state: ControllerState): bool &optional; }; } From 0db028ea9103786a2082bd7d7816fc0daa47c0f1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 9 Nov 2016 14:35:12 -0600 Subject: [PATCH 085/288] Update the quickstart guide for the deploy command Also removed some redundant info about setting up a broctl cron job, which is already explained in detail in the broctl documentation. --- doc/configuration/index.rst | 21 +++---------------- doc/quickstart/index.rst | 41 +++++++++++++++---------------------- 2 files changed, 20 insertions(+), 42 deletions(-) diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst index fa49c3736e..508b3c1449 100644 --- a/doc/configuration/index.rst +++ b/doc/configuration/index.rst @@ -105,24 +105,9 @@ a Bro cluster (do this as the Bro user on the manager host only): > broctl install -- Some tasks need to be run on a regular basis. On the manager node, - insert a line like this into the crontab of the user running the - cluster:: - - 0-59/5 * * * * /bin/broctl cron - - (Note: if you are editing the system crontab instead of a user's own - crontab, then you need to also specify the user which the command - will be run as. The username must be placed after the time fields - and before the broctl command.) - - Note that on some systems (FreeBSD in particular), the default PATH - for cron jobs does not include the directories where bash and python - are installed (the symptoms of this problem would be that "broctl cron" - works when run directly by the user, but does not work from a cron job). - To solve this problem, you would either need to create symlinks - to bash and python in a directory that is in the default PATH for - cron jobs, or specify a new PATH in the crontab. +- See the :doc:`BroControl <../components/broctl/README>` documentation + for information on setting up a cron job on the manager host that can + monitor the cluster. PF_RING Cluster Configuration diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index ba9896e19d..811fad53e1 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -78,15 +78,6 @@ You can leave it running for now, but to stop this Bro instance you would do: [BroControl] > stop -We also recommend to insert the following entry into the crontab of the user -running BroControl:: - - 0-59/5 * * * * $PREFIX/bin/broctl cron - -This will perform a number of regular housekeeping tasks, including -verifying that the process is still running (and restarting if not in -case of any abnormal termination). - Browsing Log Files ------------------ @@ -232,23 +223,25 @@ That's exactly what we want to do for the first notice. Add to ``local.bro``: inside the module. Then go into the BroControl shell to check whether the configuration change -is valid before installing it and then restarting the Bro instance: +is valid before installing it and then restarting the Bro instance. The +"deploy" command does all of this automatically: .. console:: - [BroControl] > check - bro scripts are ok. - [BroControl] > install - removing old policies in /usr/local/bro/spool/policy/site ... done. - removing old policies in /usr/local/bro/spool/policy/auto ... done. - creating policy directories ... done. - installing site policies ... done. - generating standalone-layout.bro ... done. - generating local-networks.bro ... done. - generating broctl-config.bro ... done. - updating nodes ... done. - [BroControl] > restart + [BroControl] > deploy + checking configurations ... + installing ... + removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ... + removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ... + creating policy directories ... + installing site policies ... + generating standalone-layout.bro ... + generating local-networks.bro ... + generating broctl-config.bro ... + generating broctl-config.sh ... + stopping ... stopping bro ... + starting ... starting bro ... Now that the SSL notice is ignored, let's look at how to send an email @@ -281,8 +274,8 @@ connection field is in the set of watched servers. order to avoid ambiguity with the built-in address type's use of '.' in IPv4 dotted decimal representations. -Remember, to finalize that configuration change perform the ``check``, -``install``, ``restart`` commands in that order inside the BroControl shell. +Remember, to finalize that configuration change perform the ``deploy`` +command inside the BroControl shell. Next Steps ---------- From 2347be3092a6a8b39fc1549b50f92fd6c4b1224b Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 9 Nov 2016 14:55:55 -0600 Subject: [PATCH 086/288] Improve the "How to Upgrade" page in the Bro docs Added some text to clarify the procedure (it now reads more like a step-by-step guide to upgrading). --- doc/install/guidelines.rst | 53 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/doc/install/guidelines.rst b/doc/install/guidelines.rst index a56110f865..096c95fb9e 100644 --- a/doc/install/guidelines.rst +++ b/doc/install/guidelines.rst @@ -10,40 +10,53 @@ there's two suggested approaches: either install Bro using the same installation prefix directory as before, or pick a new prefix and copy local customizations over. -Regardless of which approach you choose, if you are using BroControl, then -before doing the upgrade you should stop all running Bro processes with the -"broctl stop" command. After the upgrade is complete then you will need -to run "broctl deploy". - In the following we summarize general guidelines for upgrading, see the :ref:`release-notes` for version-specific information. Reusing Previous Install Prefix -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you choose to configure and install Bro with the same prefix -directory as before, local customization and configuration to files in -``$prefix/share/bro/site`` and ``$prefix/etc`` won't be overwritten -(``$prefix`` indicating the root of where Bro was installed). Also, logs -generated at run-time won't be touched by the upgrade. Backing up local -changes before upgrading is still recommended. +directory as before, first stop all running Bro instances in your +cluster (if using BroControl, issue the "broctl stop" command on the +manager host). Next, make a backup of the Bro install prefix directory. -After upgrading, remember to check ``$prefix/share/bro/site`` and -``$prefix/etc`` for ``.example`` files, which indicate that the -distribution's version of the file differs from the local one, and therefore, -may include local changes. Review the differences and make adjustments -as necessary. Use the new version for differences that aren't a result of -a local change. +During the upgrade, any file in the install prefix may be +overwritten or removed, except for local customization of +files in the ``$prefix/share/bro/site`` and ``$prefix/etc`` +directories (``$prefix`` indicating the root +of where Bro was installed). Also, logs generated at run-time +won't be touched by the upgrade. + +After upgrading, remember to check the ``$prefix/share/bro/site`` and +``$prefix/etc`` directories for files with a file extension of ``.example``, +which indicate that the distribution's version of the file differs from the +local one, and therefore, may include local changes. Review the +differences and make adjustments as necessary. Use the new version +for differences that aren't a result of a local change. + +Finally, if using BroControl, then issue the "broctl deploy" command. This +command will check for any policy script errors, install the new version +of Bro to all machines in your cluster, and then it will start Bro. Using a New Install Prefix ~~~~~~~~~~~~~~~~~~~~~~~~~~ To install the newer version in a different prefix directory than before, -copy local customization and configuration files from ``$prefix/share/bro/site`` -and ``$prefix/etc`` to the new location (``$prefix`` indicating the root of -where Bro was originally installed). Review the files for differences +first stop all running Bro instances in your cluster (if using BroControl, +then issue a "broctl stop" command on the manager host). Next, +install the new version of Bro in a new directory. + +Next, copy local customization and configuration files +from the ``$prefix/share/bro/site`` and ``$prefix/etc`` directories to the +new location (``$prefix`` indicating the root of where Bro was originally +installed). Review the files for differences before copying and make adjustments as necessary (use the new version for differences that aren't a result of a local change). Of particular note, the copied version of ``$prefix/etc/broctl.cfg`` is likely to need changes to any settings that specify a pathname. + +Finally, if using BroControl, then issue the "broctl deploy" command. This +command will check for any policy script errors, install the new version +of Bro to all machines in your cluster, and then it will start Bro. From 5745213326f9b88316e6c70e4393a9c7a706e7a9 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 11 Nov 2016 14:08:17 -0600 Subject: [PATCH 087/288] Fix minor typos in documentation of various scripts --- scripts/base/frameworks/intel/cluster.bro | 4 +-- scripts/base/frameworks/intel/files.bro | 2 +- scripts/base/frameworks/intel/main.bro | 7 ++-- scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/frameworks/netcontrol/plugin.bro | 2 +- scripts/base/protocols/dce-rpc/main.bro | 6 ++-- scripts/base/protocols/http/entities.bro | 4 +-- scripts/base/protocols/rfb/main.bro | 4 +-- scripts/base/protocols/smb/consts.bro | 8 ++--- scripts/base/protocols/ssl/consts.bro | 6 ++-- scripts/base/protocols/ssl/files.bro | 8 ++--- scripts/base/protocols/ssl/main.bro | 6 ++-- scripts/policy/frameworks/intel/do_notice.bro | 2 +- scripts/policy/misc/stats.bro | 2 +- scripts/policy/protocols/smb/main.bro | 32 +++++++++---------- scripts/policy/protocols/smb/smb1-main.bro | 2 +- scripts/policy/protocols/smb/smb2-main.bro | 2 +- scripts/policy/protocols/ssl/heartbleed.bro | 2 +- 18 files changed, 51 insertions(+), 50 deletions(-) diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 0727fb6746..820a5497a2 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro @@ -12,7 +12,7 @@ redef record Item += { first_dispatch: bool &default=T; }; -# If this process is not a manager process, we don't want the full metadata +# If this process is not a manager process, we don't want the full metadata. @if ( Cluster::local_node_type() != Cluster::MANAGER ) redef have_full_data = F; @endif @@ -20,7 +20,7 @@ redef have_full_data = F; # Internal event for cluster data distribution. global cluster_new_item: event(item: Item); -# Primary intelligence management is done by the manager: +# Primary intelligence management is done by the manager. # The manager informs the workers about new items and item removal. redef Cluster::manager2worker_events += /^Intel::(cluster_new_item|purge_item)$/; # A worker queries the manager to insert, remove or indicate the match of an item. diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.bro index 454f63352c..74fd156520 100644 --- a/scripts/base/frameworks/intel/files.bro +++ b/scripts/base/frameworks/intel/files.bro @@ -1,5 +1,5 @@ ##! File analysis framework integration for the intelligence framework. This -##! script manages file information in intelligence framework datastructures. +##! script manages file information in intelligence framework data structures. @load ./main diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index a9128d62f2..aa51af5ee0 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -1,6 +1,7 @@ -##! The intelligence framework provides a way to store and query intelligence data -##! (e.g. IP addresses, URLs and hashes). The intelligence items can be associated -##! with metadata to allow informed decisions about matching and handling. +##! The intelligence framework provides a way to store and query intelligence +##! data (e.g. IP addresses, URLs and hashes). The intelligence items can be +##! associated with metadata to allow informed decisions about matching and +##! handling. @load base/frameworks/notice diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 7cd8ead0c5..3f1a0de4dc 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -131,7 +131,7 @@ export { ## Default log extension function in the case that you would like to ## apply the same extensions to all logs. The function *must* return ## a record with all of the fields to be included in the log. The - ## default function included here does not return a value to indicate + ## default function included here does not return a value, which indicates ## that no extensions are added. const Log::default_ext_func: function(path: string): any = function(path: string) { } &redef; diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.bro index c4825095fb..2b432e7597 100644 --- a/scripts/base/frameworks/netcontrol/plugin.bro +++ b/scripts/base/frameworks/netcontrol/plugin.bro @@ -18,7 +18,7 @@ export { ## Set internally. _priority: int &default=+0; - ## Set internally. Signifies if the plugin has returned that it has activated succesfully. + ## Set internally. Signifies if the plugin has returned that it has activated successfully. _activated: bool &default=F; }; diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index 0ee908d13e..8fb5aa4285 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro @@ -26,8 +26,8 @@ export { operation : string &log &optional; }; - ## These are DCE-RPC operations that are ignored, typically due - ## the operations being noisy and low valueon most networks. + ## These are DCE-RPC operations that are ignored, typically due to + ## the operations being noisy and low value on most networks. const ignored_operations: table[string] of set[string] = { ["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "OpenLocalMachine", "BaseRegEnumKey", "OpenClassesRoot"), ["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"), @@ -158,7 +158,7 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) { if ( c?$dce_rpc ) { - # If there is noendpoint, there isn't much reason to log. + # If there is no endpoint, there isn't much reason to log. # This can happen if the request isn't seen. if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) && ( c$dce_rpc$endpoint !in ignored_operations diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro index d44147d2fc..bec89b536d 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.bro @@ -17,7 +17,7 @@ export { ## An ordered vector of file unique IDs. orig_fuids: vector of string &log &optional; - ## An order vector of filenames from the client. + ## An ordered vector of filenames from the client. orig_filenames: vector of string &log &optional; ## An ordered vector of mime types. @@ -26,7 +26,7 @@ export { ## An ordered vector of file unique IDs. resp_fuids: vector of string &log &optional; - ## An order vector of filenames from the server. + ## An ordered vector of filenames from the server. resp_filenames: vector of string &log &optional; ## An ordered vector of mime types. diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro index 3bcb86890b..ff05063538 100644 --- a/scripts/base/protocols/rfb/main.bro +++ b/scripts/base/protocols/rfb/main.bro @@ -18,12 +18,12 @@ export { client_minor_version: string &log &optional; ## Major version of the server. server_major_version: string &log &optional; - ## Major version of the client. + ## Minor version of the server. server_minor_version: string &log &optional; ## Identifier of authentication method used. authentication_method: string &log &optional; - ## Whether or not authentication was succesful. + ## Whether or not authentication was successful. auth: bool &log &optional; ## Whether the client has an exclusive or a shared session. diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro index b74b75fb37..862a0ae693 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.bro @@ -24,13 +24,13 @@ export { "MsFteWds", }; - ## The UUIDs used by the various RPC endpoints + ## The UUIDs used by the various RPC endpoints. const rpc_uuids: table[string] of string = { ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service", ["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service", } &redef &default=function(i: string):string { return fmt("unknown-uuid-%s", i); }; - ## Server service sub commands + ## Server service sub commands. const srv_cmds: table[count] of string = { [8] = "NetrConnectionEnum", [9] = "NetrFileEnum", @@ -81,7 +81,7 @@ export { [57] = "NetrShareDelEx", } &redef &default=function(i: count):string { return fmt("unknown-srv-command-%d", i); }; - ## Workstation service sub commands + ## Workstation service sub commands. const wksta_cmds: table[count] of string = { [0] = "NetrWkstaGetInfo", [1] = "NetrWkstaSetInfo", @@ -108,7 +108,7 @@ export { type rpc_cmd_table: table[count] of string; - ## The subcommands for RPC endpoints + ## The subcommands for RPC endpoints. const rpc_sub_cmds: table[string] of rpc_cmd_table = { ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = srv_cmds, ["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds, diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index d3def45513..6af08c13d0 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -30,7 +30,7 @@ export { return fmt("unknown-%d", i); }; - ## TLS content types: + # TLS content types: const CHANGE_CIPHER_SPEC = 20; const ALERT = 21; const HANDSHAKE = 22; @@ -41,7 +41,7 @@ export { const V2_CLIENT_MASTER_KEY = 302; const V2_SERVER_HELLO = 304; - ## TLS Handshake types: + # TLS Handshake types: const HELLO_REQUEST = 0; const CLIENT_HELLO = 1; const SERVER_HELLO = 2; @@ -215,7 +215,7 @@ export { [0xFF02] = "arbitrary_explicit_char2_curves" } &default=function(i: count):string { return fmt("unknown-%d", i); }; - ## Mapping between numeric codes and human readable string for SSL/TLC EC point formats. + ## Mapping between numeric codes and human readable string for SSL/TLS EC point formats. # See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9 const ec_point_formats: table[count] of string = { [0] = "uncompressed", diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index 90273639e5..fad0fa0483 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -11,7 +11,7 @@ export { ## complete signing chain. cert_chain: vector of Files::Info &optional; - ## An ordered vector of all certicate file unique IDs for the + ## An ordered vector of all certificate file unique IDs for the ## certificates offered by the server. cert_chain_fuids: vector of string &optional &log; @@ -19,7 +19,7 @@ export { ## complete signing chain. client_cert_chain: vector of Files::Info &optional; - ## An ordered vector of all certicate file unique IDs for the + ## An ordered vector of all certificate file unique IDs for the ## certificates offered by the client. client_cert_chain_fuids: vector of string &optional &log; @@ -116,8 +116,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori } Files::add_analyzer(f, Files::ANALYZER_X509); - # always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts + # Always calculate hashes. They are not necessary for base scripts + # but very useful for identification, and required for policy scripts. Files::add_analyzer(f, Files::ANALYZER_MD5); Files::add_analyzer(f, Files::ANALYZER_SHA1); } diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index a973ec3b71..858fa343bb 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -44,10 +44,10 @@ export { ## is being resumed. It's not logged. client_key_exchange_seen: bool &default=F; ## Count to track if the server already sent an application data - ## packet fot TLS 1.3. Used to track when a session was established. + ## packet for TLS 1.3. Used to track when a session was established. server_appdata: count &default=0; ## Flag to track if the client already sent an application data - ## packet fot TLS 1.3. Used to track when a session was established. + ## packet for TLS 1.3. Used to track when a session was established. client_appdata: bool &default=F; ## Last alert that was seen during the connection. @@ -62,7 +62,7 @@ export { analyzer_id: count &optional; ## Flag to indicate if this ssl session has been established - ## succesfully, or if it was aborted during the handshake. + ## successfully, or if it was aborted during the handshake. established: bool &log &default=F; ## Flag to indicate if this record already has been logged, to diff --git a/scripts/policy/frameworks/intel/do_notice.bro b/scripts/policy/frameworks/intel/do_notice.bro index fc75a8efee..094b5aeb5e 100644 --- a/scripts/policy/frameworks/intel/do_notice.bro +++ b/scripts/policy/frameworks/intel/do_notice.bro @@ -7,7 +7,7 @@ module Intel; export { redef enum Notice::Type += { - ## Intel::Notice is a notice that happens when an intelligence + ## This notice is generated when an intelligence ## indicator is denoted to be notice-worthy. Intel::Notice }; diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro index 4dee0d4128..c307ece849 100644 --- a/scripts/policy/misc/stats.bro +++ b/scripts/policy/misc/stats.bro @@ -74,7 +74,7 @@ export { reassem_file_size: count &log; ## Current size of packet fragment data in reassembly. reassem_frag_size: count &log; - ## Current size of unkown data in reassembly (this is only PIA buffer right now). + ## Current size of unknown data in reassembly (this is only PIA buffer right now). reassem_unknown_size: count &log; }; diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index 61a2548f6c..f3185a89bb 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -64,7 +64,7 @@ export { name : string &log &optional; ## Total size of the file. size : count &log &default=0; - ## If the rename action was seen, this will + ## If the rename action was seen, this will be ## the file's previous name. prev_name : string &log &optional; ## Last time this file was modified. @@ -82,7 +82,7 @@ export { ## Name of the tree path. path : string &log &optional; - ## The type of resource of the tree (disk share, printer share, named pipe, etc.) + ## The type of resource of the tree (disk share, printer share, named pipe, etc.). service : string &log &optional; ## File system of the tree. native_file_system : string &log &optional; @@ -93,34 +93,34 @@ export { ## This record is for the smb_cmd.log type CmdInfo: record { - ## Timestamp of the command request + ## Timestamp of the command request. ts : time &log; - ## Unique ID of the connection the request was sent over + ## Unique ID of the connection the request was sent over. uid : string &log; - ## ID of the connection the request was sent over + ## ID of the connection the request was sent over. id : conn_id &log; - ## The command sent by the client + ## The command sent by the client. command : string &log; - ## The subcommand sent by the client, if present + ## The subcommand sent by the client, if present. sub_command : string &log &optional; - ## Command argument sent by the client, if any + ## Command argument sent by the client, if any. argument : string &log &optional; - ## Server reply to the client's command + ## Server reply to the client's command. status : string &log &optional; ## Round trip time from the request to the response. rtt : interval &log &optional; - ## Version of SMB for the command + ## Version of SMB for the command. version : string &log; - ## Authenticated username, if available + ## Authenticated username, if available. username : string &log &optional; ## If this is related to a tree, this is the tree ## that was used for the current command. tree : string &log &optional; - ## The type of tree (disk share, printer share, named pipe, etc.) + ## The type of tree (disk share, printer share, named pipe, etc.). tree_service : string &log &optional; ## If the command referenced a file, store it here. @@ -166,8 +166,8 @@ export { smb_state : State &optional; }; - ## Internal use only - ## Some commands shouldn't be logged by the smb1_message event + ## Internal use only. + ## Some commands shouldn't be logged by the smb1_message event. const deferred_logging_cmds: set[string] = { "NEGOTIATE", "READ_ANDX", @@ -186,7 +186,7 @@ redef record FileInfo += { ## ID referencing this file. fid : count &optional; - ## UUID referencing this file if DCE/RPC + ## UUID referencing this file if DCE/RPC. uuid : string &optional; }; @@ -264,4 +264,4 @@ event file_state_remove(f: fa_file) &priority=-5 } return; } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index 3e7f43cf45..853d83b01f 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro @@ -3,7 +3,7 @@ module SMB1; redef record SMB::CmdInfo += { - ## Dialects offered by the client + ## Dialects offered by the client. smb1_offered_dialects: string_vec &optional; }; diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 726851dee4..1dc3a10654 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -3,7 +3,7 @@ module SMB2; redef record SMB::CmdInfo += { - ## Dialects offered by the client + ## Dialects offered by the client. smb2_offered_dialects: index_vec &optional; }; diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro index 77a5e9832a..783961bef2 100644 --- a/scripts/policy/protocols/ssl/heartbleed.bro +++ b/scripts/policy/protocols/ssl/heartbleed.bro @@ -13,7 +13,7 @@ export { SSL_Heartbeat_Attack_Success, ## Indicates we saw heartbeat requests with odd length. Probably an attack or scan. SSL_Heartbeat_Odd_Length, - ## Indicates we saw many heartbeat requests without an reply. Might be an attack. + ## Indicates we saw many heartbeat requests without a reply. Might be an attack. SSL_Heartbeat_Many_Requests }; } From 615659056642d293ccb1abeadece40df1c0a3826 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 11 Nov 2016 15:41:25 -0600 Subject: [PATCH 088/288] Remove unused "bindist" make target The "pkg" subdirectory was removed in commit 19d66be0. --- Makefile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 3efddc4dbc..74e8c3aa3e 100644 --- a/Makefile +++ b/Makefile @@ -42,10 +42,6 @@ dist: @$(HAVE_MODULES) && find $(VERSION_MIN) -name .git\* | xargs rm -rf || exit 0 @$(HAVE_MODULES) && tar -czf $(VERSION_MIN).tgz $(VERSION_MIN) && echo Package: $(VERSION_MIN).tgz && rm -rf $(VERSION_MIN) || exit 0 -bindist: - @( cd pkg && ( ./make-deb-packages || ./make-mac-packages || \ - ./make-rpm-packages ) ) - distclean: rm -rf $(BUILD) $(MAKE) -C testing $@ @@ -65,4 +61,4 @@ configured: @test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 ) @test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 ) -.PHONY : all install clean doc docclean dist bindist distclean configured +.PHONY : all install clean doc docclean dist distclean configured From 67160338ba3a3ae60cb4cbceb97580edbf703bd7 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 11 Nov 2016 16:03:28 -0600 Subject: [PATCH 089/288] Update NEWS Fixed minor typos and formatting, and added new info. --- NEWS | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index c4aeb6133a..342c47b246 100644 --- a/NEWS +++ b/NEWS @@ -31,17 +31,18 @@ New Functionality transferred over SMB can be analyzed. - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC analyzer. - - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log + - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, + and dce_rpc.log - Not every possible SMB command or functionality is implemented, but generally, file handling should work whenever files are transferred. Please speak up on the mailing list if there is an obvious oversight. - Bro now includes the NetControl framework. The framework allows for easy interaction of Bro with hard- and software switches, firewalls, etc. - New log files: net_control.log, netcontrol_catch_release.log, + New log files: netcontrol.log, netcontrol_catch_release.log, netcontrol_drop.log, and netcontrol_shunt.log. -- Bro now includes the OpenFlow framework which exposes the datastructures +- Bro now includes the OpenFlow framework which exposes the data structures necessary to interface to OpenFlow capable hardware. - Bro's Intelligence Framework was refactored and new functionality @@ -89,8 +90,8 @@ New Functionality groups in TLS 1.3. - The new event ssl_application_data gives information about application data - that is exchanged before encryption fully starts. This is used to detect when - encryption starts in TLS 1.3. + that is exchanged before encryption fully starts. This is used to detect + when encryption starts in TLS 1.3. - Bro now tracks VLAN IDs. To record them inside the connection log, load protocols/conn/vlan-logging.bro. @@ -320,6 +321,10 @@ Changed Functionality the crash report includes instructions on how to get backtraces included in future crash reports. + - There is a new option SitePolicyScripts that replaces SitePolicyStandalone + (the old option is still available, but will be removed in the next + release). + Removed Functionality --------------------- From 475682ba7fa5a02cb8a33123f1794be2cd4be43d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 14 Nov 2016 09:48:33 -0600 Subject: [PATCH 090/288] Fix minor typos in documentation Some of these fixes are for broken links in the auto-generated docs. --- scripts/base/frameworks/broker/main.bro | 1 + scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/init-bare.bro | 6 ++--- .../policy/protocols/conn/vlan-logging.bro | 2 +- src/bro.bif | 22 +++++++++---------- 5 files changed, 17 insertions(+), 16 deletions(-) diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 0818855d8f..835a9ed796 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -14,6 +14,7 @@ module Broker; export { ## A name used to identify this endpoint to peers. + ## ## .. bro:see:: Broker::connect Broker::listen const endpoint_name = "" &redef; diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 3f1a0de4dc..998a0e0f6c 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -348,7 +348,7 @@ export { ## to handle, or one of the stream's filters has an invalid ## ``path_func``. ## - ## .. bro:see: Log::enable_stream Log::disable_stream + ## .. bro:see:: Log::enable_stream Log::disable_stream global write: function(id: ID, columns: any) : bool; ## Sets the buffering status for all the writers of a given logging stream. diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 5a5732de4a..d170d17d80 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1129,7 +1129,7 @@ const CONTENTS_BOTH = 3; ##< Record both originator and responder contents. # Values for code of ICMP *unreachable* messages. The list is not exhaustive. # todo:: these should go into an enum to make them autodoc'able # -# .. bro:see:: :bro:see:`icmp_unreachable ` +# .. bro:see:: icmp_unreachable const ICMP_UNREACH_NET = 0; ##< Network unreachable. const ICMP_UNREACH_HOST = 1; ##< Host unreachable. const ICMP_UNREACH_PROTOCOL = 2; ##< Protocol unreachable. @@ -2540,7 +2540,7 @@ export { ## only comes into play as a heuristic to identify named ## pipes when the drive mapping wasn't seen by Bro. ## - ## .. bro:see::smb_pipe_connect_heuristic + ## .. bro:see:: smb_pipe_connect_heuristic const SMB::pipe_filenames: set[string] &redef; } @@ -3098,7 +3098,7 @@ type dns_edns_additional: record { ## An additional DNS TSIG record. ## -## bro:see:: dns_TSIG_addl +## .. bro:see:: dns_TSIG_addl type dns_tsig_additional: record { query: string; ##< Query. qtype: count; ##< Query type. diff --git a/scripts/policy/protocols/conn/vlan-logging.bro b/scripts/policy/protocols/conn/vlan-logging.bro index e0692c5ab5..bf5400dae7 100644 --- a/scripts/policy/protocols/conn/vlan-logging.bro +++ b/scripts/policy/protocols/conn/vlan-logging.bro @@ -1,4 +1,4 @@ -##! This script add VLAN information to the connection logs +##! This script adds VLAN information to the connection log. @load base/protocols/conn diff --git a/src/bro.bif b/src/bro.bif index b23a673634..e086bb8ae9 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1029,7 +1029,7 @@ function clear_table%(v: any%): any return 0; %} -## Gets all subnets that contain a given subnet from a set/table[subnet] +## Gets all subnets that contain a given subnet from a set/table[subnet]. ## ## search: the subnet to search for. ## @@ -1047,8 +1047,8 @@ function matching_subnets%(search: subnet, t: any%): subnet_vec return t->AsTableVal()->LookupSubnets(search); %} -## For a set[subnet]/table[subnet], create a new table that contains all entries that -## contain a given subnet. +## For a set[subnet]/table[subnet], create a new table that contains all entries +## that contain a given subnet. ## ## search: the subnet to search for. ## @@ -1067,7 +1067,7 @@ function filter_subnet_table%(search: subnet, t: any%): any %} ## Checks if a specific subnet is a member of a set/table[subnet]. -## In difference to the ``in`` operator, this performs an exact match, not +## In contrast to the ``in`` operator, this performs an exact match, not ## a longest prefix match. ## ## search: the subnet to search for. @@ -1994,7 +1994,7 @@ function is_v6_addr%(a: addr%): bool ## ## s: the subnet to check. ## -## Returns: true if *a* is an IPv4 subnet, else false. +## Returns: true if *s* is an IPv4 subnet, else false. function is_v4_subnet%(s: subnet%): bool %{ if ( s->AsSubNet().Prefix().GetFamily() == IPv4 ) @@ -2007,7 +2007,7 @@ function is_v4_subnet%(s: subnet%): bool ## ## s: the subnet to check. ## -## Returns: true if *a* is an IPv6 subnet, else false. +## Returns: true if *s* is an IPv6 subnet, else false. function is_v6_subnet%(s: subnet%): bool %{ if ( s->AsSubNet().Prefix().GetFamily() == IPv6 ) @@ -2311,7 +2311,7 @@ function to_subnet%(sn: string%): subnet ## ## a: The address to convert. ## -## Returns: The *a* address as a :bro:type:`subnet`. +## Returns: The address as a :bro:type:`subnet`. ## ## .. bro:see:: to_subnet function addr_to_subnet%(a: addr%): subnet @@ -2320,12 +2320,12 @@ function addr_to_subnet%(a: addr%): subnet return new SubNetVal(a->AsAddr(), width); %} -## Converts a :bro:type:`subnet` to a :bro:type:`addr` by +## Converts a :bro:type:`subnet` to an :bro:type:`addr` by ## extracting the prefix. ## -## s: The subnet to convert. +## sn: The subnet to convert. ## -## Returns: The *s* subnet as a :bro:type:`addr`. +## Returns: The subnet as an :bro:type:`addr`. ## ## .. bro:see:: to_subnet function subnet_to_addr%(sn: subnet%): addr @@ -2335,7 +2335,7 @@ function subnet_to_addr%(sn: subnet%): addr ## Returns the width of a :bro:type:`subnet`. ## -## s: The subnet to convert. +## sn: The subnet. ## ## Returns: The width of the subnet. ## From 15a825eb2dd49db9a2c0e64f314ba5a140b0c0ca Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 14 Nov 2016 14:44:58 -0600 Subject: [PATCH 091/288] Fixed some warnings seen while running "make doc" Moved the definitions of DCE_RPC::BackingState and DCE_RPC::State types into the export block. These types are used in the redef of the "connection" record. --- scripts/base/protocols/dce-rpc/main.bro | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index 8fb5aa4285..3b028131f3 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro @@ -33,22 +33,22 @@ export { ["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"), ["wkssvc"] = set("NetrWkstaGetInfo"), } &redef; + + type State: record { + uuid : string &optional; + named_pipe : string &optional; + }; + + # This is to store the log and state information + # for multiple DCE/RPC bindings over a single TCP connection (named pipes). + type BackingState: record { + info: Info; + state: State; + }; } redef DPD::ignore_violations += { Analyzer::ANALYZER_DCE_RPC }; -type State: record { - uuid : string &optional; - named_pipe : string &optional; -}; - -# This is to store the log and state information -# for multiple DCE/RPC bindings over a single TCP connection (named pipes). -type BackingState: record { - info: Info; - state: State; -}; - redef record connection += { dce_rpc: Info &optional; dce_rpc_state: State &optional; From 2f40034c65cde8302996536bc8e0d16fecd8c774 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 14 Nov 2016 14:54:13 -0600 Subject: [PATCH 092/288] Correct one statement in NEWS --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 342c47b246..9aa1e35c7c 100644 --- a/NEWS +++ b/NEWS @@ -120,7 +120,7 @@ New Functionality - matching_subnets(subnet, table) returns all subnets of the set or table that contain the given subnet. - - filter_subnet_table(subnet, table) works like check_subnet, but returns + - filter_subnet_table(subnet, table) works like matching_subnets, but returns a table containing all matching entries. - Several built-in functions for handling IP addresses and subnets were added: From 53d05fb24f2391f9546e41c0dd32e4f1a13a773b Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 14 Nov 2016 14:59:19 -0600 Subject: [PATCH 093/288] Update a test baseline The number of lines in scripts/base/frameworks/intel/main.bro changed recently. --- .../scripts.base.frameworks.intel.remove-non-existing/output | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 7b4e5003c4..9cb4a7c9ff 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -6,6 +6,6 @@ #open 2016-09-20-22-35-58 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 507-508 0.000000 Reporter::INFO received termination signal (empty) #close 2016-09-20-22-35-59 From a848b8785b9f082a7650ae8f0e81dc289afad4d6 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 14 Nov 2016 17:54:54 -0800 Subject: [PATCH 094/288] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 93b7a8712f..7660b5f4c5 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 93b7a8712f2d7f3a4b53f0009a461b6377222c7e +Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 From e9b0639ccb72a9a4da0e5cd3cb7a09a66e431e3c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 14 Nov 2016 17:59:19 -0800 Subject: [PATCH 095/288] Adding missing '@load ./pubkey-hashes' to policy/frameworks/intel/seen. --- CHANGES | 5 +++++ VERSION | 2 +- scripts/policy/frameworks/intel/seen/__load__.bro | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 2ac78f35fe..7ded95e7eb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-beta2-17 | 2016-11-14 17:59:19 -0800 + + * Add missing '@load ./pubkey-hashes' to + policy/frameworks/intel/seen. (Robin Sommer) + 2.5-beta2-15 | 2016-11-14 17:52:55 -0800 * Remove unused "bindist" make target. (Daniel Thayer) diff --git a/VERSION b/VERSION index e379bb6716..9398323293 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-beta2-15 +2.5-beta2-17 diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.bro index 807bf0fcb2..d364e8c587 100644 --- a/scripts/policy/frameworks/intel/seen/__load__.bro +++ b/scripts/policy/frameworks/intel/seen/__load__.bro @@ -4,6 +4,7 @@ @load ./file-names @load ./http-headers @load ./http-url +@load ./pubkey-hashes @load ./ssl @load ./smtp @load ./smtp-url-extraction From a984a30fd04f641c67aeecf6231ae342426e4f68 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 15 Nov 2016 13:23:34 -0800 Subject: [PATCH 096/288] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index c6720dc1ab..591372db92 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit c6720dc1ab66b9e0630a337a5b562bb0eb30f2be +Subproject commit 591372db9256392f9c33d174f20c9ab85264c34f From c1da7b4840455b3d5479d21ee192599d8c6d8bd1 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 15 Nov 2016 13:24:08 -0800 Subject: [PATCH 097/288] Updating submodule(s). [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 7ded95e7eb..7b875ccc54 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-beta2-19 | 2016-11-15 13:24:08 -0800 + + * Updating submodule(s). + 2.5-beta2-17 | 2016-11-14 17:59:19 -0800 * Add missing '@load ./pubkey-hashes' to diff --git a/VERSION b/VERSION index 9398323293..b12533059e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-beta2-17 +2.5-beta2-19 diff --git a/aux/broctl b/aux/broctl index 591372db92..b2084d6409 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 591372db9256392f9c33d174f20c9ab85264c34f +Subproject commit b2084d64090e9cb481d01747ba06e3f3d6e90424 From 0bfd6424ab9f3ccfede19a9d3e81e61909925bc9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 15 Nov 2016 13:25:25 -0800 Subject: [PATCH 098/288] Updating submodule(s). [nomail] --- CHANGES | 4 ++-- VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 7b875ccc54..7557c8494d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,7 @@ -2.5-beta2-19 | 2016-11-15 13:24:08 -0800 +2.5 | 2016-11-15 13:25:25 -0800 - * Updating submodule(s). + * Release 2.5. 2.5-beta2-17 | 2016-11-14 17:59:19 -0800 diff --git a/VERSION b/VERSION index b12533059e..95e3ba8192 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-beta2-19 +2.5 diff --git a/aux/broctl b/aux/broctl index b2084d6409..7fdb16a244 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit b2084d64090e9cb481d01747ba06e3f3d6e90424 +Subproject commit 7fdb16a2442ef55b7a21b84a6a10ff0195d5e1bf From 7b44974a58181df657bd1edbe734e923d68b9ecc Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 16 Nov 2016 14:51:59 -0800 Subject: [PATCH 099/288] Updating submodule(s). [nomail] --- CHANGES | 2 +- aux/broctl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 7557c8494d..37e5b44863 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5 | 2016-11-15 13:25:25 -0800 +2.5 | 2016-11-16 14:51:59 -0800 * Release 2.5. diff --git a/aux/broctl b/aux/broctl index 7fdb16a244..66731334ce 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 7fdb16a2442ef55b7a21b84a6a10ff0195d5e1bf +Subproject commit 66731334ce99426689012f3fe2a3d376764004ee From 4b4ccabd703b8d5c8ee2b0a10bc83c9ab75df3a1 Mon Sep 17 00:00:00 2001 From: jamesecorrenti Date: Tue, 22 Nov 2016 16:41:56 -0500 Subject: [PATCH 100/288] Update krb-types.pac KerberosString formatting for principal name to be compliant with RFC 4120 section 5.2.2, which states that there can be a few components (and in practice we have seen 3, more than the 1 or 2 that is typical) --- src/analyzer/protocol/krb/krb-types.pac | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index 07418b3a71..0195f66acd 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -19,7 +19,9 @@ Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname) return bytestring_to_val(pname->data()[0][0]->encoding()->content()); if ( pname->data()->size() == 2 ) return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin())); - + if ( pname->data()->size() == 3 )  # if the name-string has a third value, this will just append it, else this will return unkown as the principal name + return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin())); + return new StringVal("unknown"); } From 5845737c0ca08f03d2d0a3c5fb2afaa535145872 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 29 Nov 2016 10:55:18 -0600 Subject: [PATCH 101/288] Fix a typo --- src/analyzer/protocol/krb/krb-types.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index 0195f66acd..e398d78b45 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -19,7 +19,7 @@ Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname) return bytestring_to_val(pname->data()[0][0]->encoding()->content()); if ( pname->data()->size() == 2 ) return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin())); - if ( pname->data()->size() == 3 )  # if the name-string has a third value, this will just append it, else this will return unkown as the principal name + if ( pname->data()->size() == 3 )  # if the name-string has a third value, this will just append it, else this will return unknown as the principal name return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin())); return new StringVal("unknown"); From e198fba2d9da034e4189f0ee17650193045ae25f Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 29 Nov 2016 13:40:11 -0600 Subject: [PATCH 102/288] Fix a build failure on OpenBSD The definition of a "struct pcap_pkthdr" on OpenBSD contains a member of type "struct bpf_timeval" instead of "struct timeval" used on other systems. Also, on OpenBSD the header netinet/if_ether.h does not #include net/if_arp.h as it does on other systems. --- src/Sessions.cc | 2 +- src/bro.bif | 2 +- src/iosource/Packet.cc | 5 +++-- src/iosource/Packet.h | 15 +++++++++++---- 4 files changed, 16 insertions(+), 8 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index b60ab52ce6..9361b7cde2 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -761,7 +761,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, uint32 caplen, len; caplen = len = inner->TotalLen(); - struct timeval ts; + pkt_timeval ts; int link_type; Layer3Proto l3_proto; diff --git a/src/bro.bif b/src/bro.bif index e086bb8ae9..e168016f5e 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3343,7 +3343,7 @@ function dump_packet%(pkt: pcap_packet, file_name: string%) : bool if ( addl_pkt_dumper ) { - struct timeval ts; + pkt_timeval ts; uint32 caplen, len, link_type; u_char *data; diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 6b3bbe40f3..91bba76ba6 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -9,13 +9,14 @@ extern "C" { #elif defined(HAVE_SYS_ETHERNET_H) #include #elif defined(HAVE_NETINET_IF_ETHER_H) +#include #include #elif defined(HAVE_NET_ETHERTYPES_H) #include #endif } -void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen, +void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32 arg_caplen, uint32 arg_len, const u_char *arg_data, int arg_copy, std::string arg_tag) { @@ -588,7 +589,7 @@ static iosource::PktDumper* dump = 0; Packet* Packet::Unserialize(UnserialInfo* info) { - struct timeval ts; + pkt_timeval ts; uint32 len, link_type; if ( ! (UNSERIALIZE((uint32 *)&ts.tv_sec) && diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 5414e2ca0e..ec29f39ff5 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -5,6 +5,13 @@ #include "IP.h" #include "NetVar.h" +#if defined(__OpenBSD__) +#include +typedef struct bpf_timeval pkt_timeval; +#else +typedef struct timeval pkt_timeval; +#endif + /** * The Layer 3 type of a packet, as determined by the parsing code in Packet. */ @@ -48,7 +55,7 @@ public: * @param tag A textual tag to associate with the packet for * differentiating the input streams. */ - Packet(int link_type, struct timeval *ts, uint32 caplen, + Packet(int link_type, pkt_timeval *ts, uint32 caplen, uint32 len, const u_char *data, int copy = false, std::string tag = std::string("")) : data(0), l2_src(0), l2_dst(0) @@ -61,7 +68,7 @@ public: */ Packet() : data(0), l2_src(0), l2_dst(0) { - struct timeval ts = {0, 0}; + pkt_timeval ts = {0, 0}; Init(0, &ts, 0, 0, 0); } @@ -96,7 +103,7 @@ public: * @param tag A textual tag to associate with the packet for * differentiating the input streams. */ - void Init(int link_type, struct timeval *ts, uint32 caplen, + void Init(int link_type, pkt_timeval *ts, uint32 caplen, uint32 len, const u_char *data, int copy = false, std::string tag = std::string("")); @@ -155,7 +162,7 @@ public: // These are passed in through the constructor. std::string tag; /// Used in serialization double time; /// Timestamp reconstituted as float - struct timeval ts; /// Capture timestamp + pkt_timeval ts; /// Capture timestamp const u_char* data; /// Packet data. uint32 len; /// Actual length on wire uint32 cap_len; /// Captured packet length From beaf491fa3f4afec5c345857510aa8587f1478e9 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 29 Nov 2016 12:41:15 -0800 Subject: [PATCH 103/288] Fix compile error in krb-types.pac. Introduced in 15f2b30c73d9fecb2f136fbc2de2c3cb0a97daeb --- src/analyzer/protocol/krb/krb-types.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index e398d78b45..a5b2eb1041 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -19,9 +19,9 @@ Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname) return bytestring_to_val(pname->data()[0][0]->encoding()->content()); if ( pname->data()->size() == 2 ) return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin())); - if ( pname->data()->size() == 3 )  # if the name-string has a third value, this will just append it, else this will return unknown as the principal name + if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin())); - + return new StringVal("unknown"); } From b39594408c11393e76ae6e71d713d50deef55ff4 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 30 Nov 2016 10:32:16 -0800 Subject: [PATCH 104/288] Update submodules [nomail] --- aux/binpac | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/binpac b/aux/binpac index 0965c0453a..a0990e61ad 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0965c0453aacec5b44d1a99016748998671cc1c2 +Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 diff --git a/src/3rdparty b/src/3rdparty index a59b3ad696..5d03436d9d 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit a59b3ad696c389611c327dc1af1909682c5396f6 +Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 From 37a51b354ebd49ac58ec3d3ddafdd530a3db905b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 30 Nov 2016 13:17:09 -0800 Subject: [PATCH 105/288] Fix validation of OCSP replies inside of Bro. At one place in the code, we do not check the correct return code. This makes it possible for a reply to get a response of "good", when the ocsp reply is not actually signed by the responder in question. This also instructs ocsp verication to skip certificate chain validation, which we do ourselves earlier because the OCSP verify function cannot do it correctly (no way to pass timestamp). --- src/file_analysis/analyzer/x509/functions.bif | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index c977c746d4..ca23f77d28 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -338,8 +338,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c goto x509_ocsp_cleanup; } - out = OCSP_basic_verify(basic, NULL, ctx, 0); - if ( result < 1 ) + // We pass OCSP_NOVERIFY to let OCSP_basic_verify skip the chain verification. + // With that, it only verifies the signature of the basic response and we are responsible + // for the chain ourselves. We have to do that since we cannot get OCSP_basic_verify to use our timestamp. + out = OCSP_basic_verify(basic, NULL, ctx, OCSP_NOVERIFY); + if ( out < 1 ) { rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL)); goto x509_ocsp_cleanup; From de1c13e3a380bf8b30ccecf1fc28fd4c8967952e Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 1 Dec 2016 16:35:54 -0600 Subject: [PATCH 106/288] Fix test core.pcap.dumper to work on OpenBSD The sdiff command on OpenBSD truncates the output at a different position than sdiff on other platforms. Simple fix is to use diff instead of sdiff. --- testing/btest/Baseline/core.pcap.dumper/output | 5 ++++- testing/btest/core/pcap/dumper.bro | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/testing/btest/Baseline/core.pcap.dumper/output b/testing/btest/Baseline/core.pcap.dumper/output index c32a9e1b5e..1fef85cb6f 100644 --- a/testing/btest/Baseline/core.pcap.dumper/output +++ b/testing/btest/Baseline/core.pcap.dumper/output @@ -1 +1,4 @@ -00000010 ff ff 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 | | 00000010 00 20 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 | +2c2 +< 00000010 ff ff 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 |...........Ns...| +--- +> 00000010 00 20 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 |. .........Ns...| diff --git a/testing/btest/core/pcap/dumper.bro b/testing/btest/core/pcap/dumper.bro index c8d03bc783..facb86a830 100644 --- a/testing/btest/core/pcap/dumper.bro +++ b/testing/btest/core/pcap/dumper.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/workshop_2011_browse.trace -w dump # @TEST-EXEC: hexdump -C $TRACES/workshop_2011_browse.trace >1 # @TEST-EXEC: hexdump -C dump >2 -# @TEST-EXEC: sdiff -s 1 2 | awk '{ gsub(/\t/, " "); print }' >output || true +# @TEST-EXEC: diff 1 2 >output || true # @TEST-EXEC: btest-diff output From 31e46d37f0c8ce5edb6949aa1337c926c41beb43 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 2 Dec 2016 13:17:30 -0600 Subject: [PATCH 107/288] Fix a build failure on OpenBSD The wordexp function doesn't exist in OpenBSD. Skipping this functionality only affects users who have bro installed in a directory in the PATH and the directory name as it appears in PATH starts with a tilde (e.g. "~/bin"). A simple workaround for affected users would be to change the PATH environment variable to not contain any tildes. --- src/broxygen/Manager.cc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc index 7e2a0067d5..32a0b7d924 100644 --- a/src/broxygen/Manager.cc +++ b/src/broxygen/Manager.cc @@ -6,7 +6,9 @@ #include #include +#if !defined(__OpenBSD__) #include +#endif using namespace broxygen; using namespace std; @@ -66,9 +68,11 @@ Manager::Manager(const string& arg_config, const string& bro_command) const char* env_path = getenv("PATH"); string path = env_path ? string(env_path) + ":." : "."; + string path_to_bro; + +#if !defined(__OpenBSD__) wordexp_t expanded_path; wordexp(path.c_str(), &expanded_path, WRDE_NOCMD); - string path_to_bro; if ( expanded_path.we_wordc == 1 ) path_to_bro = find_file(bro_command, expanded_path.we_wordv[0]); @@ -77,6 +81,9 @@ Manager::Manager(const string& arg_config, const string& bro_command) reporter->InternalWarning("odd expansion of path: %s\n", path.c_str()); path_to_bro = find_file(bro_command, path); } +#else + path_to_bro = find_file(bro_command, path); +#endif struct stat s; From f107336f2189297b9408727e08d076bd7f0113f4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 2 Dec 2016 16:15:12 -0600 Subject: [PATCH 108/288] Fix compiler warnings on OpenBSD Needed to add an "#include" to get the declaration of "struct in_addr". --- src/patricia.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/patricia.c b/src/patricia.c index 5ec6e2a27c..9d18adf14c 100644 --- a/src/patricia.c +++ b/src/patricia.c @@ -64,6 +64,7 @@ static char copyright[] = #include /* sprintf, fprintf, stderr */ #include /* free, atol, calloc */ #include /* memcpy, strchr, strlen */ +#include /* for struct in_addr */ #include /* for inet_addr */ #include /* for u_short, etc. */ #include From 19d47ec6a9f864bd61d7d880f0bf282b920e1405 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Dec 2016 15:54:21 -0800 Subject: [PATCH 109/288] Update submodule [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index 9e9ddaec5d..8761ca7cb0 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 9e9ddaec5db1c80d7f5b637d38515ca82b7eb737 +Subproject commit 8761ca7cb058c3a409eedb87b8b2fe166076405b From 9059af657944efa80113641ceb1748120ef3c3bc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Dec 2016 16:17:54 -0800 Subject: [PATCH 110/288] Update submodule [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index 8761ca7cb0..0a2f021527 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 8761ca7cb058c3a409eedb87b8b2fe166076405b +Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 From 0581364d86cdbbd0f84482aa1a3ff84da68de881 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 6 Dec 2016 10:46:29 -0600 Subject: [PATCH 111/288] Fix a failing test on OpenBSD Update a test due to the changes in commit e198fba2. --- testing/btest/plugins/pktsrc-plugin/src/Foo.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/plugins/pktsrc-plugin/src/Foo.cc b/testing/btest/plugins/pktsrc-plugin/src/Foo.cc index af752a20bf..b2b768b4ba 100644 --- a/testing/btest/plugins/pktsrc-plugin/src/Foo.cc +++ b/testing/btest/plugins/pktsrc-plugin/src/Foo.cc @@ -44,7 +44,7 @@ bool Foo::ExtractNextPacket(Packet* pkt) return false; } - struct timeval ts = { 1409193037, 0 }; + pkt_timeval ts = { 1409193037, 0 }; pkt->Init(props.link_type, &ts, packet.size(), packet.size(), (const u_char *)packet.c_str()); return true; From 85ddd3ca8bcacf8dbdd91dd60c2463951c03d03f Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 7 Dec 2016 16:42:44 -0600 Subject: [PATCH 112/288] Remove wordexp functionality from broxygen Broxygen no longer attempts to do tilde expansion of PATH components when trying to get the mtime of Bro (this involved removing the wordexp functionality, which doesn't exist on OpenBSD). In the very unlikely event that this causes problems for someone (this could occur by running "bro -X configfile" if bro is located in a PATH component which starts with a tilde, such as "~/bin"), the error message text has been improved so that a user knows the workaround for this (just run bro with a relative or absolute path). Broxygen also no longer attempts to get the mtime of the bro executable when bro wasn't invoked with the "-X" option. --- src/broxygen/Manager.cc | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc index 32a0b7d924..9e33e6919b 100644 --- a/src/broxygen/Manager.cc +++ b/src/broxygen/Manager.cc @@ -6,9 +6,6 @@ #include #include -#if !defined(__OpenBSD__) -#include -#endif using namespace broxygen; using namespace std; @@ -63,32 +60,23 @@ Manager::Manager(const string& arg_config, const string& bro_command) if ( getenv("BRO_DISABLE_BROXYGEN") ) disabled = true; - if ( disabled ) + // If running bro without the "-X" option, then we don't need bro_mtime. + if ( disabled || arg_config.empty() ) return; + // Find the absolute or relative path to bro by checking each PATH + // component and also the current directory (so that this works if + // bro_command is a relative path). const char* env_path = getenv("PATH"); string path = env_path ? string(env_path) + ":." : "."; - string path_to_bro; - -#if !defined(__OpenBSD__) - wordexp_t expanded_path; - wordexp(path.c_str(), &expanded_path, WRDE_NOCMD); - - if ( expanded_path.we_wordc == 1 ) - path_to_bro = find_file(bro_command, expanded_path.we_wordv[0]); - else - { - reporter->InternalWarning("odd expansion of path: %s\n", path.c_str()); - path_to_bro = find_file(bro_command, path); - } -#else - path_to_bro = find_file(bro_command, path); -#endif - + string path_to_bro = find_file(bro_command, path); struct stat s; + // One way that find_file() could fail is when bro is located in + // a PATH component that starts with a tilde (such as "~/bin"). A simple + // workaround is to just run bro with a relative or absolute path. if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 ) - reporter->InternalError("Broxygen can't get mtime of bro binary %s: %s", + reporter->InternalError("Broxygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s", path_to_bro.c_str(), strerror(errno)); bro_mtime = s.st_mtime; From 8eddeed78f9e67c6f086bd8da70d7de290694457 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 7 Dec 2016 15:28:34 -0800 Subject: [PATCH 113/288] Allow access to global variables using GLOBAL:: namespace. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses BIT-1758. Patch was contributed by François Pennaneach . --- src/module_util.cc | 5 +++++ testing/btest/Baseline/language.no-module/out | 1 + testing/btest/language/no-module.bro | 1 + 3 files changed, 7 insertions(+) diff --git a/src/module_util.cc b/src/module_util.cc index d9aa1af645..d5817a7d7a 100644 --- a/src/module_util.cc +++ b/src/module_util.cc @@ -52,7 +52,12 @@ string make_full_var_name(const char* module_name, const char* var_name) { if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) || strstr(var_name, "::") ) + { + if ( streq(GLOBAL_MODULE_NAME, extract_module_name(var_name).c_str()) ) + return extract_var_name(var_name); + return string(var_name); + } string full_name = normalized_module_name(module_name); full_name += "::"; diff --git a/testing/btest/Baseline/language.no-module/out b/testing/btest/Baseline/language.no-module/out index 5b011543b5..e7a3607e96 100644 --- a/testing/btest/Baseline/language.no-module/out +++ b/testing/btest/Baseline/language.no-module/out @@ -1,4 +1,5 @@ function (PASS) global variable (PASS) +fully qualified global variable (PASS) const (PASS) event (PASS) diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.bro index 24795df0fb..fff55d3854 100644 --- a/testing/btest/language/no-module.bro +++ b/testing/btest/language/no-module.bro @@ -27,6 +27,7 @@ event bro_init() { test_case( "function", T ); test_case( "global variable", num == 123 ); + test_case( "fully qualified global variable", GLOBAL::num == 123 ); # test for BIT-1758 : GLOBAL scope ID discovery bug test_case( "const", daysperyear == 365 ); event testevent( "foo" ); } From 04d41dce5cb116ad12ff27f80bd11a39544d1c49 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 8 Dec 2016 08:32:45 -0500 Subject: [PATCH 114/288] Tiny xlsx file signature fix. Thanks to Dan Caselden for noticing! --- scripts/base/frameworks/files/magic/msoffice.sig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/frameworks/files/magic/msoffice.sig b/scripts/base/frameworks/files/magic/msoffice.sig index 7ae866a088..1c979b62bd 100644 --- a/scripts/base/frameworks/files/magic/msoffice.sig +++ b/scripts/base/frameworks/files/magic/msoffice.sig @@ -18,7 +18,7 @@ signature file-docx { } signature file-xlsx { - file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\2f).*PK\x03\x04.{26}xl\x2f/ + file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/ file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80 } From 86271f2bdfd9a349b52a2ebe83385bcdb1827fea Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 24 Dec 2016 11:08:08 +0100 Subject: [PATCH 115/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 4a35dec3a9..f6d451520e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 4a35dec3a9c04b976ce0cbd88be894e7ce81dca8 +Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 From e3c7bcbb43c7bcab1dc10214862665a28bc03de9 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 12 Jan 2017 13:45:39 +0100 Subject: [PATCH 116/288] Add missing paths to SMM Log::create_streams calls --- scripts/policy/protocols/smb/main.bro | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index f3185a89bb..f94db17f38 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -195,9 +195,9 @@ redef likely_server_ports += { ports }; event bro_init() &priority=5 { - Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo]); - Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo]); - Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo]); + Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); + Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]); + Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports); } From e991189ffff09fd62f02a1b4c4b1f98fa2416d68 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 19 Jan 2017 12:49:27 -0800 Subject: [PATCH 117/288] Remove brocon event. It make the plugins/hooks test fail, because the number of the current year shows up in the Baseline. --- scripts/base/init-bare.bro | 8 -------- testing/btest/Baseline/plugins.hooks/output | 18 ++++++------------ 2 files changed, 6 insertions(+), 20 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d170d17d80..ffee527bb7 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4209,14 +4209,6 @@ const remote_trace_sync_peers = 0 &redef; ## consistency check. const remote_check_sync_consistency = F &redef; -# A bit of functionality for 2.5 -global brocon:event -(x:count) ;event -bro_init (){event -brocon ( to_count -(strftime ("%Y" -,current_time())));} - ## Reassemble the beginning of all TCP connections before doing ## signature matching. Enabling this provides more accurate matching at the ## expense of CPU cycles. diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index a71f864a5c..311d44de77 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -410,10 +410,8 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(strftime, , (%Y, 1478107500.981565)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> -0.000000 MetaHookPost CallFunction(to_count, , (2016)) -> 0.000000 MetaHookPost DrainEvents() -> 0.000000 MetaHookPost LoadFile(../main) -> -1 0.000000 MetaHookPost LoadFile(../plugin) -> -1 @@ -970,7 +968,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1100,7 +1098,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1133,10 +1131,8 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(strftime, , (%Y, 1478107500.981565)) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -0.000000 MetaHookPre CallFunction(to_count, , (2016)) 0.000000 MetaHookPre DrainEvents() 0.000000 MetaHookPre LoadFile(../main) 0.000000 MetaHookPre LoadFile(../plugin) @@ -1692,7 +1688,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1822,7 +1818,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1478107500.981885, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1855,10 +1851,8 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction strftime(%Y, 1478107500.981565) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) -0.000000 | HookCallFunction to_count(2016) 0.000000 | HookDrainEvents 0.000000 | HookLoadFile ..<...>/bro 0.000000 | HookLoadFile .<...>/bro From 07b7f1d193bbdecef59fe149b9af3a17958b0fdf Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 19 Jan 2017 13:22:19 -0800 Subject: [PATCH 118/288] Add new TLS extension type (cached_info) --- scripts/base/protocols/ssl/consts.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 6af08c13d0..2f646de516 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -156,6 +156,7 @@ export { [22] = "encrypt_then_mac", [23] = "extended_master_secret", [24] = "token_binding", # temporary till 2017-03-06 - draft-ietf-tokbind-negotiation + [25] = "cached_info", [35] = "SessionTicket TLS", [40] = "key_share", # new for TLS 1.3; was used for extended_random before. State as of TLS 1.3 draft 16 [41] = "pre_shared_key", # new for 1.3, state of draft-16 From 9d2b69be42d3e0a3508c06476f3b2bd9338ddac8 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 23 Jan 2017 20:02:25 -0800 Subject: [PATCH 119/288] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 9386124933..8f979b0bda 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 938612493358a42b48a4a61b9ab67f2342159936 +Subproject commit 8f979b0bda406e8ee1993444bff620945ed45a7d From f5f517a97f4c55638366972a3592ed3020728d8f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 24 Jan 2017 08:48:57 -0800 Subject: [PATCH 120/288] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 8f979b0bda..e831e32b94 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 8f979b0bda406e8ee1993444bff620945ed45a7d +Subproject commit e831e32b942342c626badb235af32c421eae269c From fdb19872b4987e125a0b64a722be47a71d12272a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Jan 2017 19:40:33 -0600 Subject: [PATCH 121/288] Update submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index e831e32b94..394640e5dc 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit e831e32b942342c626badb235af32c421eae269c +Subproject commit 394640e5dc266f84c4f0c26f234a9a6e8dc8de1c From 2d1f0071867357ccaa068c2ec394d61ec8e5f18f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 25 Jan 2017 01:16:46 -0500 Subject: [PATCH 122/288] Extend file extraction log. - New fields: extracted_cutoff and extracted_size. These fields will be null if the file isn't extracted. - Extended the extraction test to test the files log too. --- scripts/base/files/extract/main.bro | 14 ++++++++++++++ .../scripts.base.files.extract.limit/files.log | 10 ++++++++++ testing/btest/scripts/base/files/extract/limit.bro | 1 + 3 files changed, 25 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.files.extract.limit/files.log diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.bro index 7f68a8bcce..22207000bf 100644 --- a/scripts/base/files/extract/main.bro +++ b/scripts/base/files/extract/main.bro @@ -14,6 +14,13 @@ export { redef record Files::Info += { ## Local filename of extracted file. extracted: string &optional &log; + + ## Set to true if the file being extracted was cut off + ## so the whole file was not logged. + extracted_cutoff: bool &optional &log; + + ## The number of bytes extracted to disk. + extracted_size: count &optional &log; }; redef record Files::AnalyzerArgs += { @@ -58,9 +65,16 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs) f$info$extracted = args$extract_filename; args$extract_filename = build_path_compressed(prefix, args$extract_filename); + f$info$extracted_cutoff = F; mkdir(prefix); } +event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count) &priority=10 + { + f$info$extracted_cutoff = T; + f$info$extracted_size = limit; + } + event bro_init() &priority=10 { Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add); diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/files.log b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log new file mode 100644 index 0000000000..f9ab216124 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2017-01-25-06-12-45 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid extracted extracted_cutoff extracted_size md5 sha1 sha256 +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string bool count string string string +1363628702.262149 FGy9Oo9JLY8SFxMJ2 141.142.192.162 141.142.228.5 ClEkJM2Vm5giqnMf4h FTP_DATA 0 EXTRACT text/plain - 0.001059 - F 16557 - 0 0 F - 2 T 6000 - - - +#close 2017-01-25-06-12-45 diff --git a/testing/btest/scripts/base/files/extract/limit.bro b/testing/btest/scripts/base/files/extract/limit.bro index 1ac5f20b6d..4deecd292d 100644 --- a/testing/btest/scripts/base/files/extract/limit.bro +++ b/testing/btest/scripts/base/files/extract/limit.bro @@ -4,6 +4,7 @@ # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=3000 efname=2 double_it=T # @TEST-EXEC: btest-diff extract_files/2 # @TEST-EXEC: btest-diff 2.out +# @TEST-EXEC: btest-diff files.log # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=7000 efname=3 unlimit_it=T # @TEST-EXEC: btest-diff extract_files/3 # @TEST-EXEC: btest-diff 3.out From 08bc5ccd42d4a31e011aee0d9479f4aa0e450e4f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 25 Jan 2017 02:06:35 -0500 Subject: [PATCH 123/288] Fixing tests --- .../core.tcp.large-file-reassembly/files.log | 12 +-- testing/btest/Baseline/plugins.hooks/output | 48 ++++----- testing/btest/Baseline/plugins.writer/output | 4 +- .../files.log | 10 +- .../files.log | 10 +- .../files.log | 10 +- .../scripts.base.protocols.smb.smb2/files.log | 10 +- .../all-events.log | 102 +++++++++--------- 8 files changed, 103 insertions(+), 103 deletions(-) diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log index a7b6c3b972..31087d58cc 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path files -#open 2016-07-13-16-13-01 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - -1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - -#close 2016-07-13-16-13-01 +#open 2017-01-25-07-03-11 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - - - +1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - - - +#close 2017-01-25-07-03-11 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 311d44de77..9b22c34b71 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -150,7 +150,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> -0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -871,7 +871,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) -0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) @@ -968,7 +968,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1098,7 +1098,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1591,7 +1591,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() -0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) @@ -1688,7 +1688,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1818,7 +1818,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1484859670.063441, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2045,10 +2045,10 @@ 1362692527.008509 | HookDrainEvents 1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) -> 1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -> -1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> 1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -2091,10 +2091,10 @@ 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> 1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) 1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) 1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 524288)) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) 1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -2138,10 +2138,10 @@ 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288) -1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) 1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 524288) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -2198,9 +2198,9 @@ 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> -1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> @@ -2223,9 +2223,9 @@ 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) 1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) @@ -2249,9 +2249,9 @@ 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) -1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index 0e8466831e..f17b55dad2 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output @@ -9,7 +9,7 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| [conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| [conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|- +[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|- [http] 1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213019.580162|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- @@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[packet_filter] 1468426456.812140|bro|ip or not ip|T|T +[packet_filter] 1485327742.161604|bro|ip or not ip|T|T [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log index 857ff5a422..8b98886c93 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-07-13-16-14-18 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - -#close 2016-07-13-16-14-18 +#open 2017-01-25-07-04-25 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - - - +#close 2017-01-25-07-04-25 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log index 4f2d661ae7..b692cadc38 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-07-13-16-14-18 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - -#close 2016-07-13-16-14-18 +#open 2017-01-25-07-04-39 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - - - +#close 2017-01-25-07-04-39 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log index 9902524a1f..98923eb2d1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-07-13-16-14-21 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5,EXTRACT,DATA_EVENT,SHA1,SHA256 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file -#close 2016-07-13-16-14-21 +#open 2017-01-25-07-04-52 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5,EXTRACT,DATA_EVENT,SHA1,SHA256 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file F - +#close 2017-01-25-07-04-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log index 9dc925e4dc..b18428a86e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-10-27-17-16-27 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - -#close 2016-10-27-17-16-27 +#open 2017-01-25-07-05-17 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - - +#close 2017-01-25-07-05-17 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 5353fb0ac4..22a652ac37 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -301,7 +301,7 @@ [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = T @@ -314,11 +314,11 @@ [2] is_orig: bool = T 1254722770.692743 file_sniff - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -345,7 +345,7 @@ [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T @@ -358,11 +358,11 @@ [2] is_orig: bool = T 1254722770.692804 file_sniff - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]] 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -406,7 +406,7 @@ [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T @@ -414,7 +414,7 @@ [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722771.494181 file_sniff - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] 1254722771.858334 mime_end_entity @@ -426,7 +426,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -694,7 +694,7 @@ [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831787.905375 file_over_new_connection - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T @@ -707,11 +707,11 @@ [2] is_orig: bool = T 1437831787.905375 file_sniff - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] 1437831787.905375 file_state_remove - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -839,156 +839,156 @@ [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=, mime_types=] 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = sha1 [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=, mime_types=] 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = sha1 [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 @@ -1019,10 +1019,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check From 46368b718cad5ac1e0df5394cd90bcb30f4cafdd Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 25 Jan 2017 13:05:35 -0800 Subject: [PATCH 124/288] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 394640e5dc..32e582514a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 394640e5dc266f84c4f0c26f234a9a6e8dc8de1c +Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d From 3ce6a031d4419bf90308e0ddf4f1192bf6645031 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 28 Jan 2017 11:45:49 -0800 Subject: [PATCH 125/288] Fix file analyzer memory management. File analyzers got deleted immediately once the queue with the corresponding removal operation got drained. That however can happen while the analyzer is still doing stuff: the queue is drained whenever any the "special" file analysis events needing immediate attention has been executed. This fix now only schedules the analyzer for deletion at that time, but postpones the actual operation until file object itself is being destroyed. --- src/file_analysis/AnalyzerSet.cc | 5 ++++- src/file_analysis/File.cc | 8 ++++++++ src/file_analysis/File.h | 6 ++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 1de1d230de..ed8b440e35 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -130,7 +130,10 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) file_mgr->GetComponentName(tag).c_str()); a->Done(); - delete a; + + // We don't delete the analyze object right here because the remove + // operation may execute when that will still be accessed. + file->DoneWithAnalyzer(a); return true; } diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 3b674b3ef9..ee40c9185d 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -107,6 +107,9 @@ File::~File() DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); delete file_reassembler; + + for ( auto a : done_analyzers ) + delete a; } void File::UpdateLastActivityTime() @@ -478,6 +481,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) EndOfFile(); } +void File::DoneWithAnalyzer(Analyzer* analyzer) + { + done_analyzers.push_back(analyzer); + } + void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 6ad90e986b..ea88692e8d 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -119,6 +119,11 @@ public: */ bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args); + /** + * Signal that this analyzer can be deleted once it's safe to do so. + */ + void DoneWithAnalyzer(Analyzer* analyzer); + /** * Pass in non-sequential data and deliver to attached analyzers. * @param data pointer to start of a chunk of file data. @@ -287,6 +292,7 @@ protected: bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ AnalyzerSet analyzers; /**< A set of attached file analyzers. */ + std::list done_analyzers; /**< Analyzers we're done with, remembered here until they be safely deleted. */ struct BOF_Buffer { BOF_Buffer() : full(false), size(0) {} From fead5f5d5eb296951da0b23ab1cbd3fab7a19e89 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 28 Jan 2017 12:07:42 -0800 Subject: [PATCH 126/288] Fix delay in disabling file analyzers. When a file analyzer signaled being done with data delivery, the analyzer would only be scheduled for removal at that poing, meaning it could still receive more data until that action actually took effect. Now we make sure to not send any more data to an analyzer. --- src/file_analysis/Analyzer.h | 22 ++++++++++++++++++++-- src/file_analysis/File.cc | 30 +++++++++++++++++++++++------- 2 files changed, 43 insertions(+), 9 deletions(-) diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index dcb8434a6f..dfe9c795a8 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -123,6 +123,21 @@ public: void SetGotStreamDelivery() { got_stream_delivery = true; } + /** + * Signals that the analyzer is to skip all further input + * processsing. This won't have an immediate effect internally, but + * the flag can be queried through Skipping(). + * + * @param do_skip If true, further processing will be skipped. + */ + void SetSkip(bool do_skip) { skip = do_skip; } + + /** + * Returns true if the analyzer has been told to skip processing all + * further input. + */ + bool Skipping() const { return skip; } + protected: /** @@ -136,7 +151,8 @@ protected: : tag(arg_tag), args(arg_args->Ref()->AsRecordVal()), file(arg_file), - got_stream_delivery(false) + got_stream_delivery(false), + skip(false) { id = ++id_counter; } @@ -154,7 +170,8 @@ protected: : tag(), args(arg_args->Ref()->AsRecordVal()), file(arg_file), - got_stream_delivery(false) + got_stream_delivery(false), + skip(false) { id = ++id_counter; } @@ -166,6 +183,7 @@ private: RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */ File* file; /**< The file to which the analyzer is attached. */ bool got_stream_delivery; + bool skip; static ID id_counter; }; diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index ee40c9185d..46e67f7cd8 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -394,9 +394,15 @@ void File::DeliverStream(const u_char* data, uint64 len) // Catch this analyzer up with the BOF buffer. for ( int i = 0; i < num_bof_chunks_behind; ++i ) { - if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), - bof_buffer.chunks[i]->Len()) ) - analyzers.QueueRemove(a->Tag(), a->Args()); + if ( ! a->Skipping() ) + { + if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), + bof_buffer.chunks[i]->Len()) ) + { + a->SetSkip(true); + analyzers.QueueRemove(a->Tag(), a->Args()); + } + } bytes_delivered += bof_buffer.chunks[i]->Len(); } @@ -406,8 +412,14 @@ void File::DeliverStream(const u_char* data, uint64 len) // Analyzer should be fully caught up to stream_offset now. } - if ( ! a->DeliverStream(data, len) ) - analyzers.QueueRemove(a->Tag(), a->Args()); + if ( ! a->Skipping() ) + { + if ( ! a->DeliverStream(data, len) ) + { + a->SetSkip(true); + analyzers.QueueRemove(a->Tag(), a->Args()); + } + } } stream_offset += len; @@ -471,9 +483,13 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) while ( (a = analyzers.NextEntry(c)) ) { DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str()); - if ( ! a->DeliverChunk(data, len, offset) ) + if ( ! a->Skipping() ) { - analyzers.QueueRemove(a->Tag(), a->Args()); + if ( ! a->DeliverChunk(data, len, offset) ) + { + a->SetSkip(true); + analyzers.QueueRemove(a->Tag(), a->Args()); + } } } From 832f6d34b4beb7548ef56a97b02f5f427da75f0c Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:39:12 +0900 Subject: [PATCH 127/288] Add ciphertext to ticket data structures --- scripts/base/init-bare.bro | 2 ++ src/analyzer/protocol/krb/krb-types.pac | 1 + 2 files changed, 3 insertions(+) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..b5bf5d298d 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3955,6 +3955,8 @@ export { service_name : string; ## Cipher the ticket was encrypted with cipher : count; + ## Cipher text of the ticket + ciphertext : string &optional; }; type KRB::Ticket_Vector: vector of KRB::Ticket; diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index a5b2eb1041..bb2bfba3e8 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -95,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket) rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); + rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext())); return rv; } From 68e3f0d96ac404a2abdcc4f975b4d9ce088b0eca Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:39:40 +0900 Subject: [PATCH 128/288] Ensure TGS req does not stomp out AP data --- scripts/base/protocols/krb/main.bro | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index 13200a559e..fc6abc5bff 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro @@ -164,9 +164,16 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 return; local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + + if ( !c?$krb ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + else + info = c$krb; + info$request_type = "TGS"; info$service = msg$service_name; if ( msg?$from ) info$from = msg$from; From 7caf5071631ce69620c462826d99e367f0140354 Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:40:11 +0900 Subject: [PATCH 129/288] Add script to log ticket hashes in krb log --- .../policy/protocols/krb/ticket-logging.bro | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 scripts/policy/protocols/krb/ticket-logging.bro diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro new file mode 100644 index 0000000000..e254b6dc26 --- /dev/null +++ b/scripts/policy/protocols/krb/ticket-logging.bro @@ -0,0 +1,43 @@ +module KRB; + +redef record Info += { + ## Hash of ticket used to authorize request/transaction + auth_ticket: string &log &optional; + ## Hash of ticket returned by the KDC + new_ticket: string &log &optional; +}; + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) + { + if ( c?$krb && c$krb$logged ) + return; + + local info: Info; + + if ( !c?$krb ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + else + info = c$krb; + + info$request_type = "AP"; # Will be overwritten when request is a TGS + if ( ticket?$ciphertext ) + info$auth_ticket = md5_hash(ticket$ciphertext); + + c$krb = info; + } + +event krb_as_response(c: connection, msg: KDC_Response) + { + if ( msg$ticket?$ciphertext ) + c$krb$new_ticket = md5_hash(msg$ticket$ciphertext); + } + +event krb_tgs_response(c: connection, msg: KDC_Response) + { + if ( msg$ticket?$ciphertext ) + c$krb$new_ticket = md5_hash(msg$ticket$ciphertext); + } \ No newline at end of file From 7feaf4499f5fef5e465957c01f148ec12ead826a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 30 Jan 2017 15:13:56 -0800 Subject: [PATCH 130/288] Fix layer 2 connection flipping. If connection flipping occured in Sessions.cc code (invoked e.g. when the original SYN is missing), layer 2 flipping was not performed. This change switches to always use the connection flipping code in Conn.cc which performs the switch correctly. --- src/Sessions.cc | 19 +------------------ .../btest/Baseline/core.history-flip/conn.log | 10 +++++----- .../all-events.log | 8 ++++---- testing/btest/core/history-flip.bro | 2 ++ 4 files changed, 12 insertions(+), 27 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index 9361b7cde2..e2a5fba489 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -1212,28 +1212,11 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) return 0; - ConnID flip_id = *id; - - if ( flip ) - { - // Make a guess that we're seeing the tail half of - // an analyzable connection. - const IPAddr ta = flip_id.src_addr; - flip_id.src_addr = flip_id.dst_addr; - flip_id.dst_addr = ta; - - uint32 t = flip_id.src_port; - flip_id.src_port = flip_id.dst_port; - flip_id.dst_port = t; - - id = &flip_id; - } - Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation); conn->SetTransport(tproto); if ( flip ) - conn->AddHistory('^'); + conn->FlipRoles(); if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) ) { diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log index b04a28b1cb..4c22a6484b 100644 --- a/testing/btest/Baseline/core.history-flip/conn.log +++ b/testing/btest/Baseline/core.history-flip/conn.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-17-58-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) -#close 2016-07-13-17-58-11 +#open 2017-01-30-23-13-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 +#close 2017-01-30-23-13-15 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 22a652ac37..a42b891e6a 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -743,10 +743,10 @@ [5] cont_resp: bool = F 1437831798.533593 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831798.533765 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.262632 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] @@ -1013,10 +1013,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.bro index f34767eee8..e9769d99b5 100644 --- a/testing/btest/core/history-flip.bro +++ b/testing/btest/core/history-flip.bro @@ -1,2 +1,4 @@ # @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT # @TEST-EXEC: btest-diff conn.log + +@load policy/protocols/conn/mac-logging From 6487446f27a0a6eac552fed30aa32cbcb6910fec Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 31 Jan 2017 13:09:12 -0800 Subject: [PATCH 131/288] Change snaplen of test trace from 1,000,000 to 10,000 Recent versions of libpcap are unhappy with values bigger than 262,144 and will refuse reading the file. --- .../btest/Traces/tcp/retransmit-fast009.trace | Bin 2858 -> 2858 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/testing/btest/Traces/tcp/retransmit-fast009.trace b/testing/btest/Traces/tcp/retransmit-fast009.trace index 12cc1cd474a66a59bf67ee819a0518f56c4ff65d..b3dabf96545f06424a6520bdb414ff0cddd4a759 100644 GIT binary patch delta 28 dcmZ1_wn|L+%Hd55nHX3YU_d~fVWY4(Hvn!f1)%@{ delta 28 dcmZ1_wn|L+%Hd55nHX3YV8FqNf1|KCHvn*J1^WO1 From 16f20507fd258920be477ac282e2442610a3eef2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 31 Jan 2017 14:45:06 -0800 Subject: [PATCH 132/288] Cleaning up a couple of comments. --- src/file_analysis/AnalyzerSet.cc | 5 +++-- src/file_analysis/File.h | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index ed8b440e35..35968c9a02 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -131,8 +131,9 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) a->Done(); - // We don't delete the analyze object right here because the remove - // operation may execute when that will still be accessed. + // We don't delete the analyzer object right here because the remove + // operation may execute at a time when it can still be accessed. + // Instead we let the file know to delete the analyzer later. file->DoneWithAnalyzer(a); return true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index ea88692e8d..c799907a8f 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -292,7 +292,7 @@ protected: bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ AnalyzerSet analyzers; /**< A set of attached file analyzers. */ - std::list done_analyzers; /**< Analyzers we're done with, remembered here until they be safely deleted. */ + std::list done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */ struct BOF_Buffer { BOF_Buffer() : full(false), size(0) {} From e21cca4ba85a72bc94be4ad1c9c1053e70e08f58 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 31 Jan 2017 14:52:37 -0800 Subject: [PATCH 133/288] Adding test with command line that used to trigger a crash. --- .../files.log | 10 ++++++++++ .../base/frameworks/file-analysis/byteranges.bro | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log create mode 100644 testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log new file mode 100644 index 0000000000..a8a12d0d2b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2017-01-31-22-51-55 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1258867934.558264 F2xow8TIkvHG4Zz41 198.189.255.75 192.168.1.105 CHhAvVGS1DHFjwGM9 HTTP 0 EXTRACT - - 0.046240 - F 54229 605292323 4244449 0 T - - - - extract-1258867934.558264-HTTP-F2xow8TIkvHG4Zz41 T 4000 +#close 2017-01-31-22-51-55 diff --git a/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro new file mode 100644 index 0000000000..7cf0ef239c --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro @@ -0,0 +1,6 @@ +# This used to crash the file reassemly code. +# +# @TEST-EXEC: bro -r $TRACES/http/byteranges.trace frameworks/files/extract-all-files FileExtract::default_limit=4000 +# +# @TEST-EXEC: btest-diff files.log + From 645ec39f4b98d3ba5505d53fb4288787a9d6da41 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 31 Jan 2017 23:33:58 -0500 Subject: [PATCH 134/288] New file types sigs from Keith Lehigh. --- scripts/base/frameworks/files/magic/font.sig | 8 +- .../base/frameworks/files/magic/general.sig | 100 +++++++++++++++++- scripts/base/frameworks/files/magic/image.sig | 6 ++ 3 files changed, 112 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/files/magic/font.sig b/scripts/base/frameworks/files/magic/font.sig index 8f2857f6e3..809a4fc1e0 100644 --- a/scripts/base/frameworks/files/magic/font.sig +++ b/scripts/base/frameworks/files/magic/font.sig @@ -1,8 +1,14 @@ +# Web Open Font Format 2 +signature file-woff2 { + file-mime "application/font-woff2", 70 + file-magic /^wOF2/ +} + # Web Open Font Format signature file-woff { - file-magic /^wOFF/ file-mime "application/font-woff", 70 + file-magic /^wOFF/ } # TrueType font diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index d4470fc780..d3bed97efa 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -292,6 +292,104 @@ signature file-skp { file-mime "application/skp", 100 } +# Microsoft DirectDraw Surface +signature file-msdds { + file-mime "application/x-ms-dds", 100 + file-magic /^DDS/ +} + +# bsdiff output +signature file-bsdiff { + file-mime "application/bsdiff", 100 + file-magic /^BSDIFF/ +} + +# AV Update binary diffs (mostly kaspersky) +# inferred from traffic analysis +signature file-binarydiff { + file-mime "application/bindiff", 100 + file-magic /^DIFF/ +} + +# Kaspersky Database +# inferred from traffic analysis +signature file-kaspdb { + file-mime "application/x-kaspavdb", 100 + file-magic /^KLZF/ +} + +# Kaspersky AV Database diff +# inferred from traffic analysis +signature file-kaspdbdif { + file-mime "application/x-kaspavupdate", 100 + file-magic /^KLD2/ +} + +# MSSQL Backups +signature file-mssqlbak { + file-mime "application/mssql-bak", 100 + file-magic /^MSSQLBAK/ +} + +# Microsoft Tape Format +# MSSQL transaction log +signature file-ms-tf { + file-mime "application/mtf", 100 + file-magic /^TAPE/ +} + +# Binary property list (Apple) +signature file-bplist { + file-mime "application/bplist", 100 + file-magic /^bplist0?/ +} + +# Microsoft Compiled HTML Help File +signature file-mshelp { + file-mime "application/mshelp", 100 + file-magic /^ITSF/ +} + +# Blizzard game file MPQ Format +signature file-mpqgame { + file-mime "application/x-game-mpq", 100 + file-magic /^MPQ\x1a/ +} + +# Blizzard CASC Format game file +signature file-blizgame { + file-mime "application/x-blizgame", 100 + file-magic /^BLTE/ +} + +# iOS Mapkit tiles +# inferred from traffic analysis +signature file-mapkit-tile { + file-mime "application/map-tile", 100 + file-magic /^VMP4/ +} + +# Google Chrome Extension file +signature file-chrome-extension { + file-mime "application/chrome-ext", 100 + file-magic /^Cr24/ +} + +# Google Chrome Extension Update Delta +# not 100% sure about this identification +# this may be google chrome updates, not extensions +signature file-chrome-extension-update { + file-mime "application/chrome-ext-upd", 70 + file-magic /^CrOD/ +} + +# Microsoft Message Queueing +# .net related +signature file-msqm { + file-mime "application/msqm", 100 + file-magic /^MSQM/ +} + signature file-elf-object { file-mime "application/x-object", 50 file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/ @@ -315,4 +413,4 @@ signature file-elf-coredump { signature file-vim-tmp { file-mime "application/x-vim-tmp", 100 file-magic /^b0VIM/ -} \ No newline at end of file +} diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig index c6c0d13a50..03563f7897 100644 --- a/scripts/base/frameworks/files/magic/image.sig +++ b/scripts/base/frameworks/files/magic/image.sig @@ -164,3 +164,9 @@ signature file-award-bios-logo { file-mime "image/x-award-bioslogo", 50 file-magic /^\x11[\x06\x09]/ } + +# WebP, lossy image format from Google +signature file-webp { + file-mime "image/webp", 70 + file-magic /^RIFF.{4}WEBP/ +} From 9370db8980e64b1b9e7b679ccd3ed676ea197abb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 11:58:38 -0600 Subject: [PATCH 135/288] Add tests for the to_json() function --- .../Baseline/scripts.base.utils.json/output | 39 ++++++ testing/btest/scripts/base/utils/json.test | 122 ++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.utils.json/output create mode 100644 testing/btest/scripts/base/utils/json.test diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output new file mode 100644 index 0000000000..a1f6875417 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.utils.json/output @@ -0,0 +1,39 @@ +T +123 +-999 +1.123457 +-1.123456e+308 +0 +1.0 +"" +"hello" +"" +65535 +1 +123 +0 +"1.2.3.4" +"ffff:1234::1" +"123.123.123.123" +"192.0.0.0/8" +"fe80::/64" +Red +{"s": "test", "c": 100} +{"s": "test"} +{"s": "test"} +{"m": {"s": "test"}} +[] +[2, 1] +["1.2.3.4"] +[[T, F]] +[{"s": "test"}] +[] +[2, 1] +["1.2.3.4"] +[{"s": "test"}] +[{"s": "test"}] +{} +{"2": "10.2.2.2", "1": "10.1.1.1"} +{"10.1.1.1": {"a": 1}, "10.2.2.2": {"b": 2}} +{"10.1.1.1": [1, 2], "10.2.2.2": [3, 5]} +{"1": {"s": "test"}} diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test new file mode 100644 index 0000000000..369ba0ebb7 --- /dev/null +++ b/testing/btest/scripts/base/utils/json.test @@ -0,0 +1,122 @@ +# Test the to_json() function on every basic data type. For container types, +# test with no elements, with one element, and with more than one element. +# Test that the "only_loggable" option works (output only record fields with +# the &log attribute). +# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: btest-diff output + +type color: enum { Red, White, Blue }; + +type myrec1: record { + c: count &optional; + s: string &log; +}; + +type myrec2: record { + m: myrec1 &log; +}; + +event bro_init() + { + # ##################################### + # Test the basic (non-container) types: + + local b: bool = T; + print to_json(b); + + local c: count = 123; + print to_json(c); + + local i: int = -999; + print to_json(i); + + local d1: double = 1.123456789; + local d2: double = -1.123456e308; + local d3: double = 9.876543e-308; + print to_json(d1); + print to_json(d2); + print to_json(d3); + + local t: time = double_to_time(1.0); + print to_json(t); + + local ti: interval = -12hr; + print to_json(ti); + + local s1: string = "hello"; + local s2: string = ""; + print to_json(s1); + print to_json(s2); + + local p1: port = 65535/tcp; + local p2: port = 1/udp; + local p3: port = 123/icmp; + local p4: port = 0/unknown; + print to_json(p1); + print to_json(p2); + print to_json(p3); + print to_json(p4); + + local a1: addr = 1.2.3.4; + local a2: addr = [ffff:1234::1]; + local a3: addr = [::ffff:123.123.123.123]; + print to_json(a1); + print to_json(a2); + print to_json(a3); + + local su1: subnet = 192.0.0.0/8; + local su2: subnet = [fe80::]/64; + print to_json(su1); + print to_json(su2); + + local e: color = Red; + print to_json(e); + + # ######################### + # Test the container types: + + # Records + local re1 = myrec1($c=100, $s="test"); + local re2 = myrec1($s="test"); + local re3 = myrec2($m=myrec1($c=15, $s="test")); + print to_json(re1); + print to_json(re1, T); + print to_json(re2); + print to_json(re3, T); + + # Vectors + local ve1: vector of count = vector(); + local ve2: vector of count = vector(2, 1); + local ve3: vector of addr = vector(1.2.3.4); + local ve4: vector of set[bool] = vector(set(T, F)); + local ve5: vector of myrec1 = vector(myrec1($s="test", $c=2)); + print to_json(ve1); + print to_json(ve2); + print to_json(ve3); + print to_json(ve4); + print to_json(ve5, T); + + # Sets + local st1: set[count] = set(); + local st2: set[count] = set(2, 1); + local st3: set[addr] = set(1.2.3.4); + local st4: set[myrec1] = set(myrec1($s="test")); + local st5: set[myrec1] = set(myrec1($s="test", $c=2)); + print to_json(st1); + print to_json(st2); + print to_json(st3); + print to_json(st4); + print to_json(st5, T); + + # Tables + local ta1: table[count] of addr = table(); + local ta2: table[count] of addr = {[1] = 10.1.1.1, [2] = 10.2.2.2}; + local ta3: table[addr] of table[string] of count = {[10.1.1.1] = table(["a"] = 1), [10.2.2.2] = table(["b"] = 2)}; + local ta4: table[addr] of vector of count = {[10.1.1.1] = vector(1, 2), [10.2.2.2] = vector(3, 5)}; + local ta5: table[count] of myrec1 = {[1] = myrec1($s="test", $c=2)}; + print to_json(ta1); + print to_json(ta2); + print to_json(ta3); + print to_json(ta4); + print to_json(ta5, T); + } From 65d6e5a4f724842b7f5357435ec14b5c9de9d654 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 12:09:40 -0600 Subject: [PATCH 136/288] Fix the to_json() function for bool, enum, and interval types --- scripts/base/utils/json.bro | 12 ++++++++---- .../btest/Baseline/scripts.base.utils.json/output | 8 ++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro index b6d0093b58..5b66f3ad02 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.bro @@ -25,6 +25,10 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "port": return cat(port_to_count(to_port(cat(v)))); + case "enum": + fallthrough; + case "interval": + fallthrough; case "addr": fallthrough; case "subnet": @@ -37,12 +41,12 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "time": fallthrough; case "double": - fallthrough; - case "bool": - fallthrough; - case "enum": return cat(v); + case "bool": + local bval: bool = v; + return bval ? "true" : "false"; + default: break; } diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output index a1f6875417..f7a16cb2bb 100644 --- a/testing/btest/Baseline/scripts.base.utils.json/output +++ b/testing/btest/Baseline/scripts.base.utils.json/output @@ -1,11 +1,11 @@ -T +true 123 -999 1.123457 -1.123456e+308 0 1.0 -"" +"-12.0 hrs" "hello" "" 65535 @@ -17,7 +17,7 @@ T "123.123.123.123" "192.0.0.0/8" "fe80::/64" -Red +"Red" {"s": "test", "c": 100} {"s": "test"} {"s": "test"} @@ -25,7 +25,7 @@ Red [] [2, 1] ["1.2.3.4"] -[[T, F]] +[[true, false]] [{"s": "test"}] [] [2, 1] From 6812a7febeb019277dc889792f54fe6a821f7f7d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 13:03:05 -0600 Subject: [PATCH 137/288] Fix to_json() to not lose precision for values of type double Also changed a few values in the tests for better numerical diversity. --- scripts/base/utils/json.bro | 5 +++-- testing/btest/Baseline/scripts.base.utils.json/output | 8 ++++---- testing/btest/scripts/base/utils/json.test | 8 ++++---- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro index 5b66f3ad02..05dcff1e27 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.bro @@ -39,10 +39,11 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "count": fallthrough; case "time": - fallthrough; - case "double": return cat(v); + case "double": + return fmt("%.16g", v); + case "bool": local bval: bool = v; return bval ? "true" : "false"; diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output index f7a16cb2bb..43513e43f9 100644 --- a/testing/btest/Baseline/scripts.base.utils.json/output +++ b/testing/btest/Baseline/scripts.base.utils.json/output @@ -1,10 +1,10 @@ true 123 -999 -1.123457 --1.123456e+308 -0 -1.0 +3.14 +-1.23456789e+308 +9e-308 +1480788576.868945 "-12.0 hrs" "hello" "" diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test index 369ba0ebb7..264151136a 100644 --- a/testing/btest/scripts/base/utils/json.test +++ b/testing/btest/scripts/base/utils/json.test @@ -30,14 +30,14 @@ event bro_init() local i: int = -999; print to_json(i); - local d1: double = 1.123456789; - local d2: double = -1.123456e308; - local d3: double = 9.876543e-308; + local d1: double = 3.14; + local d2: double = -1.23456789e308; + local d3: double = 9e-308; print to_json(d1); print to_json(d2); print to_json(d3); - local t: time = double_to_time(1.0); + local t: time = double_to_time(1480788576.868945); print to_json(t); local ti: interval = -12hr; From 3882ba6fbfdbdc2d25ab6cee6401de2e0684acce Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 3 Feb 2017 11:23:49 -0800 Subject: [PATCH 138/288] Add support for the signed_certificate_timestamp TLS extension. --- src/analyzer/protocol/ssl/events.bif | 23 +++++++++++++++++- .../protocol/ssl/tls-handshake-analyzer.pac | 22 ++++++++++++++++- .../protocol/ssl/tls-handshake-protocol.pac | 20 +++++++++++++++ .../.stdout | 3 +++ .../tls/signed_certificate_timestamp.pcap | Bin 0 -> 36501 bytes .../ssl/signed_certificate_timestamp.test | 7 ++++++ 6 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..3fb565b8aa 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -192,7 +192,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## the initial handshake. It contains the list of client supported application ## protocols by the client or the server, respectively. ## -## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts. +## At the moment it is mostly used to negotiate the use of SPDY / HTTP2. ## ## c: The connection. ## @@ -225,6 +225,27 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_key_share event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for the signed_certificate_timestamp TLS extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the current NTP Time +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..7f4eb2ba3c 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -231,6 +231,24 @@ refine connection Handshake_Conn += { return true; %} + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT)); + ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT)); + + BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + ha, + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} + function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), @@ -251,7 +269,6 @@ refine connection Handshake_Conn += { return true; %} - }; refine typeattr ClientHello += &let { @@ -333,3 +350,6 @@ refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..65da41e0db 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -485,11 +485,31 @@ type SSLExtension(rec: HandshakeRecord) = record { # EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); + EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..abed68df42 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout @@ -0,0 +1,3 @@ +0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..50efed9cea5db93fddffb4cdb338f03479625b98 GIT binary patch literal 36501 zcmd?QWmH_t*6-bodvGVXTjTET5L`lV3GN!)B{;!@yL)hgI|L67fe@S!+-{S-v(L`i z=Q+>&&yFhyj5C z*+t*Q+{MrZ8Z8+u9>pBR=)&m21Y`g*0n7jn00LO90v{g$cmyASUmJh|Kmq{Z9W9-m zO&ytB%>g*zYvka948R1SLqWnpK>?v5;h>>`a4;}H2p|9&0R8hh06O?4)ThTGELh>*Y0o`TExT21%{cvT8Q7Kfy zmy*(Syy9oD07mdbK=31o2&JXI=#Y?*5RgCs0{9OOtU&~>7B2V?3S57Ph=?amEWi%f z)c*sYC%3|jg#OD>|1kvEw<4Z~0MP#5h5*l{rogEmDqz3n>mP0fcG5bIjwrP!MMALR zCN$t@`FBO=nXSkt#oO`!NzrZKcSUSSNMJYERofvUjU?ZG^AE_n2gta;v4kZ=-58#Q zI^uTNd5&F8o<1Pd3Fu-50F$2j?GFz`1VBLoz;6EJbKv>_(1DgfbASsV{{wt%J+2mJ zXe&nUsJT4?KSv7GHNjf*mfIN0Ao4OQxB^n|Qjf5~oPY#Kg2W+62;~A^CfS_!W3_;?gMqulkQ~d_5ZRaeQ`JEa5WyBX$${6$?c0A8M zW#OIxTmcprDObcM0Uf+iM;~a26wNcdBSQLF8AeT%TK1+o$opA#}3W!0cF;P(xpN+ybBCi!oV1qsr zQ_opE8tZf5h+C1FLIm4Al51~r88>Lz5Va&O+sHD@d*<`1+HoNe(CZcMS$sbNwkxe? z5)t|@yR_kR)vD8}1GdrvlS#>t<;UokrR~6C1ir@c2ap!2dOP!M%vOfCxaH0iaF+pv6G}(88bqD4J|Y z2p|Lms+Yl7ik7U#K?bQrFOu372!sp+PZuH`a)}HCB0>W|{;@2GAb1!^bto7N2q{q( z0ubKQ2^4~|B?k8#{{AOaSNidos*@rrK_o`syqui2=$LD{R^F-03g}l8wCgrfD8aW1Awn1 zKm>r{){>+}!<`N(F(!JB7>Ej>h%f9zMqdo~GAG&q3`1jB*tXT}H9OTa_2o zyHi3X*#;i?fdi>Ww~`|zuEsdWjhy`G6m|1$Q`J*8e*N$8!jiEpx+ zQXsI(0JrCQNYrHe?ZJ0)HpItp&Wr7d3-~N5B~WD}5o-=aQ-y&Cx@;TwBpaMU;0S;F z>!c^51M>oabKn;F^t0iK$f0mS*nXI?Rj+vybr2U~_s}(**2L<0X+D1i5rG?+2n7lo z3bV;@e1w96gn-TlAwAuW@pKLW0{rnXB@{LY z69$eR1_%ue3km$|2m+-1bTbK*3`h#Z2ZIE@0SZ{l0uFDGP#}5`?XMdlfY?M&k=kr+w=BnOhomdch05qo+P{GhR; z^`B1}8$KN{|KY=67yiTL{^h`b`0pR?D<;AOeh}mz{HrcNAe0Bl4W#tz90c(<3(o(G zg(u<@{deL={UrX_@5F~){1ro}p9lm_&VI#^UxV%+b#?|({8dF@2=1SaU}x-P|63hF z)BSGCaGkSS&4Jt2L(xp|fxT zuKnIK^+Z{{<%Wmn7TPK%xWQ6!TF{h)B70tbe5b@=0FtaU`rI;Y=PXe78^E%+%L3t` z3ZK8|P(qc2n0-SmK&KAKT^icdeDav7P9#AAwdd2r0`Y9>ScTEeEU!2hRGQ z^`(iFcTXqZdS`sGRJX!%G^~RZE)_%B7=Xv#M>C=q1|m<5JIU2$K+xPl-lev*qfh#& zw3&Ph8Z=tS6O<9wW_l*uy+s#JYs?7S zr9AH_*uS?L(i512|9=DX(^&ZlX0pG5SM73 zRvr*53(GGW|6dqD{x_n({Rn}#k*%G-&&?6da1WfEmgzDXKs17uz~(K^?m~j_B^q7o z&9QNV%zGAcy#NMc6h(44JFai~RuH*L{$q8Mg#HU=_El*LlX{U# zz`M&1^VO_L&mvVnKJSY2WOciDQV8C`k!0_p>w?ykH7D(H4U%Jy7-17Kb6SR{#=O4u z(xuUm#wpmvD^V7F_vBciT9z!BEZ63UdQ^-PQx?)rcy6sidZdL}_TZxIE+}737=m$Q zmD0A(m-syR#WG|91+MJ~wTi@!{VJtcKJtca!C|A%;F!%36A`u3%Vi0WU+Gq@2x3*c zcg_1_95aob zwfOO^g_H)+(gusq8@P^9CHk!w*Y%UA>h>%0J{vq+xC zby2|r5IBdeYz%NiiP3z+zF&l%c_~G0Fn7z%XYH7qcqNLzc4!9^CGimkQ2J$ed9h)` z$^GDhe0gfc`YnD;!Je9Ta#PQP`rBw3{X3J^3BmT{eao@Vb?H;10Mu6 z5BrG|p_66tkf6E9lCTbV^Y0s^}Kzzc|}YWQ}-!*olBR7 zk7XN0lToL+!lPWD#0O388r{ZcjySRPsK= zuCpc9{*#7Vu>0{IWeLu>vSSp0w{&aCnEm|~j012pfMn*uuDu2T?GDcToxz#E-k$-6 z+U!VUU*_y>*}Q%3UC`=pN$yjCvHM$mQI+_WFe6|f{&I2>5m6Q@a9;2;(}Ka^#X<%mdAbi01Mi>rfu{s7?ChMMA_+K#aIk?`K;v`hQKt3xN2ot$t1jAf6@!5a0;`c<{#Us>Odo(5NX#rda8l5I1*DrRU0fLv9an zXj5J5y`e*ok@H2>Xn$|-*ktHCB=-!bNMNfP%JAqB?cKnS5J7|+LA~pQ9d^$}OslUM zb-~#Io~~66vGWJ_$Tu0*H*3`aKQMi+J9-P5m3&iu8}7`-9NUoqbK(0|4AX}(DTJ71 zKHFQicMHW|;we6hSs68}-|uy|SvN+Wp+u*BNw>C4y>gcZNz7JkAoEKY+_5IBP`8=) z3^O%a?MV&{kYv{oo32X3wd5<7d=Hf53fkWt^_LbiS9GLH*K3z2po!2U^QtdPSv*=- z3G9KFRJ0LHy-C9P?9HYr!XK@2h}fuC#bAuTra36o_U&bFdX+@#W}Xg3eM^akz=U1t zql{L^N%7;4=8A7zw=K;-5P7e6#YCTnF9eNXoG!L*gc~$R(P)%o5@jHKb=aRkSrI5n z&XI2CzpQFNCX??%^FPqwyO_@1)NQJTB72eKm+(YHlK-9qzx|m5kNi$V^uN|oY`}|+ zf9AjqPwOa_yKm)9PvamN?VTa^BF(XAEnh&i&aWxIR+sF|&Z9B(wV&+CEoC4rl^UnX zfRS+R48WzXpRKGPQQoooAs^xZ`c}Ax9kRagD7R6Z9;Z3n6T z5s>|Vfc#H?3&$1hDW2^0RF^lsRBFeN?dudHYWRN($Nw=}|9d!o_7pyUPOzXskl=6( zLVLPE0)+qqhvz?ot@zU=VkiL+ABZQLE1M&P?XO5^&E(<)&J3S|-p^^!ui^cR0%9Uh zWBX@l<@gm!!J(BFL=B?+bq)fC;Qf6@@tfkm<-I>=3nra`r?1k2C&!v|Xf=^{buOpA z34V8lvORra-};>YQ32Wc^{9UU<#bOr-AnoNmdG5NUNv}^fh}s3mq8v}!WeGn_2q<< zd}TQ3bI0tsKJ?!_rpq)Xkg8~ICYQFAlfqipf;BDQ#4o%UcJl8eJlkouHA920d!ESX z8SK7-IFmer>+#;KL*=#uFX=#>VFMtJfdGhoFn7L!*MGAE zAlAW$%P{bNOpHO`Rt|s|178{fr*Sp8;0gDCO3!egv4U8*KrAdQ;G~_6om&Tda}c=r zfn>nTKG5_ikP!IL04Pk)4Z+>)UOI+)nvt)C(2{tpY9v*JJ3l>7kyu#%1T*CmcW z4d(;^5y6IG!37cq;pgOi&I7!I0OkJ!%KsE_{QubM;otrK*DN`59~SieF`qhR@N%L^ zMCg@5&Uv{l3y%5~x~}3e6_U!Q*kOPTp?~sK>OtWcWIv&#n;E;;V>MPAs`aR=R(6w) zPfLERN zVw43O%GkQ?Fx#tfeN9J~e%UES(+`P>v>H<cH0_7uK9~_lg%gybXK_yVh+-`}x zJO4<<$mF{TD&;Q8d9>0*Ov2}-@0_xoI&hAn1K7v9>e3@^Hn42UvIyWxx`U@PfNG}e zSbL`>m$1-;un%7=RP}_`vu#p6o~M7}%o;YLj^)_X=L}X|!is@^BadI}%aI0?=TDS- z;T}-zeJolThMOMJS2at(y!?)zyJKL6z}|RX3Y8>^Qbr-eB`zFvJycl|)xx+IwF0C0 zTnF3W;Q_oe^$hFin`vk=`vZu%)MB{*XpoL!_dD(K#MQuI^aVfS8J51VQ!T1@eWUmD zQC<~~_irMYg)USN@d`3(ynTjMJ6!L-VW;$W3bZ>1iA8sr>uK8GwD@@M+@=1NrxjGl5fdM`RB_)MuaGVg1oh;Hdogv_kd2 zE7F)eDb^(7kHqU-3MgyMe_|!#` z;H?%>5hw%`Y#W8zWEzDOyDp9>;#-o4^Rt$kA$6mqRBt+NQl*R)NM1DaF(J-S`i@He zBjaX|H$)l4SF!oBt=C5Z&=QznDIoAkkOo|}pC1*M(j11{y1eLhmr9@mBW#%l#q>mz z!z<>d9qPx?cV$m4bUp|T*anZ?r}FRb1DtU?zz*@+($g#@=bs)^aCn&>z!p7 zx!Cl`Y3%~HHL~oP8V+IZ;%>I&b*+oqwYKDBYN6Ty0^1vY{pb0YLPnGNCQt*+=i=0DpTFolhbDipEnb1hdK}oO zq+o#RC|Ge?H9;s+S%=5Nv87r!c|~n~6u8*Ulq9r}6-*LLVJdjuh%}P0vVDt8@2oZ< zbdatrp6O;gZz`d&tUfwBoZkK#1F?N~?UhX!nzPHf_v(2Raem-;hH*NiM+se}3hMXD zPn|AI3kOgGclcBJ2ec)(Vt+zg>vw45F<)v5+WCQ@ZQS@rr-u%2>T`5N1D<^DGx&!K zbKuJifXQ#)n&I|yw|tJO0{OD{FQ2cQ@y-s6W18~4Shi~|FWx$3Z^5+E%3UalH6r*n zy=^m)@m`SHgd`iq5Xpv6JrT}{?!@7sNp`sjEke?`e?vLbb~8`0rOcK3=8eP~6HJkh zO*)+0rrc8m`pkVtgY*wD^$5=a*&@h~`^2Z#M3@B>CwN!+B8}tfut3 z9~jXlp}AQQ_~=rx&M&)h&xQQj*_Gp7l|+qvl8_%wrs-Sb=T&bSGhj{jE`xf2!!yM` z(35c7x1XQ;+rS!L9=xOCA~GM3N3i)KAFzp~U-m_wS$%m2D(4s?J_S+o)uH#BthAh` zHkJan@#g=$0UY;pDm3_e8{>;yY6_!+x0KJ20{&`aXK))Mg9jF5`k&@4hIvwM$r}|; z;a_YNJvi%WvZ-usiL$yRB>%V$=7??SNOIG-7f`7!5EH?(B(X#;Nu|G=cV~OPBZo=e zbUmd3F*r^qs{A=tXIsTzlL(K0Am4%4Q#jfY=3r!zD=R%6?jAXzqu5F<&gr{wG#-S? zE!+YJJ%FW}cv`VU`Hign65j`L(=i-c;T=>ehN5}|ueBP)@ysW7EgqZMVZmrp9 zHRG10Bx#5os>GyVP7;Ly;e&Gb!O(~L zUZx3IURNBs$d8$9UnuuSS9DinAUY=tR_&Vis~%huQ=jF}Y3V1@5%Eu#= z_s{4T^}RC^4N4_OJdT{o9df>{yobfm5t5P9pDU|P7P5LptfjIRoqLqY!z7BrbZz1t z$bMnA3d{1{+b=C%2$k#nWK$vGB|B6}T;ywV4}r|iW0KdJR*7mjb=|i#W~V0go^^sU zzO0s4gu{>g44yt1!Lwe^#vss5LGNP@hdAEnL=cQSR%xB)aw1)0_04FjvUrAfE5_g} zhoN~v7Wdw)Af;exHr(k6zdz0G6NuaF3L}Lm!t1O9$v3t2?xxU6Og(>0(m75?*t2d4 z$;3K-z}`T8mO}t95W;T|>LO4Xdqz;ex{4oI3S5Kcfv+bnC4oh1b~w{}U)|MST5+xG z6FyugBeZ~XKQ4{Qt)m>EzK$r+-&5Tp@;X$lo^@7)0`8!egjLv)X4!i=4lS^=7Ag%* zuk~_dfq82uY2FKAU=h*~XHr-eFMsfenUrDA1I|$5L!Ep*7iaFaOSr(1rYJ-~X@o>2 z&SK2??en$l)_i%+3sgg-Pqg`Sy$c(GBy}myNp`@fhlVH{M@;S|(EL{1pz$o=#<$ZT zRvdm`$deUd$3g8_j)D{q3$mXL2o%Q%cXkv9k5A&}KgXwKnc-G+!L4B-0W4x4MNrNj z+hXbs>jS2S@k9gMOV~4>w1+u@AyI}*H2t2Ly-55?>cRV9RS&@zky~r|$SK&u@6)@KT&@eY?_D=ec9XJ$FVAHML%VHk{UIl$GqoS&*z$4>+r$Pbp z#FW$A03AsPhI)Mx+bF}(zcqsXewh*2yKbAH6T$%uy3Ej#YV?`IE~fM&`^uQ9>1kW9 zW~n~`ADy=Lk`IniL%zc3MrpT)omCrv#yB&CkPrF8f=zJpGFl*T?PEQ+KysaP_h1Lq8r z_QTecK()nJKhqCg+7zp=KDvQXk1iv_`b1Ze&;)RNXZ`^M2o!BivDz* z#Jo812Nc_EpBWuyxHvwSa6A!T`o9xD{wMJVekVTh#xLRzGX75d3Q%FsgeQ!N0YPzV zdJ7FbADi1Cl0WODN{d{|!fkQ}5fmT)6xeBq#N3n^%Mffdjhj>tai zci42&i@r4v0jG@CkN=*+{lHXTEo)~E)R@ZV^5dhE)>NU3vnm}Y;=yS{TAdrJ&73D* zi68m5rOp^CH#g&kp@>Ky$@w-{kn&I$uHT_QY^l09Zv^?^I z)mPr>jR-`L6FwiqMY}pSh3Gk26enU@aI+3KGE*}py&NXq9f>^p8|eCxDv|c8uM=O) z5ht-wM)B$hC4@0g;7stp%D*xTTsV^xS(c4ES|AN~EY)YLV-Nl~=eJcMIv992#}a?5 z-ROJFi+SfPS?~GdS$`0~o8MLCvLF*zBv>6f7vgQ`zK=yej>hgmj78U_JCeDq1V%^f z2ps%;DZtcEeJj)>O!GyxMghHOCdAIiCGm+j<}&@GR0|vHQZFXseaXZXBQj8II$9wI zcx??LAg-1eoJt`C0kl6zVp0vm%7YOh1Ga19%>5@g%ZX!ZGFt{>^czy;LvSlJPq*CZ z@E$Z)iPn#pKdN{Pvg#{3uaoX5bP!*@Vn{srL@nZ!b>9x%={+^_wWSHUGd&;RHyw)U;y@~8(-8Cu~ff^bJY*^65&W2zjGDNMi zyK;{}0c~^y9-g;!L^9Uyj>5*|(fX8%a&5bvxwwU9S_bEONF-Pen(xvV%M+#z_(CKl=09R+3yvhc235WHxmL?7aJ3QwnA7;0Nn&j#5)?b zw~ecQX%Wb8i|J+G^xbKvaj+M6g-WwEeP@{}+%vzzFNJqH?l4ArE~YA7s`9};M}SZ! z0fg)8@Hr-z!)PMMSJYYF_{IGSA%oYo!DixNl=ZMbjQ$H%&{Bl-kf8}?gW1l}s5zr_ zY6<@j4usMjSTtpR@#MQ(DpvMThK8???MB`zWlBU{%lR3_2gm&*Kf)3+$v6-co8Ot6 zz`i-YA|+5gMaA7_e__{CbPp?^yZA*n{Hy>A>44eY?JnK{`g!|em#2!D3am7P>l`fV zHv89QE=om%WLxqp)ifd+etA~-VH(wq*LHA~TJ<@${U5S}ZX~o$%7lpq@R+w=y4k6% zhYW`?&|hw`DA|-|y^}DDS8AO6wobuYqF{W-OxP68946=YBA4_%zCWO}H3g=y#9K5I zc|4&@;Eja%8f6{Z7>(gY(7xRLiNFq&Dz8|P<+6A*A$~-+G{I;9MbxXD2h5e^&hcuP zVnx{yXs#eiFa`cj8m}{~~@- z?C->P!@WNgdBG^E2O`qVerd6VgtkNQcs%WbkobWuX+&*zT4sBRR3UI?)AUV+W0J;W zcoKw=J&Tgy0bPa@nQUCSYWYVEMIqlXvM#hPLO?(u1H0W_4rYvZm0)q;x@{XBiQlsb zqIqiNjZq8jt3`BrQ$RNXe*q4@-x_^(llWB(z7uLQ>ut~qP4=4^pEsR8_ET^W3=_*` z>q_VupQ^&}`f@W6v1R6b`ajBF5PZ81`++}qv9T`49*O~ivwRWMqUhfohVcn+$wuxQ z!w@P5M()5?HSch{q)0Td!}g*?3<%3h^{KgER5KyU@}(g}g@SNLP8{Q??Q#=l6JBx$75R+0ObT+2gQDIyqD+@_ z_Ej|0lHqkA=FPd)!}4dGbN8IOjsfy6+zAaY`NU51JAzvuCLsFHe$=o}qV--fa7>4H zoCgVCb?du}vvYNzJ!B3^LaKi}24=*+II@?`JNZ8DqyJKx2J&-Iman=Y>oB4XaO2q( zPTV5`C$768&EW)+>?*8h-Q^1=>owDjkUMx|GqNV`bg9$viHdSq0H8d&jeJ%(BO5RqkyPw~k}ABX6^d=AaDSytlYM_!wEJIa+C6=5&u@ND_k-7h(g(2)t^=)K^7l(6~>7aEKy%|Jjp2X=) zzz&9pk5$B2iC0?R>}NOD3xzAxEhJmJ={zi8M1kJ3786&!YTlwAj7@UcUjkiBBAP8QogJU)%`6%qUYAcF0)zn&{lV6>#A7TWXct)C-8?> zBoM7QqmpmCs**g=E+=HSx!}RZV{Fd`Fp;23VoX%C*g7kfXN&@LZq7Z82tqyY)P(qo zN3O6LL42wg7-l;iJL_WMEY~zwz+U~)vp!QO8$cXQM+;9wo{I1U$oS2j0a)r8c zqwPWICsNHRsG~HE0z7s0U|hcnYz~xcx7^0u_3TlhU|cNJ3nl4mUX>pwZ(UuY66qCW z?X~GE8I zMW(x({VL%m*&%{ewgC&sleN%Kc-N#&l!psB9!TXIK&+8EvuP->BO!fT{q)sEno zerST_Ks=la3ifISmowDone;~?g4*aBwgvo|F$?eMK+Afp`}xW8%5;w6A94$Eu?Ws_ zJib(5GmDi{m$pmI^etjd;{jmem2iosRj9oc9_)u7N1S;As+;qWbi(;!-1iTngM$Pa8gY##oK+z@m$NK^v;4`;ZV2&;*0NER zZHlJz&Jj28mhXz-MrSK>UkB(l+833_4Qh1{-R}jD%-Xv}8$_jkqkKh8rKXsWNYK}# z!y|KEF5o6#Q{=owX@7ZZlZvL~SCf*S6WW{Xd6Qb$({oG9 zmJtxA zx5M|@LHrUvGR1Fz5K{3?UYyw#2fZqk+)ipTv{h* zQW1sSnqiClUee*Br&(6BqOmxPmbcGvsCG!R3ufglxB0t4HHA5D6WR;}aR_Otd|Fwv zT)i)#356@4YuC$QB0rA{Q>PhgeDw|l@9*eew>`5D zbz(b91mmOfodaXsf2$hwAck$i?fKF>9BZ7WChj}>JA#!T=Q6;TgXBuxDT?-r?5AY_ z<;7f*&gS0cYNaR%J=FGR-Dc?CrJQcA;i%%EDSsHDNJ!xm->Z#dkWIG`>i)TG^kc0-S8dA@2*cUuGd z%r9xpLd;cP^%Q}i78>XK<_qG@x3Bzf?$w&I!-x)wKjy@#5AjoWR&a?hSb=$Z$~ zEro=y(P>oop@au8KS#RyJQ}rsUGhv%SegoSzNFdX;n>5GW*SZnI~}g5YrmUZKN+ghK0dbvd97w;w`up3D_$klK% z)o$9Jb(-=010FT3A3zAi6;c-lZ{=lU zm(YS+%`GNAxwQI542Yb5Vz(=wLDxi~p5N{L+LnduKK5XiM%>VlrtENgLLNw}x@Xx$ zRigg3e9>P~&_V3@03yCobp4)4`ov0b=&r6>F3qE2-CU3&-A{FXdev!8O~T_5S0c6& zwyS|h5|gP$NY{ESDnuKZ2R-u!ekHGJi6ccN$EH&MZON2i zfoSU0&8o_JFDr3?=ax!lFzkn@*I}EY?-}$?C^J)-XH#MCL~9vD09koQQ+kGe-xJ=& zzVW*TZpIs3lD-Fg7A=Mxf3YgESFZ8}XO)Jb&fEOEJE5?lM?fsE>MqLVF-}9LO9s&C zn{WK!7oM)8pWuyP zv#+dr&4yKx$m9$q(^8EZ*5H1;MJgoVvDhru^bxR&ou}k-G>OnF;pyEu8n+Uhm3$Vk z4JBaLvD6-g@S1R=4<6{4y}%6`s$r_wz<3m~alAm3x*fvV!x~h+4K+cWp)qkXAdd9j z-<-has92!e?|b{~NXVu>umtk)TkA7K{`*5uu^%4&7lpxT=0!p>7h&}j?`~tyJZf44 z23i~A`yw0VHYta$Fp<`Okf7$Tlr$JKC8={1y?@_XSRouJJm)ut^Qz$W)weO2QDfMV z_#A+A&CL#q$eA4L6iw|zbwlTi^~By<7j;-U1;v0oxgGJ;SGivXFE~dHY;%U%8C>Ki zCa)piZf@fG7qg5icXc8r>6z#}^sRoX9n>Ja(XfsMC*kqz}mdA6#*CdDj{+&lI$F!ed-}MCtQ($VKW?~s;5MS>R}@&J54(X zfwQg;NXoV=z6ZRmLT=*Ar8|w+9b`lJDuqquBJ#~&`go}P+{yfXvZ7V1w10GIH2cwV zs&YbaT5|kE0(rCPcrf9Vm?=u4xnQG`pi7R|LP`;grD#je2h}bbCjE;aq|e{dTwnLc z-UK)s#5^u7N5*YxD~a394BN85K8janYwx6C`XFMz28Aj?F%v5uH$I7`fo>*+=F<2O zL>f}p9^Q@mxTQC|>dcA`y|C6ZNSQgZ=<0aXp}h4lLW}A<&$J!0V2nY8mjET;DVIgr z{&slSaSj9@%>pMZ(Hdj{OrAv4-%mZe968-n$bZ;$S;NY~I zuFGxY7BvBxZS?T`Dg$>3?=s&dR}{GOeo?b`?IjU-cE`p@cu817&YZbVIQS#Z^pggl z!A`4fbPv9Yq1`D7=3Mb*Vg;2J1MlJI)?0b1a_1DDQmK&e6LCbAk0tV9**b#X8 z;XBZ2TjRpKaC$r#((DLl>s9EA_(&>5*}7Ckd*sn{cfLns79A5aCm-UswR?hrv+50F z@$U1fQfq8xd${RBmb^Y`%4W=d+uQeXs^qS4bCv8)5@ch3reuorOpvl8uU}4uyyXZb z-l^&fNqsGb$GE%`?LJEQA%0!DaK=7|^@;fM|DE{BKZ)P-JMlRUe-WRN=Xc^S)o>+B zS9B}7C9?HHZ#=h#bQP^ksyf;t1)Xu zg}J$AVZd=@mm8);5_Efl$~Z zrz9MY5SO%t8{)|Q-4~F-P5C^@jUZQ{fwIRYnzQb;coC%gT%cZ27g2thL@WLa8@-Kq z>1?#C~~5=}UELO+fC@KG1*YSLEO=uzz|N)j+;CMwkT1wfB; zUw;vGLzfja!(@w&O@p2&;LJ9o>L(tI6dje8J+K~3t{rZ}8r17SZdm~_4uASEkNTK~ zg(wurmn0V)SO8DnO1-q;9?rPST_0|PC8p$#eyq50_&y6>4@xmf5#3edTN|CMkF@); zrPQW4rNa#du(}_=r4h1eBxBYwfA$5b?H56DlNfF&#d&MJVLKU_h1$WLkCKcWo)+ET zqAz4C8>n=!Tc~8!i>wW~gU(s?V)g_ideoIxd;5=eawBqDa9gEo>x1+q)(3)HWw(s$LY>xzDk@0sM$qe|L&y%xV?n2%b~=j*IztAn65 z9vT_ZmC@yQ(N~qk>k0xYb$q-yt;c$A=i6^=xfolaG{pa7utCdHV8cIK23{?UR=L$D z`<31jy*)zEz+o9&pySFiF&mv#I~vjMks*nflDcJ)OtN@;W#PpB#hO?VSCNV501y4z z#3RqWV_fw3Su%Wu?WPLZc$Vh)XPzNq*iAOE14i0Uoyzo)4&?0*4U5rsHYkcKvS*>g_X~^%2no7;!=k!3V>FJxgqHwZ0@`E_Jq|i!8@tR@ih2EK2 zjcF)3UHh|F7ow{cMpG_u&ksg@=qwVtQf>X4X@w5f)8RC}EO4-z>UL6X8TRk%KHk87 zCCXWC%li^aIX^2+BSwi|mTBTw&5=qc!4CUz^S{LAE`E&h#aQ6Fs^%)jLaAOCGthadQp__%lbrW5acUan{GtoJ@i zb>{=8-C_6#AQaX2#}@ze_9Fh0UYt>j?aNEFl{M?fQ0zKbM)PK_YkoJk-3^2e)R(hC z>LioX#)>R&W>9$)F`^b~xgyR3>A$;`P zl(JfV#nF@5iC>|%oX!eMudi&AZstYx zE5;B(9x~9WG%<(U1KkfWH?n8EJsJ0%X!EZ7wUh4buebDMb- z;i>B0X0XLVHSrRBh^*W8;^6=drGen*H#-hks`Hk}9%ZR)2t8p~g&B<|-EK1|Itr7$ z1y1Wn7{Z*RZy<<}&rB$*iXY08#$M^=wCWR9&I^n+sd;uPA-_jY0c=nr&v#jln5cWq!S2im-V`K zzx|lx4%@(Nk{+6kL;rE&gEB>>D-LdiiVRn+sKf zGiUm~yk=O0D|D1lRmSgC1r>hG5BTaom^*8wW>w(EW1C(WR2L^Q8Fjgr+onBQ?)zP% zHU~seh`kqL;^|y0_)aOnWOt-^d?ZqfyLjVxg&p`4*Ze6cj-G?D#bMH*HMRZVY8 zBchWp_meddit_2`hy4l`@mB(av@xoc7nOc0=nS*kW{_NYIKC^F4tg0fZJudjf`|To z-A*P}yktYB@SYVbtC1cm?9?^309|irm*q(8lP{FB!YTSAAF)NVuv_K(bD-2?VfQ^i zw0)^{hbI{Bxr0&tu5NaM2i)f>u0*xw1r-e-oVRE}RwDZ-UPAhxw8>D6QIm3G53OvA zgbF!BUKwbh@1B+7qj`gRVMOkvbfwHqp+vr##HzM_IK<08WFf8>X+cZrF@e z{i-Bf?uY@4>!sM^_HLo=yzAVJsMqs>ij29g;!MwKS4gQ5WG&bn{b%A{ah??&nk6d` z4}8mB0}C@AEt9-73@QV))w`=a(V)>PM?fVtBec}s>u z11kDKNDYyMh#CoFDY|a6}97BFLR03!ekDdN62w)nD=RrJ9JGnGe+YsY-CVG&0~0=_A27 zen3i)#`$Qo)iWMf!}$a1^M_Wrd~xg#6k`KB`eJ(=Y8ZFh2tY7LF^gvWFt$_+m?zEA(TStWX4;|>jI892WCRgO zQX6TJY#5R9r(@V!|AnQJZg)RgAC}JsOol zrWNqs?lh3hZ-r6^PLQi;wJ!#kF48iz%=>v(@;9d7BE-WdLGL4JEGEMeMr=<{3Owc= zGQbNj2p1&(L%9W24@#n^fD}#OVklxVU*a5AEJ(ieFcb5JLURkm7M;c%HA=^ zvaM^kP1}{W?MmCuO53(=R@%00+qPY4+vcs>=Y3DyefK##?)PK;Z8650GurGiqCb7G z>^|k>K5lIr(>wwt_s_rR{_y&EJsP3?wtuyaI~zy8`;OXz+h`H`<4jcnNy66h?nNX< zgsP=uJ;E-eVDU`hJXH^rFv$^$8_-Risj4T4Yv-1MKbhy__Y0Qu5IfYk`~#*Nbo&XU zGUTRn)S)ErEBIFcWJQ>w@8c>3k$tzQ&;c0CYOQH9NOZ%AiR&jBlgJW*cO3Mq>kcAsiW>o(J_u;C~I;`)l< z(mW0{J}*8!AS_s{`nih||IvxXqv;eB5Et3iXE|@bI9(F!WV&N!k6)M zwen$k4|{+74DA|>>!&=%R~xU;ommp|1#>56&x;tR#3&3;k}UA zgoVBtY0~&WBxOIg^XlvJ1Pen+q?mFc z^$~HecdEKmCkI0YQjh123E&^GOSx)X0H4fIF7`~rxVb27?a}-X5fmf9Rni}A)+J@5 z$h`5UT^h#4&kaEO=*QEA=)F))g|e>Zv8JD0c>HGe_C5lfOT5*)#IqrBx8^-XypWIv zAy+hN;EBMDXKnPun1$iNUZzE20Jp+@M=ue+R7c+o(DwV%o8W_YBcATx*At|H@!a6l ztbV{T)1SedUsbBg0_V|UW9K=jKCAO4-F}|Tg~@9BIy#$(g%1V|jhI@TeO_d@?oE_` zFv6z{DJ}yNO*G1~I`;QGynB0?^kDa*>r2JFH@UcxVmLTRs*tQ_!iK+` z6rjH>tZ9iZW+gHsoo5mRqr`spLkm5cLyh3ErYcHWs(wK22Q1E=l4+-kz&c_3lQoO> z7F86Sf>nBa8;u4J8#8~`sbGKBoVx52zU95(-)*8EJbAz0q_g@$S);$KK}_15oiiy0 z>bJB8Uyunukfr9m2c_6afr76RQR}YhXcEKI-+URDQt=R_*ob_h??c`svD$<}w^QeK zjhRn-gfW5Qwa3#IugCnR27O#Ww9X{K4j!s;XPG5|h#f~vt*X5etLfw(!9J>otebD8 zcrM$o?yBj|)zc@7_AHPV3#c!Ji7nC#SRGI1B%+gPro^oLT^E!n)Iie)zO3`$%&wM6 z#Js;8W4=ZDMuP%ZZPSmYhk!Tw$03$O%|0gubcJi+8^Bt?nOwb;Fa;@P5V%BGb2m_f zO@`=(+j&ZZT*?i2v=f5gK-GMMPonKqXrrl%_?f82dUzcAq(M|hp7#ePd^}KE;R@X) znZP4#2nCc*QtT^4Q}b7=-O3nH+S>s zje4~wwdsV|!-Gu%CsAzkH!)nz@}I=(eWASJUGphu6M3>dsRdwr zG`RqXtu??xp9-zD$gzUS;CMLWV7LxD5t$mZQBPPtJSU0Px_B4>20xpQc=SwQ1+`i9 z$U+Sj3kdth80?iXl%#e>y-5|w5yG$)11uvoAa*aj&7Q|RWr(9}8Qtqz(WDUI(XVo@ z?rU8g_9}&MSw$#kYtiy0;fI0;icpW{29r4?3J+QO9Z82z=IFT_9ze(26f$(OG&LUf z8u0qi=D}XlC60aJnrz_NJT@Z9dSx5R?cNU~Er5J_s=4_l;>BVG7nbLlR-ihVsfaO% z`4+-k46+RWrV^t_(kltQLv+(JrF6Q#Tp-35?fYR^x!sq&Z*|!&sO>2yYbiHb}ZX_rGHX6JbR66)v=8w(0dVj}irds}r#vDJY zc`mlt$zs7Khdud0ZzvvfSP**O(4ZuW*_vHl~yaV*Bg|u5|a2A-kM$CDYQS zcb3@8$t(?l0+Nh0YnGo5KXb#oue}$)ySsm<6U+#>qp|!ZeW^CP_{MJz9}c|Rc@81Z zoJpiA;bM{rq#A>hk(1ydpmtn*&_D|kQ0gZme$VRQXL!zypf&*$~F zwh8W)DffPT;k=0GcfP@Cx$w&UulMTOL97}PLTxTXGd``x(eYSZq@g#>RG6g;!k3~{ znOk)=%xWpQsmyQ;bsv7oQHLMoOEVj`lyHZ34LY)sz|SPl;61=)o{IesXVQ}kZ=j|# zjyymLWqx$M6V<|%n;6~WttKzeagPs=FkL9#8DyLni*@=yi6lfQlRVf9f*qfl4d?YK zb5lHTz%CD`w)rBkZ#78KXoo}r6wxRn#3U!N zuPwmS;kELwshy<*$<9C&tatOoos6x)VUTT3_WRRJL3~lSu+s(1n_cF3UVE;S2wDAN zx3pkJubFz|?nuI@+YlohO6-pk0M=O+C`-?_+_Xh|vQ&^-?Z{hKLoCaj2xsNom${Us zKV9}{CK#aE>RWc1xR*mg(0?>xH9+SZ)YxFMNe^IzDIYL=+zd@5-c@9qOWUV8y}l6V z+blNg;i{_V4byl@$k=;Z7iO6qj40iu^~v|UwB$-Y@$qKVDwrcuFbr~R$E!~|e+p@d zD!}r6jr7@m7g}=dT5mSt&Qzvgt^}@V)j+^^u#+2Rx;)|`P-78BkSG%^M%>|?VAXPH z71)`^4FhgvE=o7!Uj)9y%@zk`2OC;{?(WzP%Xeps ze?LP0!A=B;nsURBVptDcGpYorw<8Wukt47*@c=%5L;F}XRA)#nVKM|*b3He=kPR+* z;9$mSX1kERYT*m{aXOvQ>PXtEvfOW@5Nw-k^eE>wvD)~w!z>pMnTubGILLmH_BN`A!) zt^4{dZr#sWOml7c>U86(+#sB|W&4@GC}G?HP`|F+kmItJ+&}SC2pN8Wya$5xUFk$k zUen?-R2k1X@a4KBP@K{X!b5~UPv=Je`4&_EyYbWiGJeeo*mAh5XmF8MM#z|8$7PkaOG3Glw2Oqn2iES*| zf#*2dZxE3V)Gom<&n?;a#VfdH_HSL@EVr$En1zfL5V2dRl z$xA0s(ywE`g`|8NkWM(-I9nz~DD&&gxdT*$>{zC@pY8c}m`>q0ZX!sA1`0IRx|DbL z>T|~*aV3jw8>?;GUFTI20nx5O2*JIoJ0e}&IjA|(r!&DttBpzV`m;ScN~=Lof!pp3 zro2{oLp#+x6W7$)oY;I$hr!<|!& z3M#Iu9#qg#i^f()%)K|l$n2O0b_SCR)4{G9tnvVf)5{MvvQWlx^BS+LZpyJ-S2K** zQE0n&8N;3-i>@Y;^+iPL_8U&A)^F=KfT1YB`qjb~zv>mpsGU2JDH<1|%1N|f&myw0 zN12TzRK}fu`n9hiGK%79GP4lroKq60kaW{%wt_*tqL882be8RYEoozOI9*XaTP9cm zx{_U8ZMnO62%`vvxU9#v5g#&BF@bCQRN8db~L04tEk?~dED8L z;n^eKcY^c#9No?d7VU*;sC1gWg8&bH^G1FGY^J^ThgD2{$FpC!9|uo=jI8WXpF;w{ z-u08b_zct_^>Fm-B)XX2op+nRXv~*D=TwXACaJpEOo%CvqkQ#X*3nI_wPYXBpq)iZ zzy}f6<}|8|qTso1-S9Z@^>l6OdD8?)I-}r7?w*C7_P*!^rB}$73Ftvgx56tEhZB4d z6c5{h7+c?bnk(kTTuYZ}0tAa?TJz@^$sw-Aply(3F5%){L<2MlE3<7sGfGaPF4yKO zH!S$!h;W~M{le%aYnJ0TP8uFGln6`OyISeqZco)%H;%2V*}iPEq;VmJOauDpiNOfo zUrs_zrm1Aw{5aK8{Awo$P|H8{=4bumW#Fgslex-Vh-HOF$|-95AcECR((jeF0%5_^ zK5W@fn=kBYlqh-xkd-0w22pl&RDs72C#iZ{RyI%aMgTrKG}t3JenQ>M^$*O_zL}#6 zF^Hb?DCAf++~vtOfEiS&r^$b-xzMc*Q%_I#gQt-`lgx(D!R?#0h*kc^>`kjv8ezH|S&D+0Ey@*kzl<3(BXnspj!k<&Y2k0-Lq%u$rQvGpbaD^7`@Cq+Zj1p?QzR)?s6! z=A1MLf>5so!sv)IDeNPLQsLNw!NYXnkwMU)e`h8SM~-TA+5bx_Ygylin&A*RZ-ORV z!7Anw4Z)lzHEcA9MMDrkMO~e6*2Y`cwv$_E?;g~rq4@ZZ@oE0u_!)m0zw__LSH%6V z@lopjxADRM)c7Pt6hj^nKew8{;tWid(B*3{F#1AujSgh?z_zyU*>_BhBj;RHON_K*~5sJ67zeDq4@=+9MKGIUll z-R@e#qeVoV%CH^@c89rj+v0+sfJL@@0neKrTCIWP-EVwgxa*Vc>y7U;2#4k3h-*xD zCLq-(ZeXMY`G$6#dN55xD;_~t=cn~Yni-M7dtTm zr$K16M&wa?yaC^9?@Dw^QY+CnExei(W5dRsztG?dS}!DF_k6F&+Y;qG7U?J_^ui^Z zWyvzD^kVvjnPz7DPyz{lg3EQuStU2@O}5vA_CLV(!&+|3ASn1A{ptD&B3ZGjlu>E)!8(8=83-B>N?B++@!Blp@E*TN`16pumHoGpBoOD5By%o<)Aq8%dcMy0r07CSzFOe;^RZ*_Mr zI-LpFOA(g4pdZ}218`+ik$NM6p--=64MIiW&Ppv2KW&`4BVtF3j3!E}aL=KYfu6Lw z{<&)ZyLzav+!4^ad%wZ5-%v>zX^9%lw!*Sq7`_F+DzP|*&GRZXV{a{U_f*#cta%tx zj?!ynUHU^(FG6E9I6EqeBEU~AXhK0t7ZXLHb1n8N;l^r8$4h%f1w??7Rw;glFeQqP6@ic*J^u5|(8%{o)QMrrm~gc(a$4)@hF=Lh9@S;EG$J;s$;0t%rW7V}9Nk$Vj@ z1aL*Wc2CVb<_VxvXQ2S1P))z+a{B{cR@mUYurqFD0MT#w2~PS$z(hVbWQA?MYPHx@ zx5g^EK98YZ^}ha887T+PhilT})!5{Kg{fjbi?v0RUK;+mcelfLoZKOAB9=7+EpQF; zl_#Suk)UN%m=peKKx1ol@G%2lWh?w#q0lb%6qDuuOGVlP3?&SA@CX(8(MWCx(Noe-*xO|MU zPJE1)sQgLI!ugk3_O75|7e<{=!VYSRd95w$feHa=)R?-rJqIJ^?jt=@Qw}%b<%~}sZY0mG2jyWQ} zKxm{2@Wc^=AgVKtVVZQ>dR_T5i3C93MV#CF-=m5;dZy6Mn4Ic5Ysh=YDb(q(_Q<=D zIBt$3$u^-?CQlR%sF1tKU>^|qBG_uT?qtdw8OTMkvzq5W36pVPkF}s<*y~@bU>H}Ze7Xi_xw&dp{urO` z-;JO7m+?FPZhW<_{~A9h{_n;wPdEg!@pGylIFKrd6q9Lk8Z`k^^~4(qo^mV4uC)Oo zDBkQo%!=`pC*=HWy!&?4Cr~XHkm+&O(a?-%IQo1!CH%b3uwT7BTs(L(S$sN;A&4N^ z%s{tqxZ|GK%15F>_oA7~%8iw=cFH9wV~Er#3JMOPDWP@I%Qdj&&Dd2_3)5GgphnE- z47T`exDt=>bJ+M`p8o=2fXRx2i17Si12pPFnDDmpUROk~H2&%+9i}1e%Zt)?b!+TK zd}dO8;o-HZXJ{Z5K+cHlnHtr1Ka%@|@*yFd{Y15{*o%;H%j=Qyqx$Q6Hs!%o%_YI4 zaYEq0x$p8iI)bs9hU(n}vs)%pN@l+ew!n_SB~({g?*XZn3&dckCiUD=jbIe>uuop$ z7;t=8pR{=|kv}Mm@GMQrR9i-3kowBCd~ml|tfad%ynfU$V!lO;f606b1moPMm__%j z0c8hg^vo?@_)>-t4Yw;@+Jis_MgSZh?#tG8U|{8N8-lbYUt!ce9AYd8zuoV6({7h4 z%}sBebP*1b$aXXIlpdIX$An6K{)^m0QASgX*e=Qpx;q8NGj%JeQJ;SXi6;6jTsEW! ztH~g|45f9)tsCIaCA@VHf(iVo0W|E6ZE_tRLv#@^o&XadXWVSBIz%u>J89vKgS-qz z`9%)e&V?hQpOl9K<)q7dPBqk;?Cg3ODwR|dg!{m(y z+^h@37U{MVbWAc!VR)nvoW4C3Jc1uIH|NI^ShRgbJJVAKvH>?YSM6JT-!i$rM@K4! zG=AkmRmp`i!|@U@a-%rcbM;^8@BG>gj@J;NMlK5-CkrlY-U~UHCRqJG+NBg#pqU*w z1WX^oP}0*4zSP*>&ID;`%yV9+A|DKDKkzbnsT2f5|8+ZNP}rsIijug>1+}%ilR_vO zO5TuPNLJiKW0~`mO|%IeQYKG35{RSUSMnXrN}G@wcQ6#E#}x`YMe)pXOF$91|HQWU zd=xq^v>7IXFOj&-Rfn#>mgTx;NgS`+!FCwG*Jy=w5pLM50Oi+A<`rdwkxO>aOnR7g zw9ULI0uuOq1gG|1I8ih4SANGEkFBZINbV#ZY3ykc9dVoVW_nO)eCt!kU8GT9e~Oa# z01YM^QFaiiY2xpu9NgUh%ww^@HvzyC{2nDxV$$^UNT%v-Z=UH1o0&?w883ssZG?-_ zxMmzlk{HqkpcFrQvNwAUQ)!Pw#~*zHiA^{QdY4erFTM7G0vz|1YpjASpoF^};5+U4 zx09}c$aVnWkf}q#{oC*9Oc6LZ{;N)Vt#0!~7?@4Q@w};EKU#?WTdHN805sfox2VXqwhq9ml*6!W%kA4^B)&x^zuF_!2-#H7w|LzE zJ)Qf39+W441dda))v*TE4L1$J4@&wFlBZSN5mJeO5LezwPplpl9`0Sl<896&+lSf#j&Z}_=d`pi)jP#O*UC& z6YSojbl3t3e5G+SRhKHNK7r5Q&~(@Yc)NzBliD1UJ>Ajus7EEY?(w|=H12c_Q-oG) zDyR1Uhw-!iGJgBtjjyBqU*p@}{oVMVhB`ByQkf6#{7jTIGvdJ5Dmo%7GAYy4MQl@7 zxui!tqG<-7-YJ6sC$B*#Y3)kZpGvDB4i&b{<*0=j697$sRy>YW!lqb_Fuy{tQv{@@ z@G|Ek++bYCoN>{1Dbi=;{ZRx%vRh0UPIjWijD8d=Cn~hy%GUNftnqCX5;?HHIe9lF zjxXfik%G@{5B8dp{$y=f;s-0DaOE*>p<-Og5(gK2E`%7VX)`;v#nyMo&kuBB#dyh# zro24u0ZGZxkAFQII;qp(XLY9rM;t!(Ho*yW_FS}ugbvmmu@Jgs*=^(-W0^)5`WYKy zbG;|^Hf=NSTe=Ou-y}B$Wgyj;mb7Kk^_2n28oeor<@4n%gftmnp@e2J*;|yX)iv7( zK1nad>1jD*9|s=H5I$G1GWBG0QNe*(6#1gF#W(pFxScR1M^|$fz;&H11_LHQ&q|Wu zI_cHDJt&PizV^$1*FcynaD|GT7lJHZ6izv+{-8uoXz#70sl;RW+`}?m*RD?>v(=qV z7JlTd-yz20rW97AE&hniBB&^hqY{_o4Fbxo5ZQ8?@n?pY(p~skw@c>pjXhr&QA1UW zPRhx8s0EhVy$!J#i8y{P^*mrF3R2#WPiDq^}p zVo+~LmGxK8mdjPoYC3JV&O%}Fiwb9hZ)9)hl9+xmrKCZ}tP z!+0r5qFAx1iORf^8ZXV1)fIbgtZoT(*j1saYOG069b)j}sfe|iqcd)~0*DCL`oFFv zV?qtV$6^zR_&k$DPC21Ir8!l4hoKmP$kPow`TJAd|HLxn$%vWpD(Iy&-(nXUY-dSZc zD1|3YY#haBZ!s;q24p>!_X%DYZNVU@;)`ri9A?GS*Vd(aE_M)C)Xjic<;~p&Qf*(C z{xl6)4^^LXcR5r0l6R7HB&LAAHgwT#9_?QZ)0X0iscEBRQ@!o#>ueDqJ9{p(;BHaX zRsb`*t8vtwjy)p9)nKD}-g$PqXtl!^8U0n~SxC6={gDTcF+Yr8k)DwP{rjFiV^Bd7 z5{i(ZaRSV7hm)){F>Y_oyE|zfPWQZz3E62);&qHyyy>M+XjNQcxmj3 z9!MZ5^ExaExsw`wRpr4c0(H{~QQRXi2Cc6#Cys;P)>@c_30w!!?s|s!Xxba8GHxrq znV9wqMuM-p4S-MhCN1R}4xwP)EhP;PbXIw`2Nwt9YG2q`fG!-W^6b$*Fby}34~UlVDb$X!mEW(7uCxQ2~bj`b0g*XV@QDmF(;uc8WwAI3zc z>9zG*$M+L>Q7_ooXDzTt=zC2+VpAJK(H^K;+ugjZaVthz$m)Gp zII$8OvuNbV-!uf3oS)!I6rRhO}3ie6r_Ay?WS#L<+(iKYoUnV{C%x zh&h32YnL(zY^g(0tD?%ydEnG4p*%adUQUNhN^B4}@(2N?T^Pt~5~THZDmty-5dE;~ z5hQiw%PTx|u6{R%%}i>+)BuVv*|JDK4d7$nKMvO>TVgnQ_gma4U*9`J#!UjqX(kKx z+S5=#D_jz3M*d@b`hTzSv;Q)F+ux0E`1xPsKk)wD_?;eKs^em_B4Ti;?M(+vHMo&- z1H(NtY`eI{w?ZsYtuEs1q@QETb+8PDED&Id^i@7T1%GnE_+gAaIykc)P2O{roHg#h z5C-A-RlZZ;mcoMpM8vh+O&s5KhU56A>OAi`!f^l^+tku*ZBxMtc(}!QmCP(phk)CaPg|H)ri;F ztah3R*7!Z6#J+?_3ocU8;?7R}JB+1wxGv^y=fyp9klD$Wce&iz?6ktKfZ_#_Ky2o# z8Hw?{@oU==NDQH^Us;4sP`f~MM*C`W2kgxVpp#~)_F~9x8NxWO3DF1b z{M__sAu;&uLPg1qz^N4zFJC!IoeR%xg+B)@e>!*qds$P7ZUIiBrmRuMbR^q&dxCqL zIRNVr$n)@F@Q3%1I1~BD4_H74ZH=D6PhHTSc5OL?cFJSfUg{Ik=BnVni7d{tIx9k~ zleq#7gx8n{Lc!|D3Dh66ZjKU>J)wvomvDs6e^Pb<8A33y9I_YIf}cE#g85%6U%^L$ zeQY04jc|w=`}^C@nWbv(#EwO{n||-gWxUeVSy?LT7&gXGG}i_uCX{C$VDWoMv$fx2Y=*+HjBNZ=$8RhE(m{{?PtDn7D zDQG6gQfj{nIN=LTG!?8NMv_ZYz@ta$TH%b#yI}|y^`aoa0SX^ zCfQMo9`j+47|Ss>CoWajPN6ikLhEc@^`Tz%k`PPg@)8}_Zp{)L;8~jkK7>e+TjY`C z#05-+v*1$C=w~v@faFJ{Evt@ssW9JR$d9BB=9G%Ax-Mwcr$}B%4&b~{%QAyzZ#Iz> zRgnBodiU}mt3cTjgc85UGKtGIla8$xSa9)BqihW*GwMs3y{xx>D}m&?F0ZF;K2R+dt&SgfU?f8~iWM2>%)f_f^pSg{zHHf&+(vxnn=w~|y1hbi ziXd0C{_;3WFonbVJPZ|x>m_S^263VoHmsNk^m%R)tgp07V>W-X2lo<;uPuqWztNv5 zzNN~x_SXub87FwH=b448noDde*-d0LSn|^DJUWz8H1HuQc$3lwqiEDj2&@9W#W&2Q zRpF=|S5!EJkAPoHY_n5F#qIpL@b66DfPtQaBXaa=?CQ=VBEgXijuM{W!kc3T+tgN_ zPhO>vswXSk*?|2Q({r&lzhh3B7x?l~4-a&u+B8N-G>Kz~JQliE8M`SicvZ^)lqIV} z`zw`apU&_0|B(4=$;%o7b=sP4V2xCw%TMF2!f$qU)cy2HXm8g-GRRqJ?ps6OYrF=C z2$y4|#W-B_FkI@s2B}E(-$$5cmIQiSJay!HM6&sWyHHQ9qA>`4s*Be#g!U9uyuG8E z_o5ZRoV0@zaU8(2+8iD{{al$&-{XDnNcqfT&MXS}Db?<7k=+%5?vKes=zwwXu2(u* zgG&&Fc>MUdfnYz$r=?ty^;K;{@IU}VzK}4r z-N_$nVXg{9!A4`ej*X@2H%-Hb0QK5?kxr3dk^@mdP)2bVL{%Q*uwOo~w+(QNjGegZ zSP>tCi;ntZa&B{Tu*Nct(sQWh^pEiw|K0dGe;L2^@5VRJ`mgbO|95Zi-e2eVcV!9E zge7Q1d$`ho3oV+0{NZW#Q0QTvi8S1j~`WDEs(-mABJ3JV08p=uxZp*pHHpacI zlS6b4dp{Y3`FF}tBF2QsV7%`Xm3_s9%YnYuv`jYL+N6y=6Lv4~JKrK#{P7GO6b(!@ zi&rravT=cDPvazhGE~6FH0z7Z|7`fKqBZvc@J%H*vZ3Lr^Sy0tptz)^Yw~D8?#Gki zNwOnzhhwVRe%3o+Q?`tM>N8Q?63NLzN@CEQ9bt;TIztbN^ayy6@$ORC&>kTz<8g43 zol*s$6(%{gP?c@VvvWcl83Mo>`E;-?UvdW_Zy-@?%koLSE|a&izLS2SWKQ)iy{2?j zT?2i+Ay9QG4v-4IG06U%Kp@jPm*GNQM#2)1C4Pb69Y{&9Sm+K}5UK(w9V_$tQwsn= zzY*ck8}UpU&$cwAhW&;>Fnn=&^rjADnrCS8b{106nP(SiY`4D^S>lgIg#?+ry_ZUX z-{ZkQSEp#AwJST?ogB!%F1R$00m_Oab9G>jC%EHKSK)4b8Oe4{-dWzzE`{(^cK1hR zaas5jOKixE3dLp7%kPFZzVo`q7oEnp0dg;dWt3(~A;limIpk6y-W(nrNwz~a1mwu$|$mzb)kV3kO zGEnonGDQW;sC^f>aVBVE1{j4(SUN>(a0o&g*E(seLT^1q`bFdGsgY0&q#4$<(&i`Su1t< zJwxvXUHSep^W2nR~~y_+U_BGM;r`o=z^C+$+__Cq#RQ~ym{jz?VK3PWr5r=zbh{Di4? zO;)SQYiGyzlU`s8*`Oe5IR12*q8(^h0?uHru8 zqNaSA_L4D+4R6`{I!qAg6mH;WnlExdAZKUj<1Ikl(*Zy(qLzufk=>~^YbR;#2DCoP zB($`zDhA+enFXkmxKdBE+2Pgcnww{c`-y$l)TTypG%7}|hF{_WIsyj>BzLh?_Pe7> zxrPb*9p&y>W-%388iIk}XGy~H6P+gsTN$pF@;12_AfaqkF7IQ9{87pctlM3hP-ius z){Z(g=XHN1=u4VO0UnI^iulNpBXLMa8Tg3!6Tb1yYfUDd`Z5T*IJzf--vo$#ZPxS1 zs1k3X=~b&POJ{EyFSw*+aper#YHNN)bJZ+T&; zt*EZ|}nKg{}})KzZ*aIFXOlT-T1aV z|26)V;@@k00wQkNl;)Tl3?A6Mbqrbm2fkqL3RwIl}j3* zc6^AqZ&uBEgazZ0Ck^ylT{#Bpxj`wk+v)wR$+L1Lx*TA%__nhpeKJ`nH6qLV)!N3= z-&_jegy2-UmrU5hB{nS!z{qKuH9%EwF07u898>p@`|}@#SDMkyo%Ro_9Qve%>#Sp+ zR9H{BGHA!(0l{fl6fdS z;HkMmF`{r2#{usgv0JNs)C-|vU9A*CAE3h6x(!vG-@}3DKf546Fod-A+B_G@2Ss6H zYJ3QAem8Vlhu0#ZJHhG|;NCkH%r?ujed?fq7@VXFQlcN&k8=i(^SGZUQqxxg5MZIj zgYHlCmqCpv=oY&oIt}bC*VCVpQW;?oS$)Ba5?(b9Nn3feFc2k*^y-~$q`?+3>Go>! zEK_~=jm9jM@9r^;Jk(;1XW^dEB08zRYQj+HOEDclqe+zFiDi2Lbj7*xbtsH5t}oVr zXzqU_UDHbR({BEp2nKV)(I1>Mh$^_>{BmnjaVvw{c04D%iR@^Sq#<8Xt;&zZ+^6T@ z0(i98nDQ)lx9d-7HD0WPr_wwBcn-;H=2H&Fa)()CGoI6=7zblQA{&=X{(5FUI@-=9 z;tjoYhg@7o;7!Kww={F=fe-$CC&J z9s%{NbTm)}G<(a;CvpOriqcLT?mZ&EdoKdRP-GKlz@@jO-K9?SEdtPrfMnR?`n!&1k&uD#-z=R&{pms;f?;_t)j7tg3FhX z$*oq6GPi1RTI}Q?@N!geS!zHV`Oo*1F5;;Dt|)hcxrw0w04N5g*w+==RRG<4#k{>w z_F|g1*nt;0l%C(rTMXnApN_r*>M`0_k}@ZCBRvBoV0JaiAZuZg8?Rbw>BFRnzdVJC ztk*|$X}nO_1{sW!BOOP(bq}XC0)Cc{fjPZ{8abbxzCT6wE5f@?8;m~u5JP*8PJvFb zd+F?2-E~3II0xg~7)J4DuYHsuO~Uwa_UA*+CiUBUa3z4chy~fG7+TblR)qnT2m)8B ztH%y#U`9h`@B0Qq){4rOJ-rB^TKdX{+H5j8CAYf_Ew;-|v&;5SW33sk4ukgfiCpKwY*gB)P%9=~kDA3jLquF% ziPW`U&#i6->}zQQ!m_1`^S#oRPUck#u?-4AQ~||Ci$JC1=zDSi0P~2U;*b}45h|({ zBs{e>R(hBkO@BEJ=37>M=}{s%u~cY_XpFBQf)OuPKgsK2>UVkA&vXz8b)Y}SXZm;J z=lx~;=D!=?Y4g9vN9q2%@z;H@6mv{J2NT~yAoukKO@T&fm+HoZI~KYRN`NdZAj_%M zd~{7j*fi3S&o4GcSI6B%QsXJ7CuI?o)L+V0IIP^lM;LNqMSV&qrEml3wYkW~R26@N)AX z2GrWxGI%|dirhY?BB_94r4&5Z80=&p+X|uI{xMq!0EuzPbi9v#wG{}O4 znXE5*ne#9e-EXcjl9^ixa|lxY6zA%l`v&|d_!Zy~!LjP4;>e2OHlpe4k!w{_4vhtE z-P`I@+Mb|aZCPjI2hX0*HOG>>i-_xUwF{O-%|qU&rWcEpy-mydi}d?U(eiDj>y`lb z2KRI7)-6M*g!*FLv>Lo9gxLg?HzBUL{8sP1(pdKMZk%jpLCIUCO^L;bEa3*RlHx>t z6D-!UI->-7CDmH|$*NLn1HpZuZZx1;M1O0J9hz{XP#$i}-V$acDvwae?%PRg@BNk~ z2xQ+2?%rxK>NAWPVKeK=YLqqyS>$V2S#?=YqU2{9_4-wF&1e}}8YsVzEnB$!Z7HFL8FC}Ee`lwkc#`4w^2t~@zsNgw#chx)d z0dlt%L|Tg=aP^|_a9n|VhDv7v`Q}N-;9wk-R$@hp&lnMsA+n7|xKJ)?Mp(tS^i zUUf`LT_TE54hIN3GLTyYas8P7WLs_I-u5<~B;(fKL*L-m^=xZf-IY3;d|>pi^NqtD zM4`-Fb#~-3*JC3#byfS&(hj5iLsrI3-wKS%UJFpwv@tvlz*<0$m0eT-i%BiGb~r%W zO-7nFXEz`PUVY4Q4Cv-eMJ`+m5qUm1%b|!v5oDl1qt5p-5jo~Uv;}r2CpQW!N~`Nj zin3v%iq;?yNUVq&;krhV%<==g68&8W%qf20W**Q91n|Dca~hzVB1_A<9H}U}9x2R6 zDDqXH1D1ngafLp&hvPtqsP~1vXnVzg;ik5&tzFQx{z{hMrr4=;KPx!hu`&)uy8Vde zAK(H3^+~FmG#-GGu;Uo5Oco~{Ie%1-b#7x7`aI&WfvNLvteE_n@3S+arLJ44&=c?zG%jV!7?if zb$kzHxPqZI2#zFXXj2amjwn1m^bXUEW&qH@vw2%Ay z?Kw_@`u70b^7$=oJQgP29~1+8nkQ2Y0?-kPu@Io!d7XsHw9zm1E3!zq0oweT!lhU9 zXeNqjYUN!n=le*&)ppdBSQlfF?L>>Ii)TM3H@#oX?HEF861~1zgum@~$Ib2QPdE<2 zEFGpzz_dajN|?3}devBTOLx6{rNWwmg%6#>X^~e8d?>{QxS%YLY$H&erp!0TvW&(O z0WQ!sm267@j2ibQ#@Wp+aN+^6`rIJ9e2f~b-xvd9`6kR}RBizKV*wy+ABytisO0x^ zXx~i}>yXOi;dI1CXWEbiEMEaaQkwD2?xNK9m9^ z5J(62$N0>@jeq+4Cb2)i|L;f^fc3rnKgI{B{=4x#y#F%(?~yD<|4E7cPGJ3Ys(BKo0iMY=GwJk85u8_0Az8|1s1V;lr-)qXn;+o;{`HmuK?0g-%AMhAw6=|jH zsB9o91t|ulo}#<4!e-U*9B%vvrJZRD$?uK?0Q~=SBv_`l8@@dWmA-3+ZBO>Ta_FM% zL2p+<^;!Pe`On`w|Gy^}Z9@K}*(~h;nPyYO{gX44{BsKzAOsY1SCrhJ{MjF3(7zIA zPyY}h5&q9a1OQ3Te-c;zm1yyML>eEMjp09uI@*8M$d~vxBKV&*{yS02_7Bl3?4Lx# zPhSKC0FLzkDG|x*4{^lnpF~@pKWn7>&y<({{EvUFarIw!&3yicSP1t|qSNMYq8sJ! zhx-3|GXFn_KbZdzBL@FT^zi;olp>z~pAvI^cRcWcacKUN=t=sUC_?<7OKASP>;DHq C-BJz! literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test new file mode 100644 index 0000000000..80a041c316 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) + { + print version, timestamp, signature_and_hashalgorithm; + } From 59f0477d29b168673b0e706fd3f458bef0116f04 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 3 Feb 2017 12:29:22 -0800 Subject: [PATCH 139/288] Implement ERSPAN support. This is a small caveat to this implementation. The ethernet header that is carried over the tunnel is ignored. If a user tries to do MAC address logging, it will only show the MAC addresses for the outer tunnel and the inner MAC addresses will be stripped and not available anywhere. --- src/Sessions.cc | 27 ++++++++++++------ testing/btest/Baseline/core.erspan/tunnel.log | 10 +++++++ testing/btest/Traces/erspan.trace | Bin 0 -> 117979 bytes testing/btest/core/erspan.bro | 4 +++ 4 files changed, 33 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/core.erspan/tunnel.log create mode 100644 testing/btest/Traces/erspan.trace create mode 100644 testing/btest/core/erspan.bro diff --git a/src/Sessions.cc b/src/Sessions.cc index 9361b7cde2..ad82f1c736 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -431,7 +431,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } #endif - int proto = ip_hdr->NextProto(); if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) ) @@ -509,6 +508,8 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr uint16 flags_ver = ntohs(*((uint16*)(data + 0))); uint16 proto_typ = ntohs(*((uint16*)(data + 2))); int gre_version = flags_ver & 0x0007; + // If a carried packet has ethernet, this will help skip it. + unsigned int eth_len = 0; if ( gre_version != 0 && gre_version != 1 ) { @@ -519,7 +520,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 0 ) { - if ( proto_typ != 0x0800 && proto_typ != 0x86dd ) + if ( proto_typ == 0x6558 ) + { + // transparent ethernet bridging + eth_len = 14; + proto_typ = ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12))); + } + + if ( proto_typ == 0x0800 ) + proto = IPPROTO_IPV4; + else if ( proto_typ == 0x86dd ) + proto = IPPROTO_IPV6; + else { // Not IPv4/IPv6 payload. Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr, @@ -527,7 +539,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } - proto = (proto_typ == 0x0800) ? IPPROTO_IPV4 : IPPROTO_IPV6; } else // gre_version == 1 @@ -559,7 +570,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr unsigned int gre_len = gre_header_len(flags_ver); unsigned int ppp_len = gre_version == 1 ? 1 : 0; - if ( len < gre_len + ppp_len || caplen < gre_len + ppp_len ) + if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len ) { Weird("truncated_GRE", ip_hdr, encapsulation); return; @@ -578,9 +589,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6; } - data += gre_len + ppp_len; - len -= gre_len + ppp_len; - caplen -= gre_len + ppp_len; + data += gre_len + ppp_len + eth_len; + len -= gre_len + ppp_len + eth_len; + caplen -= gre_len + ppp_len + eth_len; // Treat GRE tunnel like IP tunnels, fallthrough to logic below now // that GRE header is stripped and only payload packet remains. @@ -607,7 +618,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // Check for a valid inner packet first. IP_Hdr* inner = 0; int result = ParseIPPacket(caplen, data, proto, inner); - if ( result < 0 ) Weird("truncated_inner_IP", ip_hdr, encapsulation); @@ -794,6 +804,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, // Construct fake packet for DoNextPacket Packet p; p.Init(DLT_RAW, &ts, caplen, len, data, false, ""); + DoNextPacket(t, &p, inner, outer); delete inner; diff --git a/testing/btest/Baseline/core.erspan/tunnel.log b/testing/btest/Baseline/core.erspan/tunnel.log new file mode 100644 index 0000000000..76d2784a7a --- /dev/null +++ b/testing/btest/Baseline/core.erspan/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2017-02-03-20-27-11 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1442309933.472798 CHhAvVGS1DHFjwGM9 10.200.0.3 0 10.200.0.224 0 Tunnel::GRE Tunnel::DISCOVER +#close 2017-02-03-20-27-11 diff --git a/testing/btest/Traces/erspan.trace b/testing/btest/Traces/erspan.trace new file mode 100644 index 0000000000000000000000000000000000000000..64382645ec07aabfa8a1dd94f2dcd1c2d3a399cf GIT binary patch literal 117979 zcmeF430zF=-|(kGM0ToaWq?9CmuR9;7<6o=$UBq}IKE1t z@H?OvqRg!hO)Y^wOKpW;sU>s|g*qT0mHy&y0}*ftPDO1tM+pc`w|8)K!aKXTy1DQ3 z@bn^h@AvWb^A8C8^=*h@mMUKcEtnw#$sqWHL2B!FlJ5-C`yd9vVJJStfkJJa5Q8jW zSntJ`0RuCnBN@iT|HK~=5&8=hb;~WjWxffHdLJ1TejE5)zMtEV+)ste{0VfX zP+XAvW}wVP$18J)A&ftRG0boe$uR27p(|BO+7m8w1{5FS0J%S5h9fr9QE$PiLC2^v ze_pZ$X4vsNgQ6lR;UBh-*6xLV*JX|X_W<+-3Z=yG*1kJg?-LJM;^6gys|5c-ximWn zoIdJ_nhO4&1>R*QI0Tl@5jpuIkAzS&W`ZxjzZ3W@iJF6&yv;@ zZ18I+0aesgQ%l2b63Vi2s43tL7oo(!izVfNTH|WI#cK+m)@|fz!2w4X?*q7aA0vv_ z6cq2w@roB>ILV*E3}*Nn$uLIodcnmzh$!9(F~|dkyj=qPE@^X^;W1x^pBEQ=Nlz_- zD863+-&5^ZLH+mwipt<0)dG&1hKxGO{?Dk$SbQoHD5}7msr;HVOE~IvzER=JN$4S5 z=4psBHvwfnYrHat81(rwY=arDAsNOfa{^rE1Bf!85Q73>*k{Do18BrSHJ*fI7-j#v zhexo7M+gsFfQQ-Rd4L#-`7_wS42ejFF+6y~9_R=U6Jk&V4ChIFJ?w@V;*ktvcu0di zJVbcd3_Q#k&jZBJ%%5Qo%y0?GFouWyu!nwxhY2w#0fy!2d_53hh9D%v7#<$O9v&b( z7y}P;$MXO&*z;!~!3=>&hA}+&z#jS#9wx+~3>bXd`FezK)1gK;bB4ys(|5w6<-gaM+6wqNQN;yq{ANWAv_oY z4-3Zg05N>y&+rarkVP_#;lUsFKtp(#FoOpFF5m}`#L2Nt^5X0)Xd>P7NhE+(0F+2pq9=Z@7Cd8lt z7))4v87g50aU{bS9x`ALcMu-*fQLond4L$6^Jn-BGps-|jNu^&_Rxv&Fd+s_z(7(G z;aB~Cff<${8OHFC346GW@SqDkEFRAT#L&y1p%!LXjAR(YLon>21L0vp3|fF8!Hutn zZ!p6GB*PdUvS1H?BRpV%hb7~AfEcL!8R}t%`ACK_JcPg=+7TWm#GnlrF5Tekp$TS~ zgJc-PLpJOo8R20g@UV0|4-i8Se}-n5VK$Os3=g5Ohc<+V2{GsZ2IUIA9@=4s8AygP zJmkP0ZXrBifQMz{d4L#N_%n3C4AYSeV|WOIJ+vY`Oo#yk7!syW=T|>4Achzol3@%F z6xhQ}ga;kqVflC-Acna!_%aN^3|u6`7#_l54=o4}6Jpp17|!YPWnjY$OeDh?9$vs6 zZXi5p0}m_4^8hgr_4qPyV1{8N!x$dGO&;hbHzPbuhye>297Fgql!D0wkPib$hA}+k z!XB<8JZJ$A;^TRM7}EJOfRhFcbR@$V9>9$z@X&)cG?^ff;&`3}bjW0DEXec$g4_9$?66;_E>aW@tk)jN#!G?BOcH zg9h-hay$Pn$uNe82-w3ngog<+7y^d;<9t1=h8aqc3}bkB1A9n9cu)l% zR*&ZaVrV(RmthUeP=aI_!^2_N!&iid2{9M}25IJ0K2r{*vZM216vNNK{|QbxKvB>0 zkBT0h0i*2yj5@(72Po>ZUHoRxO6B0FzQ6naH$x}2fG6urMGIk;*C{mDh}y$`C^?e+C7Z;Wd(BR2qGs96bW3G8K`^6Jpo| z7;J|5dVpt?VkR=91jg}zhsy{L%D}_g@jO5bk^C9p8Kszs%qSg&J=7sQOo+i4Fj$~P z`89Rca9NO%WiduRAas zU!4@E|ju2Z&)-5MKs();ngztoIlmPQe~35gsPQU=A48-Q&vu zZZ?325#7TvJb;NJ;Ncv?gADK>JDvxKfzF=+bo2p(53(%A@NgRT@Co5zLJSsw!Q&fW z51>T`3Ps53vXj(!c|HJP#1VW&RAHH3SS^NQN;yM8h5`5FRGPuoW=GFPg=# zo`h%rV@AyWkKv&d_7H>cAO$?gjpqSkXyDHPvK@GEn}CNiu!nMlhY2xk0}MxJd|z}7 zChtctI&?0Lg&7=?3}bizlb7JSIE(PG0eFxf&jZA85DZj7@yB2|2QxSz8OF$mv#^IU zgog<+YzGV|L%t06U{9iJxvLBq*wz?^N zM#erbfKKZq4XGANa~}NhW6k-`F)HNxdgw(cNHhG!h)+<|0sc`J!cn`CQAZW%&!|6E ze8aK$tgnZniczPaJOB%Hj9OQ2`&kT*+JcMGM$Rm;YSK<}XB! zS^L}s@lPL^J0kYfpRwgYY-hj*9iz^B$LGax><(mX=!HMlzQa!8eFf`;KEvnzYlz^- zd7lRHZ<){DxPCgQGQWR7XZ&!IFvi5-4iar17E(&KIhJqPG27$~GeE zqK)fC!ELpX!8QrB#HMZA%+d0)@}eSGM@PK3pN53Jx3`CzqrIOS!3!NE0I_a9yjy>F0%y|=W)2K0uXv1Lr`y;@_&d&8MM+a)n~$3lcnjz^H6<)f^z;-oC1lOO>Fb$nl~9nC zlU0^eRZvBIPf=D`RuOzpeZ=?Vetyps@8o7Lp$Fa)?;~NZ2V%*s|8))qUXBDOH!l|r z36~HzaDHItl!v_^UQ}cg!55r`yt;y{yo#Evin^?VsE8iH%M0%asn(F#g2#KyU_IOd zz-zJoey#)`w-C4#G{E_om`ZH(*lN1X%52+qELIl_K6I6gjR`K$SED|Runq=J(0BC% zwY5b>L`9(7QkN1&?E`rQ9iwt<&u4g^>qH|mx1bk(udlx6HI&hUiqaRL+SRtRas^5 zBlE5J{r-4gKO=uPCk+WFc}FJ|Wd~&$WxS%2jFO{@BDi71tIDXUt2wLT<($=2)W9!U zTU*OOxmHIZUA^5`u{Jx?Tw2O{_okbB91(cdU^C)&UEm07%C`-9W4! z;K1qzV2w<%HWuLhz^nDJdOJK-?cLS=(H0;a^Z`nChm1KP5buL`lF<#;kic4+LuoB4 z^2@EItGy52oZ#l=w+(Oa38{B;#QTCQ1eXH%PgPDH7~COaYAIvv6+qaB$9j8%A8JZK z<>2On--@?)!g+ZFi;C#OX1Dp{r6uH*B`opY5(?mV!6ywxbqz%|2_sVw7G$#@CQ!&(zCR5=QNwgo2OXQ*V;lXLx$^SRXR=pv?QdGM%(qs2WPWmS5xV->bE{ zkYm<<56u^0Zp{K6p8u`Z{>N5p`cPIIVX-z?V;ks88|bR>g0EQ%aBb+q-!yW;+G7pD zg#}%8;DT}bRR!uPKo^Ft%@$BC+UWXjm4jYmZmDY{@8Ge+Vw0<)s<)Y|iZa?^v*Hfu z0)#G53#@~Mt~VB3`1Tgi1#E$JbOGN7e}W4$7`ouWg>Hy71Sl3*Kd2(GfI~xXJ?6&_ zD?>F$tg@3O&euc5KuzCFO2x_)Yhm!?7Z4Y+jk{BbfsM0?|BfF&G=|Redxc|x-SS(- z0qU5sDhN|h_vmiN8UW58zYi*+KUPSfy0RFf0s_^S3)Vx~Ux9#j2#~`XfT93GVZSa| zP)#Dv{5vl6dApyfwYgNVldtKPU@2o)CxVCic4d15Pc_{ge%=nITm0Qkwk!KNZ+1~P z-U9Le`C}i}*hSYEI$z-10;{KnHMPJhWA%+eg^CTr>f2y(P=yKoX#xFdJnC(J)-~~} zBK$gTl5oeZ7FpN)shLBqla7PxnwS5~C%~OXzlR;{`T+CUDE2=cHy_Zr&eoZZx(wb3 zI)1O=1W$k721Pv)GG0_cC+UlD;|eVr_`U@c8FdkgE&3SIxGKsifSTF~RMd`s|J1(Q zg1tc_=!XyTL%aHUdT2^Gf=0j>@29(BBP|J<|Lz}qO2;T?kuM)W3S>UrzEH1q$+Q( z4z)P{G)$ZD_8xw&mW~7;Kn+?9bG(nQn=jmsK+QTh6CZ!jBl>UB(y9NsrIS|yojFkv zEmzQB>S+17`FY@V^a+mso}f7d9oGQ7lNS2>ceT*)Yecjh2u{H|TCVasI0tu7em`FY zzOl{K%~!(d=Wl!32TM5MC7cQVUQQBP_7a=68W?J?nqbkb(s2d711+?@jusjY2<7TC zuo!U;$W!PTm8(LZ;aT7)L1eB%jq&fTu|Snj4V0^G&|*Y*%k=lwxIW;RbwC$rjm1RQ z|7eZ>kW>GA-|^q_zC%<5N{}Fj8K|S6#G&K&1VIIThNs6*9z!Mwlu7@LZ%i$L?|sdr zFQHHe<_JKWuA$0|hdK`a)0mNTy-8p;7@UDWBn&qhVhwZ+3_u6>5C37YD3k)xV^Q093C|P3A|H15=IKm-~kj{2Qi%_Bj1Zs>6Uvww3QSI0#W4A2n0+2P$9{ z^q-&|MhihS1{FyQB)oOX$eA9A6|)~z{V%|7}YP||D_S8 z5=K&i7mvDeLm3HmLsU|`02O@WR-}YdMk!9eh7u3}Ph*0A2PL2&sG=?eW-5fh@PM$J zmyErWlg}i3A8*jlo`DiL4RC~M{2IV7a03`Qkp}QJEa~{amlO@CD*1LoYo|k!BCC*+ z#z^x#nCjU79V*RqehpylI+!YJ0#t8cs>o4Po&RY?n)#)9ExcYM^40{X-ojKz z|2@@NK(%Edze>FpZk8h_(k#D&sgC@6s#rj^e60{F6kHq7G3w&;to;m^pcv8>d?Ecl z5w0ghgQ%oz0oC`5PZ?Z%=;=u)!GA73p}@evNkRJ@orJ(VC*pBw;0bFG%6>^9)HCqz z&@l?-PA%LYJ~}GJN8Je@kj{rt1dV(=LP64@ba z&VcK+`K46lhf<;Om4eMT5K0a};iI$$LOD9>*(rZe`W{wlh)}8mD-{}F zDM0zxO3$wsLiqqk&@n1CoNB+oN|%kBr5ZxLuu}XlrK&*b+Ue&}lg3aAH5>xxfk_ud zegt)5u*q)|An1b$oPH6g{UDe;CIJw55fE%L=J%|;I=BOUG!#hywE!c^^5;UC32t12 zqQ>%%dICQ05w#W+bVM@$j5@)MYfx0ty^~Nx@HWsfs=U4H&cRW4{C=+R3M--Sv41@F zamBcgeH40kV15T`#hj#@N+1>}1n6T@ptrpfT=o#nFrWd|GklDq*w~V2y=qvbHc?=Y}`P0~ug_p$&hTmpH~ zXf%mW$F(jUrc(NyYQz-@E#xwiF4_pFUWWXjf*LHP?;Y2Jhkj<{I2~6ACuSAD4o2N` z7)R=NoIgl{wl&NVApUzv@qo(Sg5Oe(rOpn^6T%n=CxzeDx1mS4xU4j$7z zGLbP|XvzN^fv{0j-T!GqB>-1yBK+k0_~jK9Zu*WC zPJjwp4nIfWXPWf4G7!KGpACf`2Z) z5xqsYS-1iSIQ$9XU;_K!y^Om2HKZ$Gf}fQVM4$!}OdgW}bP19HLHvOksCJMQ(D8f2 zH2KT7#S$Q2Y+c49n0`k36Cjw9uJp^n?{i0>E&R3iO+ijh0=ETB%-cJ<;$@)4Q9c9@ z4GC`_w*au3N?O9xK1c@4v}=P&@1HBD#+@p>I zNlPfoOJMz7My$~KF>h@GdgL;uV11&q8y>8%8*4q+k5^mS`#`J8;B}!gKSTZ}s{!Ox z)YR0JH8=qwU&jN4#XakB7GXrmb?0`h)DsmcNc#%_kI4RF517ndYc<~LsNHbkeQ`iAkI=Q$jr(j*i@e&2aXWv<(d-s@5QCP z&D9@TPbY(O^pp9yo=yoYsZ)Sf8E8s?6|Sz@XuAMEH#-M6FZ8by0IM=Q!K#e^21_D- z!Tyt)KNtTgswv2U!W9(}kD3ZDI?z=_b!7|hU1oe?&04hQ`%u#6fz6d){jN?uuy@|- z&u2Ey?#w+_*c{Wj+|B5(^(h+;zQ zcnlV8uFg+ddEm}FaSSm`9J7kp(AZ03(hFi$Da8e4es!|%=}p$SBy!>naZhSCt2R_J zkfsyfuf)lwaGIl9+PZ@z!)rg~J#{R4me|!UwI0Z;RZZ>A z5xTf1E1BY@$}SE1RHUPEjoV|-^sd2OoE0qot}S!BMT`D&7I&tqN7T~~$IUT@yigmlsJl7DJ&%Jk z5{a2R8!7vBS7%9iu87O)^W53e)C6-;* z^19{!(48}rq>=fd(b9V;dXKX|lSSq=a;;t3T-UZR+06ip*uCdLq@zn<2~@f{kN9aKolexKmJ2iL!U&}%UCgU-GcUy6zKVil?6 z@Q}Xt;UWzd$HgwJI*BS}oYI-Y$xga#O(2m|W$lu5WW>33RX7r}$6uSu;{-a35zuzT zjCX11=>Gcp`dTr&ZFV}L-n~t@iYDAAYc#Q*kx$d+g(vO#@W_KXFDjDKT0?OisL1!? zhNhCp$;Cnbn7mlaHsLn@+ z^n`Mp(pb~e^4cG8I=^VmauH?}r{O5_hdwX9bjCewpL2tx4zG`)&NZ{S7e%wx3f*2r z;lwtHQR3_e33obLcZabuYlJbiNn9O_c5n#u8hbD>DJ)ro7fy8Nvceb)z{=LKE++EC zk}(5p28q*|UoXkXVQn|u!P!g5Nhi??2&4*POM713EMh8In%Kh10gL@!HTTz{ElQsK+dzE z{#q(2he!9|UC|)*MFghOD*I_*(maIQS1?d!=QsRyNE0)h*xA;UM(wET9n88z=Ganr z+{U)tqEM6B`Na$hF8<}Q%k49wH#vROnY%pZyr(TX?ZW)$7K`INds(;>O|{MyA5J*$ zJeB4=Ff(KEwSth{C-aTBU#PlqC*NUvL1l3GrOG6gzzb`_V_l-oeb^#m;DwszrL(o} z!_~>3VvSpozY3J=?t%h4OQ|-vIE_TZ0cwA=B-pq(t;-iW?(zj0b z)MmKp*lRpcUU_)h^ZB39*R%_+xfS<^y}2=@om6H=ZVH_hxS}rM3lChUX5w|^(r6B= zN{HFp!(KsLX5!3X3ArrMs*r+0C1waQ$xkla-cn=d@z|wLA+F6RAA>CDVR_b(3@|<=u%U z8t;aCje9SPc7vjJbNx+Re#-h3X30Ev#-KSSV}o-SyQI54ari)JFg;^KRFyq*%QAXO z#Vnoq^Gh~$E|6Danb31@#P3N~DtjG74u8B_cU!@u_s;q!`u(Om-YZHc@|*__$A>=; zGoyy3-&$PUq1i@b+Aw=V)C-EE@H(s^vnBhU__v%HO8*ewoE9z1$j|$$Ss=fZ-W$9f zeQa^=z-xhmtZ+l|uyZkTAEere+m&y4K3YH2o)-NzS?)TD;;d~mfA!4M&&4Z(w=5AC z6j(>$#T8V3Ihu){x+L2@N@ah0yMNu&yuL#>s)QF2uOA@e@p?|r77w-9*fbA3S>D|5ur)TqJ#!J; zRx^aGleFNYZR+}EHnwz)sg$r;ttN*h_stDpZaX-Iy#6l!N!F!R6pWU&cez-_$(=&G zTmCu{pm>AIqf6rKvVwit?fqq{BJ0_$+AB+T*@a^gKpG$jdPtdR21hEXE3*T52t6h~8Ev z%wmuelXQZaoo!_ip~(z!o#3IbLsiMR0Nh|wl2({ck5kJKeW;CF$K|$_%{%n4zq6{0 z#V}hz451CRaT1pwVn8+jJy7#&fqn;c{NCqBZTPlWzz2gql>D>i_u!Q!;sO~nPm?=q zLwg#7Xim`~%etUnh2HB0crR!0HFS)6uN~i(KzA?^?LXgZ%zt5Nolrk?|Ik4K_Yd&k z|Mw-6jgrT#4{aa08w`s2j(^*=6uxW0BcqNQ$OOYC3x}kupr|SNBkx)cZU4364cxWV z;p|#c{0Nc6s+!=(lzvy5eMYuk@hQDEhHAF4Izn444p(l&b6I-RN@#Kt3iPE**RS`g zsL7|1G^DDN_n}x`+bP;;sks4VrtF%UmzY5rTdAEby--`t_CQigjUUWo}0@ z8Kj*`Qhk~d8R);y`jJwOR(Hi_WMm|+?K-FxZoP3mrZA!2VcLsV*+%j1yq5IsjUsan zuZi85w88XBfEa6YE_F(u?_dp)G`wFSS!?#P%|~R&0hBOOtIHNr&&r;j%$k>L;|dqa z2rLTo4qb=wMo*hhi>T4P`jFntF7Wx}sNv^b^R${FEVpjj-r9DTk0!4V3WiKQl`A$s zZkOV|SqevVn8#l(H(XUp&(7d+#O5!5Oeg*Q)!6_mbfm126g%Dc>y`Z<`wQFN{dR1Z6JRnTho1s(in76Qn-t}CTJVIncY#eoFG)r84=gFg09(O5#?u z6yGP2Y28EyW4JrBmdwniJmVU?Eo*2XtLf+vgX5ASB~e^kKW6SiseW#*=?Pfv;b!c zBk+A3HQTO;NV6_)+3q{oncq!I3rc5(2ds1E=3B>A)!|A*%K-H)X(Bm0wJyB3*=D#Y zf&7fymuaWvcsZ#%=Uon~KE#KX*MyTHIdCfK!gThq8*wIs@0Gvxh4RV+DgE;(#WYYQ zEGdh5^XL}2yx2>f#gvtA11-hGGvTa?%S_qD-MzRZo=)hjg#2Ey zvefSLm@9)_{pn~~Nis!>L=H{0ip^$Wg18r$)d@7V4wYlpZ;9D&NLxl~89Kq$<{nQ5 zX41*o&oJ4HJD0O^cz%x<_lIxOay|PM zHsh*FY^V#Bo1cfX#WCI&kNb1Uee@Mq@7tnlEqi1ci^KdGzu%Wqbi*;ba`?2v#iTRZfplNl#qT|n!?=uwfjD? zy=vY|US3+hpdTkc9Vfei$sS@b-D#4+cQFIC*3@8sHcKnH_%x2fa*t+S->;LI6waE~ z>y`gF$R{_EXPdeZuc!2k*dP47=suAwMz88kD`UlBdTUu7`Pt;%ppYKNq5U zO}PJXqXT*8GG1dsDDHj!uCD{J#iVwIESaqnihkdgEhg1d(bj8SemLlGlBAe0oz`3a zHDGY~RYzK}-FZtEBhA^T&&fdTaajsA(rBonJLQDa?HjcFr1pW>fySK_3h|L1g(tyc zf6G>U$>^*}z0=9y);m01S5P$&TR`5B)agVf`R}*N`TKd*q(hvb6v4oTmnr?j4nCnV9WtXfIm=KiSE98>nDN5%@lSaRBz*3o9R|B-|ookw_Mw1!^*?4bxct82gx@`r=zLM!nmD>h)Iv_ z=5YJTOtz#fQG7`yNQ|mr!iwTyXeR!s^mE1yK@ z`BW6&cx`14%Pl;RbD~x6ffc2AfMZ!|@xe}?$D$OM(M)nO_u+dBJ8P&mrVGoC_OJxn zE_dX&;IYh-vILiFiX`SUbtihDpw)&LF*gRZ!X=ZcgLq3hT>w4AX1ydqq-dL6G%GBBRj?eVd44L)JZwf4RWV3V47 z{>Dfn1Esa2c`~VPr;|)cH1g`@+qxU=&UUl1kI$s5-}7TH zE2``^@mtX*`tF2QGMg1xlr*EmU2$#ntUzL4ZD(fjl9+p}*C}^s6yM%F+|zl}lfxeB zDcSJK2P*O!8N}YQ*ifq5BU)0)GR`*jJvkDeS+gkXf;^Poq(qUQF=Bx{Ofbii5O6!1 zd?S#otRF?bc-C}vh^{bExoTfQK8_YcmQSDzb&F-9iA*|I3=_1S*h{b1$<`HGxuD03 z7e!q<*vLrIK0;ix`##CNx4jFuoSYq!!I(!4?^9=Klf~^W*C#VEnEgH2uJ|8NobJy9W z#mc4m(lk@r(n)+nX{s*_%=h9nR>Zu? zP~5|H8V=2NyI_}7!wV1L(7s51Zi;EV#m=X)Gz()@Q;8+C{!rfhst&QrDjLVBWlOwj z{X?3`1&l!$Z~H(f`9o5S^gR-&r%1HU%&rsc^G&$$C!xjx0nFv`^Xkd9BF@H>Chq0r&Pj`S9s4)1usWGLn= zMmsTQvSQZFI0MgOU z)SCew1&WLN3tYsu6ZQmvUUPGN1HV0l))})@<{f$#26&H zW1j}LWMX==bm~F}28ZgWUzqmSQZ5yZi*Jy`U~lWZ;eA^g6JB5IV(mmhA4lgiG(rQI zv1sBUzvh{}RbiWT&h>W4rQ$Z-PtvO5u_d<=l6IqsXdnHf{+LeTLiNHH<+d7eEy-QF z4Pkm&dOhUhp3?VSk372ZJZLB)zYbTTx!Udqg~DWibAPnjsG?GtKs-dB(UHI?y@@7n zRB6bh4!4m*A{Mo#u+T|KwY>2Ar;Bkpntz4JCvJ)hJ3=-|wqy=>r95KZmc&@Zx+SYv za?R);0vF<_B`t5!bvnWRlz7kqfoguKLwv`pmaYVMExY@F*8CN5dAUuU{p1kM>_B!~ z94^J5a)(i&9tQ|b@6 zP1dMS{&@23s-Qssuhtb!U<}wRiNsi0_)RR%PKFr6%%JqghT;=BtNROPojV$s&*SEH zwsl8X6Nln5J;*IacRl3PG%%g)?;|}!exU6Wi<0Tjz>#W^4m~5 z9T{8^Mal=uDZ5-uUBP>N_INrow%%Qj#NCx6_T_kz2}Lnp=;SxaK1o6gez4X?Ikfc5 zlb8LCT-=$(w;KXsg4tcuCwzE*r4m@J7K zw9C5sg!G6~>{CjK%}eP^)*ZbV;eR?ZmD^myU4iY4(GNc#WbML$^ zkyw&RJX;EGz$xN#OtERsl)YOo8~d2$ly{3foLRM~@5#HOGvTXP&sOSCG9D1W;AmN) zD}BuRxH`nVBJFn!nx1^U*y;|RLupm@#*1p;VLd zOIp!dMo!v$vCc}RbJMF?MQPS?WtJ%^FWxTe=QiSaueZcxy5P)O;^r$-!h3pzaY@8s z1ztTnB~%P&m0I_h+}*{~v8KwlHxw&%1X?ewXj8R`t(+v`6B$^$S^EN&Ru|6BB+?q& zdJ`IGoHzM+tK=@Nw}-5mHX13n_T61`s<@5T94ema&x)pyhL%d^1!oLox`V+cH1|~O zxfPrmQcboYniE4+Q@2AWzq@pc!lPkQ)*YJ;b%!gT)d+)VdU=7MEYx4ReN zT9$_#soe1@ea54+j2WAm3oH(B0~y_57_yucX6<~4m`8Gc8XvOxw)Ojclo3PCnY`v_ z!vW!ai46nYWd+VwN$kd=-$e0cCq{ueQ=-a6G{Tv1Z#+e}SHcQ83ewwi64a|M4+1@mg3 zIEC2Hd>iNyS>702@)#RiTN~LoKqGNuS$2uxZ`Sot3q>41ve{LAS=T;MhBlD1iaH9i zi09`Wt5@LNkrlrw&dKRWOw8_&He4UhyZq_hCwlW=hJj z8>sm|gZXLb_!d&$NlTYiiGFLBc#86jXe&)sNj;H&W9L!Q zv;naccjNMmBq6|IS{=y5x?k$6XD(Spwx4nFN>zd7zc%cO63 zuGU^V37PA5^==*ecsQ-7j=3lj&%x&Llo~~5c!%TH@|6W|51$O>#061sX#pCzbTjH4 z6}lvbvMA&*@fJnD;(ZGH(9p_MJL|N2(VWwm6*tAH9FE()GoQ>7GUYY6etO~4=bwz1 z(0b0z?(0~wXo*g>#oL^@Gz-tl>(yz&Q7jd9y;%H|NubTi zID8{)uX%&4@#~~*X&vb2Rf=8WBG(tEeku&>XwZ4Ehq%kUO($RyPO5(SPTg0R58#e< z9Ahk`)a21HwY9a0TkrO>Z~>U`Ar_5FA@#5ZnoC-r$!2RqcdfRf_bt9q zwZ!3=y;qLR>*$rY7dE!0RGfSqeMPN$vA~8I&2D?F2c|MxW-3lU`Ii#GKS$YQol2DW zy|^@X){fE>%HO02Gbx8uCFH*NJ-cL*Yt$&CQ&`<883k_3Gj^utI6c?zh?bkD6iuf@ zQOWVWm8t#Pt;$-74vDG#&Haz!oz@sHGBmiyQt6vAFIJ1YCq3Op8^hyJ-oa+<-#mL1D(qPy#A>(-u0?_NGNaK;xJxCJXJ>bLH=d3C|M zv&H(8mMm#gplpur(8yfN_!^eosN&X=c(1?doRR`XvA&4LcBr@8A9-l80HHBWlfJx7 zI2;Uik&o{?Fo#e#gL|f~A-Sl=Kf4h_n#LiY-z&RH)HEp8FZ9ghwdN|cNY^(Z8y1TU zyvm5D{Do7heHl18Jj-_zW<}Xl&A(#mCdWGOZZ3!lFf+vrukM`t&V$GZ&11av9LUOe z-!ZR#btz-@427f~-zg{G3ceKzwUj=7zAca#~?9=ndtd1PVx>^Tze~6oS#z5Tx2Jt=`f{KQaqX5lS+@EujfQp8&|qt z+BCVu(Z01te3y3r!_bCvT67JuFY{C8P&PIjlu$GJqe%IQuj~YsLiHSN*M9!E$!u@V z%xJ}@61}t~wAIVDW{J-3opiA}U*e#~TFmv_%Ia2d+tp&JFF?;`^@WNrJs?gZFPR%( zOFOcS?zx#-Fg3%p?qkq1f%v`NUnEXHdJqwQskPJM?B!=}bxL18-eDYVj(FjDZGnRv z>vh84i*7|5d+3!0R1I6L>V9=&?Vgf19RVjNt>x+*R}G93Cd?jaQ+4;U8%UOP-7s&C zin8JYrPqERQ?YuN&^31>b{@8VzJ8vh&TPSA!QL%``}W2M4GuS4RbP8`%F}bnEKV_c zsX14SL|4KTf5K1SRToBY4W){QAGXWC+-}#{_EB71o7u|9W|g4TJD2Wb>JeM8Up(ZN z|D}>5R)yb>J)N5#l~vT<#tzwMQ`ncBw`TqHKD4c`d6?m5AyW2->fv>JDx22H34!W=o-$pn39}G1opCN32s@ z>V102aDPq3p=)gCfz!*^48}57hhq*gSMPBes3}vho4q8}?QucWy~|vU1a<4>eWK59 z^tcJ;?8=g{eWGrwo^X~rWOJo>Wly%DtB}g-Gn0zUm*Z}@{XOsIdeKYVu5@nF6_LsL zgE7Y&X5G)1?MJ&F7@k2m^D?99%DZ@01oH^x%trquS53prm7Y5dKij?&b-XBnIb{V+ zMk}@M^42iLM9NjDp0@+_JfFFQW$;|Wh=212nsoTSJofvVs2@+3qr-Cv(CWkA<`OQg z89kTa#XstDIBLt!)`iau#sC}@T3z^C)HiwNvsGmO**y=Pt3Us!E8wUj_Fj*1u7hw? zX!YR8s5@rqn9p84Yh=`(1ipsF;iyd$I9CQ76j^EpF z0q!>mDC!}d@uCWp3k^Y0+lu}e6?%5x>K~8Qu=B7FCiwgLqUGfj716$a!5-kLE!$l2 zp7!9ecxYd|y^o`-tfQ|l#s?puy={$xuB(rI&^|v$d90d&m%Wj)i;?Lji#3Y+;Qv27 zjst!!-&VXcczy_YTH6GlH}dN#cq5+Vx83sp-zWKria@zx+CPKOQ#8M=gfnu)Ly7)) z9ViJ6!x`!MD>tU2%(dsyRiRh^=_#5}Y*+rVSHZErAoKE1vxwj+ns9yd(g(zbmV|@n zcfOdu&}g9_h_Cjir)Wa4gF$RQb=_ZZ?D02)tP^6w=Ni={-f)JHosQZ3Joq;kJuGXgVv#mtuTheRb*yHcbQj&)2*_Znfwr9-soV^Cb|2md! zZ4jG}?X__1x^d5Yoe?||RV`zwgQcC_uC{LdJE;y}cRty5#z=D<h*5i*N3ASYl7`!tm);25q7O)Kc7XWL$Fl9k-}ZXg_W1v9+&UpH zeBOS)o%eGP-)6M!LBK68pa`%>S%s#X|MA*w74A49GC( z7?ov*ze&Mac5l3zL~!RM6r5!nf93Y~8uWWj0%h5qA6aINci4*eCHVU|f@jVJIboc% zmA7GiH~Hvo#`??a2lzU9=vm3B1X##8xI3sD`PwM?I=k*PCwN*Z8#wISs*J}wZr0to zKiJd2T5h`oeut%Vhzo9?iP{!(e?JAAO>zcm*2bQjbmh&x74-BS<=6UYt0*cdD66Te zs;MX`sVS&|W$FLh2l}7#G-D`3UxR;6Z70Z1=opouCf}st3?1<_<3F`Jf~zJ8z!@6& zD?`7xI^SzwC_}+cTKJK&{CnHb;|l|n{;3I76hVL6KV%!;aE{!jRiGz2 zBQ|yXwqMB7AM7qtke4tc1VFos;=8@)zxVzYWd#ML|L5CV ziYg1-c5N%5gB>0=+tEZ`-1ah^{96Rd?r#mwQj`yIT?uz{-ql#VCoQWK>zK@0b~Db# z=7YlHeiAS1{-+d+c=<1>?LOz8Dhq^JnN}9AOS~{Sn-u~UEO#Z+#dvRwH{&$X@$y1( zNu|X%q=q{l)V$lfH~tcZb9AP-dlUDVs{Of$0QPa}=b4f5RaDLtuQTN@Ip0)!-(+?JYPiB(bq{1v zTCSzGseSEX9r%E=Jg(%)THNLawi&a^rS0t$N_2#3uiBNTtf}Xw&NOM&Jh67gDk083 zB1)=q$6n#Y>j!gdHm3LcN^3stLhZ>B~qyONCwIUB7h z9!zRaWeN!?>~7uHvUe&pWtg_J>gixmzag%nxbk#VQCrDH8-ipT|#7w!i0gW{ho{?^0daqpbpxPaR^&#eV>BiZaU8AI|3 z>kCcP=5$`C&x`78^VwPGQ4hhOrDIX5 zm|!-$6U?8cq3y!x;hJVz0hh_MEiEe(KP6~T%Of9TOq2*>x_p&+c(iLV!~c z+XO+ncNGj}OMr9>hrq&-$$R(4Cz8h*4ZJhoDulG1i!(;9MpuIkeH3v3Q|)qb6<#gV0`&S+pMO}dCR zm>gX+Kj|BzRatQccNeuX@L*t^V%P-{@4;uccYZ1#%y7$3Ni0fhn*8CyRXL^+NwUIW zd-J_-PFhpWKa4OyXJE2!b-&tg;8)FTZHh~!hUu4_`+LEl{p?_@)rU#ndh0q)dvsi% z*Yo93Em6-oVQ=`kdscXC7Vb=UPEAfmMzxOQ=bDcAtm*60s_ZwvN}2Z2rDHIRC2@v% zCArC?pmj6FG%>xS`tY93bhSCF<~FDGrfKYIbiv(T*=Fg8N;=EM91&5u$6o)Y=DskI zT=!JxtGbSBj!Ru5tvG3k*pidInE`bx_D!d#A84XfN(g{Mu!nfhtedFiP`{-h zN>aq}v9~r+rUn36?k8*y42P9t4DGjgPpe)-haFL)M_Ki{%e>MqED|7E2zjYox=+oEXlf9*wm>f zLu+GW*1LjB8(iBR&jjo-<<>V@6GBe9tPpQq6ox$`>hh&|f!wU@YeW6y^x#v&??a<` zD}wfWUr{o6zdA{zFY~zQPXDvP8l*!-hLB_|tZeaBKSnXRIoF9lv+6m!|S~}uRmewv0Gb1fE3Y239 ztdPTYtFPj$KD?h0QgnQAy#DP;*LYs77dD3b*{&j~vtQ3T)K*{?N~@87__>p*tT1zj zV-?MXQ&LM?l4snfpDoto@!_&}$fYG!k*%h@YRT%w*_FoSUj?cPKL@=Ob{t;Sck3@9 z$`-=TfR!mJ%LW^nA9}^pHA6+#u3R)Ia7yFFHK(@6i&G!PhXi5Q&xwyT@V_)YJuu!s zwBt;HcPp4l-@Nj{%J@8+<}bq6P_4q8)VFP_FXS5p1v;{9O5!K2Ye{eSxu_Jq|NAzUcB1v6z*~bAnv2HqBnlHtFtq_my%`%*$vBPbM;; z|C>_}bF!tf`f-C#R`Uy^avp?R+#pj}ePJEf$B(LGe#ARt27SCaM4_RN}Neo)On1ZsXhdxvD;y+g4-YyOYPvPn~Q z4jWH8_#m*3JjXT9%%M?^?jW z_5RE_^;g8-)4y#<5O6#5AJX|MP%9;?KS%9FgKDOld3{U zj$^C#=HEZn7K&X#?_d}hcAM_fPQCA=u;iWe&MwY=uGe-ee_PUrTc_zt zxnf`6vo^iA&yPGnnq<)y-lh;xK52{A+eLyby0!*cX8PNO7ZgzWRl0!qR}>bR46 zfq9DflK%E>-7-08<`ccJ@Uzwankz%3)U*zKau&O?x_lBtZEL#i0|*a z=v1JGnk6K;cwl82d4+@)>dmzeS6+09-^BDQGFOFP+bK8XabCG_`}X1Ny)S!B<~l4~ z`}oNMEsH3fhrMU!f26R3D39g|^$q)$%)Zk0!s%V0v~)p54ILB~r zPLs4cvC;Kb)rROC1KulXE|$>-)i)7=v^8dr$TL#skE!)DlySr;}cXxLW8r)Wb zOJL#d5Fofi5`s&DOCY!t+zIY1Y+)bdoW1Wp`<%Pa{obp0U)8Hi)%-`Tt_3~E>>k}c zTBrXKp{|JW=Zd$iZ};1GxvZxdZPWa>A*T{*Nv0Q1!LR@yl3DHU-K?OtrQ(H*aMYEz z>_)!xF7~S8BUbp-2ML`;3R~=(k>Up(mjs+uR%Da>kQzC6@AyC2U^=QoNWZS@*t>+ea~Q^<1_pBY81Y;+z- zh_PNJ=^I_bAJ!w%4G6zU1?Su(&>ttOQB;cd-~#R?n63a(GA5rHkzAOsw8a_p*S|h> zu9b@HqIL_4XNXerW9A$}vIj@ICP)}8ob$sOFf3BOxRjrl-gq~# zF3|5cd`>kI=nBRZFwj@8HMVfM$vj=S1BZZMtR1g%?#a;Mrl!oO?G)OXqPyNFj>43$ zhrkB__3R_*j6lhTRqjZB0w=LHpMsoE^BgRA_)se0g?D~hLl)9QNK#irN$BsJ=`SN- zg1@l`dq;GED*Y@p!)&Us<+H^vtx(k9IeW1sDZMr4kVVPW2C49LmP6jPd>=?}L(0jb zcgbKW^}ewbq0}v;^vc>2>(H9#bE@|-(EAiaMQ+g{gj90=rcMgCKK;bka@_PHysgl7 zJX~btQ5ayVrrXE8C3e(f^!&bD1P8dAA2)ZFy#x8nI#%!@|@AE5B#~<81-Xov(Yq6Y6 zI~ebC-9y(7bLCf5AWw=tJYmxeeP!F*hr6d(d=$gtL6m&Ifb&CmCt|lNSJ{dX+MaHK zP2QE6VMG{nD(&-o!~2B%N>4q6&*#s~D6GgD8^lxA;?MUR@+(j?C<{wL_~)8Ke49iP zPlOVQ1x$@ZTfcnAmG5oJgDvJUpNHtH(uuM|6Ry%snkn1uQ#FcWdO2$z0n=EpHa6H; zU>frpu6?+O>+{%-?E3rO2GatZdxuQaX}HwLOYlnRY?4i~ocy8%tCYV#uxxTQX!a?RP@KWIg| z&(KdduQ0Vgcr;|a^Jb}tK16-Bs^)wW*b`i+x&!b(S+}O^psq~hmnT0fg%4FP0p9GY zl9AZ~OzHIuRWwLoUe{oERiX_+0mCc7Mc<+MA=BT~7vawTgr#NODTXlF))CJ3JSe(} zN7;EiN88S9(r-z{#Y;>8;lo#+g>ML&zMJD-X}Z0=ZyTl;lX`qyIx>lwh!<r^0o9XvJk7V$jcAO1e#0!#LeI@Tv!Kg z3A^-Y{5hzAGY3%Wp;0nDXqPqJ3ERGOI<;8s^U*%?U8QIS-rr$kfd6nc)E%YC= z+}_X3H*^+iijGY|ADrX^BlC*(f<+k=sxaC89z~FcH!_S_f*+rnTZfil9$pc>@a={T5{){*gn!s0A z4#FnbfFRP7JPxv+Hjhsw=uJ9Hsez?TTW}R} z@ixW#EAb%F4Q>g^j$H>#Fa4+wXB;G#Cb#b}h(K&&^Ul+3yqY%|U$@P%u!|5yPv|Nn zO*(r}rhJiwX5m$L=w9g*K|&Uu7lpOP2n=32l}NWbYC+3TbUha&naAtDh?gJg>h%K0 zCRR!;fOuoK4+~n{Hw@l*ZvlksM^cO1)jpEK1Zo4UX}=2(ehVQbBce|2TwfAVsp~bR3yGQRAIb(L zgU4Wup#i+8%e}&yib5BTx%jEFr|y6Hx=>#6;Y7?A$G?PE>y*l3yj@zjB)=}Na%Y1K z)zrwBsdkltfy??0hyaOt+SH23iCVam&w2SGO>H7x_t@<21MNxCqfG3*`s@I+SPs70OTj2Ce^j6CDinuTUQF&!Ie>#6O4fsvM{g`7jW_&YuAt zCV7qX*(xyYk5>OxC=X-D{Hv{_jpq-c{Br}3y9o9r>+|AH^e5rNe=Z`;QXEpGyyaDk=ObK>SBZf%Cbf!2VQ&;Qd=k;qT&Onoo;ipXJRgyxpvx zK3hiH{As@`6+1tdH8(G>0QW1tSC$-t>{O^o|0^Yk|LZF>|4?xGP2lY}6)j%=UyH^5 zTQ#(f{F(0W2kkg+4+@vEeXm3nfscbN&QbOXz~gw&UUUx+(fb`fRsYBBX>O)moI!)? z7WsDfD?ZiUXzSaLUPha>1)qO7nLPIPKaaXR^Kc7tzE`@(Xuyrl7Q==GmDAw6@y?Gt zz+9W?f);=2rJ))t-hn+TCOMS`$A-)n){zf$AMK-3)xAYDC zcDG|)uK2#I9B|Bd;-Yi__2+LX+eN`UcDn6LOAkTpFWE$!&iy2Xvb8UmE6EQlmWyGU z(u>6&c3Z=*a*nVWZtQ(E>z(So>dI4h8irTu7YqzuGLx&E)5a!=PKL!`CYt>iAwT5c zOm+lc7F7HgoGWxUcK(~9l|zAwYoop;zPGEV%V~xF%NV`E==h@|_qKsrk6YuW`_1!} z+k>Y`{6{`h|C_sWz3*zkM|#tT^Y|JB8KZX>95uHV@2ruW z#lF}5RQXhdgXi}Y5f-nVBZ@UjoG#?eun3VI#cw6##NMyLU!5yGX|6p&5>B7Yhd+VT za|9YD@Ry7S*DshH|07^MQxDJF1H$;<7>K`hIK#mFf=TD!Ve;3`@Sl?r`hq^{7$Q6W z*!4@G`V9$`{dj<5s22kIdG)@yAQeKtPRL>k`!L!{zzY0NR#{ zLxCAn zXILf62199>sp)Vu?@CE~sQ~3$9UCTaRd`K!dU(~`f1K&CBCM z4_Yh0Rb~PX)PcD`2T@S5OW?lhF0pM;EQYp(`$4)gRes{bbqYBYukj3OYvac#+WJy- zw=hexrkGkgRcb(ybnJEcI&n}b7cvwi%U#hU@{mUuUnk=Wi}S2a82zfUnw_Le$WN#6 zB6Caf^c>??4efn4JwEwvnw-an2cu|YSTJF}v@h8|3=sNByJP~GULE)ke0d?~oOa`V zyCZR;F?_hmMT7;Xjfc7xn3yt0!)C`%dw9`KS#71?OSKap zUG?h5pztlt9&F)3l|2fex>3&=`12xBiEtmpihCVNqG>6>)JAhZczGnKaN4^5Bt(F| z=aE*Ed}+>4&CbL+{)2pl;f!!HXqk^R@rN?{m)dl!2nhLFi7LkChYk-RB?Ym?9RQb8 z3WMTQcD672k?&hn+s@fj^U7_bvw)s(q5TE;ad;d@<}(kI=W)?6TM2EV2AtgGm1D!G zrC>mpCWcuKZl`B}e-uD_oS4<`i%|B`f!_-ncUgAFYpSaw;sg%{IOh6X_Vaz=$c5$s z`DCfmm4aH|C|<&KXZm>mtbi3_DD=Z-B|nDNe)v2OVxi4AXUab4>_ZM;cd^!Obqa-& zMnHVmZGOUf@F1f5RqZr%SS`E*33=Il*kTi2?kcpTjV^b{V0~#w5vEB|Wubr29%*%Q zvn2oddxC+H@E}wWj^EBgK5wR8G&8sOo!^Y}heH$1Wg4d4?pST^7Q|^wT1AD~`maG5 zF=_M){>Ax#1E@Stspve?1GUrK{SH0<>&!mmx^>y%J$s%{6?qo#G%-Tl;vdlOCBy)* za3%rpP?brAUH%03ZWJwgWnZ_eVM)C|$Fv>t;7*(bgyWo)hJhPrx;OPbFHZROtA&aU ztv}HLE&cN=m4Te1GsHxbc@*BD8;HmzY)r6ovRkG5^i|+i~#_(6KEl5}W z$ehZvky@9T=JhrByq8R#G))1(jgWw<>l*&!t?0loJE8A3`0gCOwSxf2;KOoe*3|es zs~wTGuPW;V18Znvpn{qyDJsJI;w94~cm(lIOz*D_YaVCPy74rK1>_Lu_un9@+Yqf# z-92U=ycr67sE%37@7W*zGE;V1N>!iCqx`T_;wlR*-cUBN$)sii~8Ul^q zp7Jw;4Ae>& ztd@__f$&~n0# z(U891rM}PZVjWWh({bX8rg85hz6=mq$Iigmwe4n}*OQUh2I1>q;e+q^JvVZmWk$z3Z(_*$ zG?+iL$ynTis)fI|Wy-E*h^$0R z(p_47_kRt`Jn?v#y1rbhl%X?FrG*sIR_M>-sa2YCppT&zFW*i;k3g<*OeV*^g2Im7 zda_BZEnwZ{Rv`Uqj17dV79}{9B%6e&1V3$ zA$p-cw_k8Jd`Uk)8Id;@@%qGO<~2U01p-rn;Mj-_^f_TGlb7qGl;G|p`jkSYT5fJm zi+~?^{hI!JZm!5H*(7K9zT%}9t8UgaZ591NQ7iqGVGfz zzx#1AKRcTw*{OD=NDxzdT;i6OhN>5wc?#TB7LOtr^#5UW^b1cbjZ5d1yrxWuYm);E8KA%n{MY^nt?AAJyCuPdOLcnLe}eAa&Jf z`sMcIzTJDZsN$Wi*pv5peodEjiy1)LozEi3&>FUCT*WD+jHe`9S8y;Ragv-#Xty$& zaqkGftbm3oV)YGxB86^ZLkbMl9v*0D1#nWhD{#urqqt!d4Qj$LEerH21q^oJI6>Lm za^u`ukK&vZ3t>L#YTH`3INX;dnA;gvk%5o88B5MR7!jVcH*3q?=O~+aPD4m!kKyOl zO6_BOqM{Z!-%79*qlE92{DY^ycn^L*;^lhbSW+6giAlD;IjHW}`w;~q8`mra=BiMU>K6eAD{1NKXI&Kw7RFum1 z>S!f%aiSoTmGsfTS@wIzjxMDQstl=jE(4)Fcvq^2ZIz|#1kZMH;ejd_cRy63fUhLj zH#wVRzq({&AzxB?8gH^ZOULOPGTm{80t>vqR*0%kBE|bSAKb`g28uk4f%T)nbmND9fcjMv(^*7E=TJ47KrG7z^kT z7H|U0dhW*cm7Vdkxi{)Tu?+9+;OvdFjzsQ2lZZG%qp79!lGbNnY-4ZN${m)EEQt1v zTp6_$QFS5~z0OC&F&a;3N+0(A^P3|7d4sV@?`)Q{L{=wv(H=P_i;}^F9Ye{{ zo;?Nl@13yQix+Nlk&^worCyyyZ3g;)5K(yrS&2Gc3e#Nde4sSE2!9ccJ+-`_Cdbe2 zn3QLo^ZD#lt z|72l^mwXsD<-9!f=@SllQ(RNkf(MDZ8g zj4(KpX~@9EQ7|Vl=r;z5S@XHJGM7xpK%HCY3J>5XFP^85753z~O(q#j%1y`KjT9!N zvF(Bx{Yqbb*;ngOzFk$Vul~HV4E7K zvkH*!Y-KxBBq?pw?sOuH&OcLWvhnrIt$`b`6VsbL-w%11IU?_l_o&n?Mo7vi9`#{> zBxj0ROuB%3*vsFsy>{(qAs1aXd(B;8lve|+wJMp;i+RP>qcx^Z`#G262%IR9CWZ~r zsn$VaY#1xVS&#yK=}7T{c<92V-xkMyf-zn zP{2DX;G3QJ7Ax1gF4!y;aZTB2Z%*(fZ3^{Dh99Fd$tHdH1^ zDJB;L+c-s1I^5xbY56_;6%^a1rpkFe2OqH@Jw{Jq1pd zE^7qY6sh>#`?~V5oLq&FnwT^2l%|9mg9@RXe^fEfpcW_C7>ESJajsx1lfu}3ql@ni z%q50YbA}K;g+O-y#>7e9FRU>olWWHY8M%9C^m?5FJ_%eBZU%s%B6=$}^pbHD3o-^O z_ds~@5ho)eY(O!x`bXl9>7@G-MxTyM^n$kv`8T+C=2&S(6l~|2TB?txgywR*w)!HL zPkFj#K{cKBPAjS(L!Xtu%qfcmk^T`LLYFSp9(bL~v_b$weOuYKTRv-T1Hs8djELp8 zbWc|H3&D#y4U~{g>)8~`5pRkuaBCH+Sy%>%L#2{ zw^p5>8-vjYqseq+DpdART0d!jcva{XB}sMsUeu+IqLJ*I`rCb8z^9K{mOR(*2xrg& z;V{IzY=eteV!N@6ClDvy)OjVfm>ts+uuHNOOR%m!rq{a?Ab^df!xHn+Es?IHV`mq| z9pzreuSdNcLLT^0RNzp6qTp+!XVona_|`EN%+U{DOKBD-MP7nbWD0vQ)ILrk^c&FO8{Y>-%Z38i$xd{}8+A3gWj2!Hr2h>VnUPxD9~7qR6Hzn149VWo5;0^Llk%>cY5Aw-@M~ko~_1I_7YAQ zT!N1Z+~Ijet}qfC?gfT<#B`kess_K8TdKVMu6Lytp{8XB8p--pRvS=N&EXc|3J6TB znh(DmJxS5=?T>``P?<@~;e*oWCeXuL`P~=CBnG79Gs7AII3USJi>$fy7O?4jqLqO) zN)6d;x`*}tU2TmIakh9&`rz%>6SZ@e?i11E>lweM8m`6S``)#xFFiJHHQ|p45R)%f zH6Fed=8O;}{?IEaQs0qM!s&gNa8S4RaS>U8_oc0{p9EzbWv^xPaEzMBoC%-zaC_xu zEbiw{LNNh^j2k?ES|d+_*qMA9Z>jNsgOvl z$R?T!Nc!De)3nhdq4?ReMk_J3cj7q>I_Sr7or;T+I%8^4NJM@@Y;25H0>iSXustvh ztiq5-8YuFR8u#b>XwcUt!~NpU$!r|Mk)f4)%&U6Na)5ocD^@?ezzDa5bm243>);z+ zlBRcW2ah4R?$2dg^nyA*rY9wRI=42)YDDysT>2V~X}Z|BV_DszHWiaNs7RiX2#%=D zXa9UEYK1MCX0%cu{Y^WJux*6=BFQ#DGMg%q4Eh=QmGu6yQo;L6<8k&kkFrB3Q|dc=p+@KK&2rlQ{aOZ?OS;Jp6(&0XW!SAKWs zA(r&uo#hypF;$X&MIBNMvIKt|l%zf-a&G{#vw2wmCH>;iVx{^jWig2wC&fZig#WG~ zp$USaz6tFY#knJ!oD__zfE`K_@DI11Zg9#%dOVH5i*q|sEfYG>ZZ}3cg9a2MDc1Il ziuR|CG`TbxDZviKwPAZQN3#}fVoAh);9aM{LtzEnL1B0xKUIa%O{U;+nG(|Goj!8lFbRpL4fOt~}y}h#*w?%w-xy3>bHaeDq) zUZt_@6nQCJ4)NMY{30lesp38MpK_YqbP4pkj%uR|a$v z@Ij$&mntcRZX|NGry)~2h761?dj>HZuMYTc6wO_WQu`nu#ZTy+>du6C$pd}b8n%P4 z?yYpAiN`nA7(JpUN^8|d$;BlS-vv}U7SL0%`q^qwNkN5n8)I3o<;LXsyI~`(w3Sp5 zqDpal{Ehb~Gx+Ia{qfaW0D=+sAyN7@kXZYgtE(6}jxM>7M+#Mp_>WSl+qN85QRxI2_QG`R5jtszl$G^1s;Vf6FhO zy-T33#E7aVlEl$myD)%>39CBwB!`;dG8n?kcqO2HPS2O+EET0LoL(zsfHRUhS~jZd%0NYqqa1DkZ}{U)F16J7 zZ9pbw6Cai>TLv^Zg}f`2-powWdBlC*e8&yhe_7mX0`RSRJA^3}Ug(-_XW(^mB|#+r zozZ49t0-}X1xojd2jr568S#=I5gv4IkyR&J!%f~orrb;Awg)?`U~uV8>I#Kf*hM
36Y4<(4NQS6da!ljGp*yBDp z9u&4clLw(MW}MeF&A0KsC%)}(mUA`C8b|}Ze{cBSnJ;$&6{vV0!FRbE_xAG=0>E}b z;RlXZi6}DkaMdZpt~(!IcC85(-$t4>R|cW|C{an~*Hv_#!!hwZkD<~Wmw94Aa?cBm%`J8mGCVG2$HW%maUO?mh>De(AM3l-{7kwwS7c)``jHRE zbEx3zGS&3dC9rVg!(m_zTYk*)jQr+L$p04_kG#J$9yxwP{-z`5{OEE~O+t|`d~^M! zA9gr`*ajkf7^5S{_uSok26#cRKKnA9a%Uf95>0Vvymzut(Gn~r_#D?PH^!S-8%3Ym z6}6Z(KQC;tR;F@$B9`{|c-6OD@2J}U=+dl`P;^!HlGlR1(X|H%kG@O51{Nplm`a7-A-bLqC6`Skh;MGW= zHN*%5B~S2-t8YN|xP?6mH%e-_&^Klp_pUdOZ0m%H`AcY%i^SGM_F`)k@(iziOU857 z-LzNHJxgm{X%JSRH9e#3#^4q~lXnkaGc*kmP`Hsl_hMb|%k?BpSACq2Yu-#MEqA$9 zfaHk5ip7$yu^Z%ox-$6Db(^_)eo&L=&!Hk#VZZr(e3g;si>s}V8(r@yf?Y3uS zVaYcSt=kGe51lxd^WZun@>Sm5uJ0YjzEtj4xD~(Mu?;$Vx^jtibRp|Q6&k}S1uMo_ zYi1e&b5ZJ%-M3VGlBHR`xQ?E)`e8eodolb9oZ&~*!zHKs=~X${7)d>?-OI8d)C|)V zr-YfDgqh*bq(M0xdYqWjbXvOj1_BxAvaiuB2Wl4}nfFu8g$Vih7W=*if9-h$O@%x07U>>V2DVBK!j2Aa?}rxY$8K)|*7#|kJc2())hY2kU~#I2~#1}|{DYfs$G zJQgf7Kfc5CtZS?dj&a!TY0WfUY$f+SU1l*^jBfn`jK(i4TW-JU3C>;-Ic&Y!9X|H+ zX`du7k5+8FqkQ!L$}DroTT?h&?rVNmiKk?6X3l$`!qebizL)AA?>|*HW5wFW;#c;i zb!hLBr&vb8JdqQ|D8gtjtY+|zCXvM9t8paJEkv8~bPxJYDg=s?KI11}=IAN3YHABC3HHqJS1|O|-w~6j zt<9snjcmO5G_%*Vm)k&_U-yPH7?M8kDcz;$ZpN*YyUHJKbCVbd_M4|5 z^XulsBZYsa3009Vfnx^IojqL46WfQB^@Z)SS(v2m0~Rh2r4jYC7593Cse7pkscnfs zMue4!X4N@o;F_qTRqa@0N$#!*GXMcp3jQcx!`Ah*R>Sis5Z)R3r**222l!x>kvphq zQ?*UTuv#73uqUF=6hp#CURHr2xiERXgV0QvdYReTS-z=gSdWVVIK|t-wg>ky_kwVP&(Suj~E0ix}n|A70 z!O%ir>GKueSBR1+l=7yPWQl?3qFRGBT+7?>^(**<#WIz=7p#N6CDadv@!=k42;Rn_ zi@}Vnb&y4~7ZM7UzRiNxp?73b7KPU|0NB7VU);Qu@2`h5E`nk_CNWs3;y6V}aMJc1zQQMUpZ@yc! zhxsheCdcIh9VZg?F}WNpvi%udipR8*ue*_$ z>pxU50`$K9R>45ifq-ZqG4z08PUdu+-Zj_wocUJQI5dl?ZluKN&3kxL27%iZY0-JQ zV7yy5woArjbW%F4gBz5EzNFcPvr92Yq!PWsFzVxj~V zxp_;7i@Ix%Pn?Ei+F0XC z(Ha?8<^bMEZtcHE{81_RMamku@eNwM4b4{@1hhXy^-G(=^pl*ub}I(#bo&G6ZY+U8 zU-c^OO&P*F7hfc4=D*Z|CE*5B1bHetvi14eF8lV8h7Na&%N)S9@{V0iXF0NZ+sxqz zlzbBG#=xbV#sURidcQ)j@o}DSLeTF%3w(<$r(y2G#t8|I1W}P|ustk57f!#Q#m!w9 z;#>1>hNzJXP_3+>hGmgQc05ls^UD=0yh3cMCxGcHMdRM+t;|QkW$p`*Sbc=K4hu{- z;CtFEmR=tpz zx^rr_%y{X(17=vSs06rGB+1E)q+w2*ZmV04u&=j_ghy(K^rUehHh%Xor{NQb#uX^z zn}|bE_qjl|6dDHT4phIgM9uJL;OO}4D=hfy3J?78GW{pO@v9uTZ~srg5n!0FjzL}g zk5?G&Q@|cwgXY%Z7m#>GXDCPk0#7}4pB3fYWvY0B5OzU$ zzTR+w0`4^_m0QA(qjK_4H9>$|e;C~z*4mC|rOB%ZYn63X@-}?c)P&>kcYd)af~9s# zZCJ(J9~2Qz(Q#pK=ZlOdwg)dRnE@r61?zrYYK6`ByZ63V)Qo&BZvX(pEyC-XL4-R2 z)KA%ynlOy@5fmT#^w;l?LO2(@^Af%FJG80S!7W z>24?jGuxzmjD?exn4O&Z@QzS{+s3CrfW&JYA&n2Z*UkavZB!WRwJ;4LXF)5wDo(?C zQz>N#%aq)Hkyy+Z$(8Y5dZVaXQ!TU*wcx1PG!qKl-Ap@~eOYO#bkU?b>v)`ZSeIKK zl7&XxmgK=FWCUfep^BvLL&--y&z4@kzqLMzVGA@JGt-$kiXQKv55)b7D@>?|@LFvr zTn%Qm^sMtUM8@gHA*B~M5FWr=Ta>N3<8)pUV;PW|-w;no>u)56`6D4dD5tS{Z{NM$ zm|1WC2W2(Wks@%*`pPn8%U!leH78(pAKT)fY4j}lQIOa@ArvM9mV( zLeyJHOO8;IQ<43x<4G3i9{n(5;m{qV`1_?@12Bsg=_>N!6-H(Z7_b!HlIm5UO!Ov3 zb5VEr}7$* zBRx3qk{GG*oZU?ilZSwVgN~c_&`L5evBWScHVKZ?eLNepm7qHR9HXy~LtqqKkIq|M znO-a!gN$1Ifld9r=&nL6Qtia?4;&|Wns;yvQk<(+{P|O`@_D$@X`<+>$=?-*+RCg| zYhRH}DO0E^5+U7BLvQVBf#-t-vRi7YRLj8F&XdvR=P7UUwxH%X@@C2ns@IP#^4)0n zzIn+<`Z~C1(Jve}dz_&eBeImmniE!Yfx_Mvi-+jLK~C0Q!|kL$sGCfsq_Cetp9-Sx zV_p~2`EN=$n zYcy_;d_#g7xi~W|{^HVF)1WH$UPo_8OxQJ(4mVhH8A)K#%tC$4d@yT|+vQS=J3wwB z4y+lB3C00QI1=Dlxj&7WUYMfDA{RNI<}jq1VId@i2g%iAJTWH5cV4`i2MKz1{yr)q z7AqzDW*E=!jqJZe{^ug(?+rAK2QLMyvKMmC1bEPe@Jv#UpyLupdp0iG6G|XU7N^$j zFucFqo;*mUr>TYy&0sQcFQZL5+X_e%k~+8R`Pj5#=}VA<1kC#RG$M|%6~^?c{Ts(+ z%8eeV=J(-yaQxNk?s$y5FbH=K_b@+Ee((fm_N^{3C6R!~g1sgB<6GM30;0HsoT?e` zKJ7t1v_8&zMAH^8@Rfp)zs4M1I!KPOu18|cVbc~U%0G57Cs~7%p!gtK8~MJrh0|I? zel+la{RnL38@mtgzjz3Q^)W@shMI0)Cf+H%g&c$DG$uy?L83n97w$q6RzWQ--DF7n z$#Y$FU`}^vRL%F#1nsTO2iiZp1ynWravOo-q2H=S*g@>)9;08cp`HGS3%*rfBntIa zdjR{GUBP!A4Vs#wAKXh+UHz=Aguk4WsLCBMZG>D<@ayPTw<65wh7_R}loQe2FO#{Q z9Vx?y?ro_=IR4cor#IA?&vBhG=>v{p>vzC0Erf(E6{Y3%R-l~EYqUjlVC{w@NQ--A z+R{MgES8h4c1cg@$1|n!UE5I0Eyo632#(zg;HyfCZMBu68s8$4>F=}97|u=s z>Sb4(m6g!kRfJHofzN*mcv~|Lm>8&5HlQDAUSKN*I}%9i#(_)SB~cHW2*X(ajZU&S zYsDM#73e7WGWR`zy>s#CzP4lT3_Vkg4u>Cdaq2l$VKv&fg1#7a-{NSBa?9~{-T;fG z6@!=aV{dg|YWf~Vl|$E~HET{UJP{HP5h~%g>L$>=XC?kae!}3>$=1pH$&m~+;7@nc zjw04t2-H&|T;v-m2;Uz}b>+l@5q=}Ow7Gr?kMohB_V2zy2_Pm@QShnF(`MphKO#8u zc}aHqyB+Etk|~sh2j)D&3AMyE*^r}JElDqoP^jv4y4*sF@8Pvj^izpHf#5p*rcuPO zIOFsmC?*d?L9zhE3X1otjB5+kyCB8VPY+71JZ3)qt!K2Kd7eraz+;0=k@nh7K6ru3 z{@uy)&wDHU`By$6JRz9PTT0D0z_gN8VzP(7WC zR;{hYX0>dP5l<3baYDBR4wE<#ExA{9J_m`ge@vw9MK(AxR823Au*EcL?a<=w;Hk$@dE3 zM3gdvrTa~b;GLsmH4c~$OIyy>eXM6&&aGd{YUhqhH>S_l3x({mE6>W8+Ef$WRQeef zXSJ3%zqjkzfK(gB;)0#WDP5IH8;MQxAC_-FA6gsg(Xs@y1C$4a3*V)E%${^m_o}*F zn6bX^^_Se07=@l?|7vG|;xBjq4wiO(F5RhdhRK1l@Qwm#JiKc>P-Uf6*Y=UCcr&bA zG?8{GV7&wuvc=vXa6+fR&%&^LiQAIzw{(fiY_iTnHG=*^z7S>ft%{vYlDP4Vo36On zQb~Wm;SVoKNfT}M+EQ{3UF@C+oT4YJ3l93cq!2(tC~&Q$--^YD6W0T691o zfm47~tF#$1jQ@fqvYLPe|=Ho?~?l!i!SYy>Ba`pkjj+31!0^dFQl-S4d^enK`izpZ?BiWyY9sX&4{W$WfYtI-fhX;%AOi_iH`2{S)$UJf-c= z=bzH{={2F})=B^0MbbTF$cYT*mge>&3aC`CN4(}bGGMW&j;PynSH!+6E$caUlJyK{ zK;30I8c95)rZ=3pGYwm;T@&BPGE;mYyqksFQdDKYiL}IMC=&B$?*Sh925kcG*}nsi z9I~JER$`+bTv?=7yiv&(zXPYt5*ma==%%Xyrs}R#*0#xEYkgOK{JU?{@**Uy<&6$>huWn zk9W`yHA0kol?X{`?5LMKAC^TcU%c6&rpD=*a=VZ(DngKbytBWDfgnG`0)B~yda+}} z3FCbZr`#~tT_}1(pO_^gk^>umOm!@gk~=*IWwP$Afn`Phd2g>EUBn0Mn=2vKB0=Nv zGzxTz5BoJm#eF%>bd<}`ZVBnyd8!WQvoS{VBKdHXVGDIl{M9juvsNzBZ6Sc@T8^{4 zdF5#=)5UN|^fn@>&X>HnT`baB%4z5L{&eKJb7Z8H{AnlI@ncH?Y$$z^fkNLTU

B zkDi(>2{ruO(7*$x#!dna-JcQJ`32Xv!E#-jvEv56Ua?tBD^=1$%!HB)l!TX{k6i~m z4M68^sSPxq31gkC=#%Dk;Ma??M-9QT)6YgeEF_%0BFJ}~+|(b>Gf)#1dbdOq#UO2@ zRc{Y`6t>*%*zv%cMhsYH5baPo@#?8zxD?=D9V_wKS* zs!FELhq9}$-bZL^xt~H~tw9*fT&efbIDHsB;&0XKr*hngl}i>JU3T68_z*@U6`Z2v zz;3TePT3hs`VHivutj_lJweitFsZIR@O$rc9Vgp3Rr!^#tD+FD8~;n9#0MFW(xFfC zW~+GXzP1vKoV~1IEax~y)G=hRhIVoO3zN^m4jVTPfh2Ymj-c{E!_Zz&c=`W8)Ga0+3YKy9=sejPXQN3(iHapl~ zycD5ee;^lLx+@?}xhfeto5=dD7BxfGq7o!gJoB+(o+U=!ounrZVkHj;aY zy&CAGd7w&y?k$J3hWVZufzD5d(MojS7)YbB4eJgF!9#qc+B|2FEBVw& z{lrT4{V~n|PsjztU;N;ol=`1KoCECY)G^3c|B+mfGyO}eBEPJD|1VfY`eoJjcS_?Q zra}L_jb+8`FRhCHvfBG!u!{W4s?G0Kf9FD*n0Czh*8(B?9TX|ha6{Y`?|F`=;D|!951v5J-s1R#U zq}=oQvkO2?u1P$*K%o2|9q(T;cu*f$=$>7meelTzep~YLBvMT$0Y5KMtWE&&hcEcgO^Z!c{RMLy!l%>Qe3NaW@#m->4+`0$ z?2LJ)y))Z#Y}_AeUZgsK%bzry2_gJw4s&s>SP$u~8r}*$>~0ly3j$^?I6tES`vF;Z zVmZQ&k6usy{Y+dypQA$DJYnAR`Ln}A?yt%I!aSxwI{ee`{ZoYvvJ(dF7v?=X{2z9F z{as_=8S^mzjCsGdZP_{7x&4NFjxu(<9Ja1fUaur2tUatXR1GC)Ib~h{XSLRU3-Xmd zIYQ_Ym_46AI|7vFn%pns%lUVX0Hp$h{>u?We|Lmm3vn)4@#Kga)Ct50P_zH;2wK0i z_5ZZ3#FdZ7T;q+4mMpK7rZT&`xv8ZJubVZOqq~bUhl7%&HNe3@$3tC4+EGB?+@4oJ z%f*)4l-<(C!9$(b$;w^>ApSPV@|Mnwb$=eO;u$K zl})u|C7pCR^>oaif;AsbTTX5+HF+I3MNd^uA0=HoA5#e)JqvjUOGg7A4{lR^DOG(> z13pg~XPMVB8m7tsK3)wz?$;6qucb5$wb)f`T`l#bw4}M%Rcy5NOl`TP6}b5U){;J6 zT0Abcii%3g>T2%NZ#?)U6m=ENr9EVoWF=T^0WPvirrZ|N{OteZsqCy=?0lR8LKG@i zmj5mAiA3`MvG<-qQEuDXC@2C-5JfUbQa}ZooP$V~C@2zyme}N+LxUiol7k?z6%-^# z0Z9!aISZ1ZNs^(-O-F9Sxog#4d++03KkoT%eO0I6eW{}9`BXFJe8wDejQ1Iozl#ag z&t_^^!+)Bocy;1yXESxv{Lh(s9-XZ^zA`L+qf5mr{MR^1oaMKu56@BS{|4&ybJXYm ziaH^wOU17GS5zt1-=b=qqkjDxsMP1Ez<-Z=tLU$&Ik$d`s(FrD_cu^)oTHlkd(?l9 z37v|5i>h^wTKhLpY0gni|3p1!pn&c2keCTwD*4jCepbdWl)qD*)@H-cCNrUbL_H(O z|I&Q=uj;2WF(m;V&loDuC5Od=NF~8@_%tt93gQL5yAiC!3VAr ziePOF@IgDsL*3jF&i;BOrJH!+p*$0ApCA8ktf2uJFDe|E$}x@|S*q0h`Y374FKIj# z=@?z>vSqQm(Cp;WDWBEEbn1D)#639Hd&dWfmv-Jhx_hROHYg{=3iezJlI5$)Ll&2e ze?@y5uNq}Q@ZDAL&3ELb#|LYKmr3c=o0DbgA7BDdFryb7709Z_itaR$IZf>+) zjci96fU7xygL3FO#MQwff3jdr`Dw{axq++skU)3Panm|tw&<{PVJko~$o=!IX2+!c z6EnQRT@FM44(2*~FS$HPr%D>Soa*TooSurjg!QZg<*Jh-w8ba87O&s$rz<+1!Wvp!)*Ny<7am;AfGEKPB*Eisat}=Aoo&3o z^7ksBj6zR5`>b3?28G(4L~{2cs|A39d?94)wB(7zlGv?wf5Gm}JvzKi;ipNRgHS2i zzFsb!0wla=yNJfWuSdE{N6vi5;C&njuYbOR;LQ4YFsO}hRb$F36z4-Z7^&t8cDPd4 zs-rq-%g>^%LZ?JPivEn*^1+%`xm7qGL^a;Tw|=+zxmexTI+1%RxV)>LoFx}J97@&o zbanmE2fI}jH`Z$eHsd{*RE6%+EncMhMTh%Vf&qb7d}N`VoH#qym9*HJUHL$J5~oSR zV!;5%x)WC$B}?@jK{Srfwu1RrF61Un?!hpIy6Zc+g)3R%Om^#VOj&JS?(Ii7K0Em| z+rv*Ed*sN}E)9SKIyWO3PUv)!>0<2BJ&om}4IXub)?MA82Pl&V9Ute&Js;{nOyLHW z()oZZ#OeFciORdV(y~LEn91`-^CRAY3B4qfEIb`d9lH(iA3UQ}zaUzjMfLXgJg+>& zmEQl=*vFp^L8fU=F__)?VUe~%?~iL*L?4>2=+CDLTpB99t3>W z4yGpOO$$H4ykDa8;G=-l-bh`1Q z`wi{x2Bs_n@@PAIG+FQhy#8o}whMp>r<}*%c0Bqbu}hSLDpIGKg3a_gg_B-9EP1b) zD1w5ok`AD^R1QTCMOY=BDidDzEPQ{e>`~)5@0a47WY-kc%Fw#gv^&@ADD z%{dvh>dGt%${Qu%V`8TH-6N8%6G_kT=x}n99plJ02=->x+^(q!*SEtlB`U;BtyMEg z*wu+>XW~??X)lAqAGC!lweRh%LgbuY3sLgxOR?s7&VBM+i|Xs5ON$<@w`PAk{39PA z-Q`oMBiCC(r)BIGszXc+Cqy|95A0R#@r~Oq8VM3!d7dynj3AetwcoILUwts~_J>jQ zk5;xI#=+zc+xtX=uoAV5RbiaRzJ{1TmgSAf>Xyyx8Z8%Ehv`F*P7QjZ5gI~vbFNFv zwo_Ji$)&B;2C8a9a?gbt@^V5u$WdBA4t1NUBs=HHEAgXWcT<%Hs6scqCcWD}d$T*M z_*3m{4*?CfCoOK5YP38h+y{gjw0({o662I3IPkWO{BS@uWp4JIew)hp>NdeP;k#O; zX(c*y4SD%x-b>dFmxyB?0FOXmt`p*#FuDCXNx(z5CW|sZ;4zH1;8R`9uuoXoq)j)0 z(N!ymWOYY>A@3C5=WFf;^1aQq2iQkAqoGr7R$0_q66I)Hkz|lV2b6t``!r217;(Fg z^uq)7yAN4K4;Gn?Zmh#oUpe z+&|5B^ z%WPo63~Sm;BuO>}&Mud{K%UgRsDOo{3#@8cXBw|Avsf$`wvq(-aC++O15jZNTK;@J zRMM1KeU;}HaV24g1NpWJPYd_UAEKkj%EIbSw^LF^n**!8vJ*O2^2aHPD|4QKaa&mS z(2EuXXf2ir_rsB~z(6I`M!tH?#Ilx3w}Q>R3}}VaS}qWCO;R!0=omjYPDrnN;e1!| z1U_l`rZImR9-C45F0||_x7BqR$72Y~qp*_6r2`0(!9IZ7Q9S*TP}cSJDxG6Wtv73_ zL=*#iM@a65E&aIsgJL=7T8SVfTR{Po-@8W!Q_XSO1>7AWG;_?m?=%#ozCTPB$Zlwr z;o!rK6%<8vN<%v_!!rTaAWt_?b%V!hlIg?B#mzXmE6vdNkK%=QM_>V)_m<3A9uDx5 zTuyRxsoxoT#lh-AvvJI6qEeyMBDo)X`WhB!k*VnXX{Qu<6Y|Jq>a}KjX}7OtaQ8w| z;oSq?XBs1ea{JAPqlw7)Zib)TRLv#QqnigCZ!potFYXbJGap(!s<2Nvt%MOaW3L2b z65H~ZeJ*t^gvIrB-Zb97T;iFK5@@sv90L?ZRPI?_I%EFtc;^3&29x%=29x_A%#S^~ z(Vi&ui*r$GXU60!XK4kQ#z-gKSrBkGRzH5M-()Ct&ZCwue~k6tWwP+mDD8RF^6by3 z<@_-3M4wib>*l{cH^E%<+o(nNJZcg6N7R28wcs_Fw9inB9{)9J;kx;cQA^`1&?jZ1 zq|k+x!VouE?wyYnpIC!1!Aml;v$f*DV2fSh1kG6-a8j>`NQXi6EyqOY*=N5Xk9S=W(|LvxI^s-TZh?a@4>~>?RNcT8}=r0`#*T<-B4i^az0@mdK z-?_@p2I=%^NMKF46~~-8gb^3 zfma4KS}_z{X{|5cH^0<`_5ieDB{JPA1~0$bV$fyJ!lV}=0e560__^5bnvznP4i2<*8 zCnu*BC_+U!9TK6v`M0n>n)OlnpKcMgCuYUjSh(`AKPXWb9PS%|M7DEZk;}{IvWZIL z10!Tp)ZSctJOi?7f=lG)=k!1r?LKwx79uw34t=4)hh3o<+f4*E2m*Fr<@_?IVrDW@ zzg>ehsNEKo%~GiXHlAwK_YVvX29)e58y_)lA2E4NdouZoxaQVCjf|R)KN^FP$FW#}@k;`K>CC&OPu_+?m@UK@VrY$nUYF(6L|`@qDF7~%a>2yzkB5+omXitP); z3FFD}xHfoYTE5B<)3*ppUjd~f6B5<*7J0*zusl7+X~Ve zlf|UN74WPjSS-5_6OdLsJ%?=nTBmIRY&6q`J?cpHmlz*C{l4L1Mu;&L)sW--70DoK z^H{`3k*k|biZsdSMv`ru@B{uI1vsvIp0nf3TIs{058kg-sRZfXoLUq%Hl)yHHkFEj zr!|(eub~FkvJ8!}Ywo;#;MG|AkO;Q`IxY=*!JW;Gs@{rML`HOh4<|Wsf~l-@`xkMm zi8$c!sR!!R1X;JEx%{RX)e3qV5m?kIFY%0F-x|_{p4*^Sr?l=!Xh6;NR8gu#4goyq zuvVm=yJMKWok2_=W^K+{;0lnU;5Iwzh29pfTxk8DQRbAQ-JjSfeS+}t1kvyvqvp%e8cxzY5$^nb)A7YkdF#|tGR!AV0p-;ij?Z( zi8o@0YH$}wAUQ3f4H|2fCD6UUHOoY_;CK^T6CGlB;rsp?Znr!$<|C|-^wkx%LM^rn zokYS=8?qysNj~Z)V~~>9Qc-)ofb115w~9WVs}pt?!k?Ue1J>b8hj)C-XW3|%LzY<% zp`V()W7(HgGi(qtI8+HNwh`Rx(=Oe3vX$SNlUo*4(a?gXQ-wJDPdAZw2LTDTj-LMj zU(-teI0BbTym1K73s(`Y93Ocf&a@49Fl9>eOlEFw7M%vU6YH&5O2du!mE+BN7uqX( zpS#H4Yd%`1EP?nI43@;z$k!hPIHtz+#4_1539v*(W@f!%@B5ew{N{)0266dXmOL-+ zJo7hV|B3m}q86V&m>&sh+}dn+*R@)iE(q+stKXcSQMR&AL*Q&ao3|H|S!LNmJNkuP zZ}8%lK)AQ$112+%hA8I-Mx;E?dmS|jbr7s{%u7*YrT0;|Kn!CO#kU-TNBLc!`n%aD z=KRr@gD)^)!tB$6{lMDK%g44`muUAlvvhbrOgBJwLdJ5BeNH{|>Es)dU95thOuK&* zPqb{Bq^R1-+Pk=eLIDYo*OGm$C*}e7yAR0f`i$Up2lSb3O%lLbhtji?IvK zWyvtUn5Z^r&MPL`H5@SU4a~hW*SMt0vQp6%M4U1~^&*Zd(uQr_v)5XR+?#bf@KD|6 zshJEf_;t`W2Z|Az51G5bsEhXzx=Rc44d&p1Moh7*n=H~NyzZrBVlUSR)7XLFI1hCq z86jbh)!lsY6@oc?%6T8z@k}u+Zlo!&#ZQFQb*`7Bj_BJvB}Vm;l>nJ6l@2H@2GW-L ze(Rt&bSP_fKL~!bp5kz&$s>Pc%wfuo-c3gKqv7RLiL{j5GH;A~}9tO+0Axlo`dF4~=I^b%I zdVVK@NZ>Lo0^e^n_uIPXuiEVza+V3@z$-Bd8)9)*HhVX%!qCXEfg=mwrjxg(R6|9jlP`DVE;>Sx`q7r)_N{;;j}2fbDE|@QT5Y=Abko z*%wz0t2P7TfeUr+4*Ms<#>eQFV^_NAFfVT$1O}QJSP`C#JN^iPqmAmzNWk@?qYAgY zPFhVp>rbr2h)c^n+$#iN#7u$mBJ_1;K06ain$K0Q;t!OP8YvCdmviH0p3XhY0(&dU z4K(^SL}#`wu4v9^#dB&u-+coW(wjxLQ#UN$kwb(!p=M!m9$(rM$0DMRQ9cbO6QoHm zWbWPLb@!Z`^g}c`q60zb1%&*16Cu7QE_0E6qgAp9#B0wetKkn=g5Ia@+O!UadYywH0b)2ks%%xpkza>Y^Go=-CuO zkS-|KpWn`Luf)m~Kz1mEb@b*@ms$_Uc{lOy4EY?x+qo6zqoq$Y%8PHaSJ-6Kk2 zdpb|s-8VV4`T+7#;s<(%n^{>)ELQ9K>{`2_L4<-+EaS+^5gp_tCdrPf?=1x16!j!m z=Q}3_N8_TH@ac%q0coP$hIKtsyiel!Dr-yAYy;dkh8 zZ*ea58($+Au^a)z3DZ2WI19-ObXr=29eJ}3m2WsT#gUug$a&o+_%l;@klqg^lnz(5 z#cPQEFbv@v6Rb&m{|7mB6cW)z9xq@_+mkF_)4z|&f=~Z^e6?lt;;uS#%P8S4Z}(ho zH+RdHYoYw^Lh1X}UkVXa(H6g uyTPRlZbvN{EMk`#7O9&#GbzR9iJjHvfnMR%|T z!8z^sgFr;!nyL#;U@+~$g{EdPYhoKi0tH^l+#3K=ui=5)!XYA+HpE~QKD>e8xP&kM z1i{d@X}BHM7&+rb2rLLWjIi?yThWr6S<$IQF3|*OzKN7?m%oEEbzXvaW;6qb5KyMz ztgQfh4qG^6FaNv{(Q;WNFWqlc+*VqZ{1DS{m} z;4@ZHa+jj{>^)a=;SJ1}xa_3T@e|d?$YwvyytS=+X?@{kidE&H4U`1Lc+(m(q?6&| zdM7Hh+FbDN9qXFww}nrOU$zHnM0x!LZH1H+7L}OxsLrt8-6i?B-R*-}cX{HoW01+l zlMZs_-Y;p-lCCaR?r{20?-Bbe~vn-1dR5%;9jrNMVwpqKP2a<*YyyOv+pdy`0U=D1})drGQTI17A_d%y@MLEr-KUOY@U!-45 zK3ySxAmGBXYequtUiW^I$AigKi1tNoL%-((+iNz{9vl%bI0P(UHwS9uGpc@qpD_wy zEd<7=;jGQr}XyKu}6XEoTKL#&Pw~9Mb4=ly=Kc z4}=-o+0SPN9(IXlTxS>hSunC0yZ6*V4C}b?MbLY$=FY9SiWr4@n~fP+KK?f~>;-qe zv29R(*kX)=8DQ94{8<@cedru`1ZwG7x?3}8=U3ERNRhLuo$V$u^+`cSlbkA)h_wJq%Y4ETuE}&18)u~C4cI_)y#uK4cGmbRF==(1h zj~ezsvFbn|fa^)!a&3uL;JBpiZiBfr}Kcb)hD%S|F?Vqf2YnOFJaY){Kgd>O|+f* z*Rht%BKPH|-JEzDu2=7E(SdL=pp4<~JO`VqZ)gxvucA|~@*4I?gW4l`D;WmpPayGr9h%z+UP}V-QfB_42}v>j1D{{EZ+XgC7+Y zPx0hms-~4Rp6GO7A2_W0UCokf&^)pL8--Lnsy#Vylt#}^?pS{;5)w>|+G4?E=-6J7 zK@6e7DQhPYT(GMo4|@v_89rp1thT=Tc3jHjnKTYoQb@PI5)m4wvMNX=c#dQs>tbDR80XaOP2)`DvB6>K-A)9k{r z1oJ}ys)qyR7WFxlg+?SVZlF@m}+ zn5%o8aWP={4Ygu!!L=;`Oa*IIqmTd9=cvHK8=h&;MA~}OMMQ|QC7#1Frqp}%7DL5M zv|CkemZ7T0uSOnCMFg|9MBcHfaAPkJ$WzLLo_-f0_dP@q%&2B@Re-zpdN(~Ds`wRl zMsEbbShYN_Os3UP3$nit4@&s7ADfWFP()=}NeTM+z(yr}8KMOhx1`x`h_H{#yUneB zlayD4LH)e?I2+T3hTAfgPC(V6G<$evl?)??_56p$z+T(V*lf|eEidms3V~o3fjRua z!50QOseLKm(rvu&Eu06?* zQ8Lx)=g!vWt;u&FQVFPpg(;txuZ%=k$B+Jjl1zXB9|y5^ATKbPFA4M@3)Q`sXzr;mK+0UIHO*OT+;}8 zxoRDd_RD&X*uE%g9Wd;cG|^Oex5lNva8r$lki1jdM99c%_f5iwob|50@nKJc6LT^{ zTi!znbfDqY6hTLT_cPXsC|K{07LgfR74it6YOjhD=6X^LbRZR?{L6AuqW0E}w>stC zwrt)XyP~myNMZT5=6hAiHKLEd(e*h*Z@^E{gC^Mq>8m>=uKJ{{JDo6Ls&MPUR2gzg ze@9?s8z9KLxwo>HJ4s3paQd2eRIk2Lg^icx6_#IVNc^7uMok zpAE$NRu^N=wfTPfU?n~|#ycmfLAw|%fWgaedl-->XJHr|Q4t7%N(C5;6cu)JS%)A1 z>)`bpKS2qA0B?)UTy5%f-9Qcpew{I8$=I>8iV1^IOP@uB9Pzv(1tv?yDN~2 zDug2xe>`n^OUU4DgKMnJk#dr4YN03FwLYyRAji}*b^`B?4Qbr5r8_O&Fs}Gvi&f>{m{5oqXQ90F@S#`<(2V; z**efWyY=U8h5{hCrjI|0jMs?mihHu zCqeLIo^i|Kxaw_H*qU$Loxy})aR|mtIiNu>N+hTyzUij*go)4&%+h!H$Es>A({-|% zSnC7bx?drPI~zwu!d|N2U@rI0y$T3=rxgxJ!M(gNUPvC(B+P*^7`MBo`}Bs)%CCLx zUApTEhcz3!1ueL9#(HKzr_vw58V)z0ud-_oj_%&G_q#3XD0%Th*#Rn%_nlwsspHJp zd+N!OgjghnoGWL|q|d!C%kQ!u#;$Z9O*(FJf)(!E?zpGOmEX^gN}$-<%ou^8`}c}Q zmg07-ENeC)fnw~DBs-KG(e++gy^M5fxCRTO)v9hhD?7S>VkrYHAHmsIsv1IhowBWy zyEC&~6)%hhqX%*`fUK9*?W6{x{3~dJU!=OL(>zs4TrZKnegvVu5pRh7N*Nw}e7P@{ zDc&_JF+}8+M#ojMiCOUE6O5p!SL9NAoDE8{{YkDEGsG*tP5V{e*$!U;&-1^@B|JLM zB~<;v^S{X@(4FTJO#U^OAhYwYxdgS}qw1ZbR{jlC`g2s{e?_&A)uj^S|7+cqM%{0t z8U6DN2H!uT{<{nY%T2y#XQ-dp{+hwCk3G*|(EnH6mC=sWw`K1YDN9^tIl>RLKBi;q(Uyo~Z4iDLU z1Mjr7+0fF;5#JJZC~bF4j^kHZ&0X)JFDWqH)4LsZRn9o6Z|H|iprz^O84<$7UV)oA z;Ueqz(+}Cgm97amU)FB5ViDL_?EE?;$*pL?b?fpS!Ah#_oOB53i8IOf^1Hhk6q^^@ zTMNQ#Uw+fU7oda=NwW4UM`?x1yciLVOmgL`YtTj-l`o%+Xnol#6{zIPo=s!lp_vw3 ziUX&oSn%&Wn_s%T8rIc5wZS=Ww_j2ViD$=tblH7Hrz${Y(TQ)~3rCIkfZcGo2>Xuc z)-gEUX=2>YvLQVUk>A(MtqCh;q8^h^RuSL@z)P+8JR6%;+Y-(D#G3hRdzffUX6!2^>8?w#-S_YRDDd9P~tT2HOyd^URw6ruYluF5)mWl?pW zGw!NfgG8ntk87;eD;8C^d;y4&&S8GLwcr$S5$L`a!$zZ7P z?37Y0zuCtWt8#p;LJxU^V6s1Z3j0wAL)NvCB+I634)D=-@;5iZWFh@|5*>-u2Xeb0 zYKds3q+xW0^XqlF#UR!QQL|??Xy>GU&7(R95 zM@iUOqaxE6b+8{H<}^B$F5d~2cUzKlgM#N9<};?+saIt9)BB&8)hfpZ?g1tzrcVka zxUwBvICC2hI%;LWf~EZjcQaZ)R~l8#arX6h)mu(l%Z1n)y9sqNN{Q*wehp|Ta3Bd1Fl<41=Irmc}q8=E+Rz$2V|)3vR7Ae z=%*SG)}0v~O@)__3SPb#4ABdt&`M=RX?8UX^e4U~Hnkp0)L$W0>X-TkUMq~%Nt;(En^bO8q^PGmS$C~J zg8R)4CT#WVD6k-3Thjb9-Bqsc5uLkN`dNqX3w~FXrnEceyQ0K#Y39u&NFE!2Ipk)I zkw;mfY_Ej8h&74C9DvI)JlkuR#VMuBvf3@rsD77e}`|l-i`zX%=Eq&vXYIku2q1tnDY#Sp%8KvZsIW6H zm-e5S|15*y`3LiB|4NJx6bt{T_Cq+INdA{>pQEEtyonErg5%3?gTuYl!&U3DtDfrO-IWLfqu{Wx6`3y|r zWzB=H^w|YC=f2IE&r9oCgu1tCnC#Kl%4C%EE@!>s4=j>@M>(<9EAxZxS}XYto^{Pi z%8zNnsC?mpkiHD!b@8qCyv~7BPLaM>#EPS~2eu!lvfiF#)JAJB0m>{CHk2zG*&luq zyAj;1nu$V_Xje*fn(s1hA9k#X9vg56Zi{|p2giJY6O}8rK^bNz983en!(!Q(16rRy z6B(W7fMoHJRFLJZ$hHAFQdmzdjxLpUXl6>-$$Gz>Wfp8M?p$s zBXHTe?l1=H(G9T3!&e0#5U$7WZ80xAJ(BsI4Qj$+uL~44=pY8Po^Bp}?z?ct;w9WS zpoF0IF^#0kPnsqUwvGcSd2XHWzGG`fMDtDc-onkp{g^}SY#$T%oedjjm9giWmrE7j zjhV%N<=`El=x<(l70T=r;>Dcy=)S_)&68SHFPYkFjAX0N$w;Upx{uhKg{-u##OQ+m z;~S$NJ6*kEC5Cz59Zx1q4r}SALh|I~+b!ZH$Njw9k1Q1J(^vjbb*D()ojk=3hUboW5;dV5(nTw{i=w{bW_wx8SID2G4M62tBp)D zx}70Z5!-SQ8UqT{ms_*Z*^m6{=%L|4rRBGqP?Na5TwE=sGLuO3-u8X)K+1dH5Qr`R zsSCx+CFRDTij8rC@|CZn@c4yIH(zc#x@@Y zp5kjZ(BPNA9l1{tP&mBd%NJ}wpv!rJ>TA_efDFp41{=1t4ME`shv4`>Kz9#1!WQ7* zJsjZcK>(&13TFYw&7Jxl4z~xybF3<4K39UwfMy=Y4s)t==i(~Fiz$I6dyuyi%feTXFHg>Fy5j<;M8TQ2D1TKu=pw#(I%+RLZY`%n#Z zR-pgD>Dcke49?pbJpH9^%lMf$AAbXF>KXH6{{!=%XE6SJa>q2Px3t}Qe6bSUg7bbJ z9AF#VyX8WSo*u=CRY8p~-h=Y>O@}1*VbPl)qNQVDnqi}Nd2!9Gu0p=+vR_9>2(IY9 zpJBW&Q926`KHgJh4Q@*HGCTwe6vn}xieT6U%i})KOUKSP$$Dc(bwtdbnDXt;sf$`h zF4f3Jh;+$K=6Zc8Lsb5FeqHzZ{!yn+NO|5Wb1W0gxeuORg~1npLW-l@S4=#5d|=4- zNePpZ{a=m_4|XbbsaiYGh{MpQgSjl$UDfe)1|oy+iv{laaODBFljQ3AbI@PvdPW?- z7Bk-j6n?r-d#jP=%k&b!mwaA_@Yg7t=1iB|FQV5QLIW`Azn2X=}Bdf7%*CHW@aipla_wSx^zyX5`D#NL@v{B~$?df|%yjGvD zU~Nzvn@i=wU(8`@K-m~t@7r#E#oVA9a;TeWylTtIAKg&C7C-nPfkM_SVzN_Tml)&b z+M3(nSvc&=_5@j{yEoJwXfUtA^;;;u58vS^V%o*M!$2BrYnAJ#gxzi&KtDt?8c875 zJ8$^RhHFD~6L+=&*Jclz;BfD*`oV$DA%U*2H4n0KV%D4`cyl&~tcS9(Y>CfP5EuvRd_wcI@x~liHFwmll&zxRM-xdlZ0E z8w&*+KQ*0M&SKS$;mXp#X{Aza)BZU}49C^!mu6!CCYwKAE@(Ur#@)Lpocs|ugRhG_4Zi}Pj!FCK?HLznm8 zJwab&)ziITdSD$_uhh`wU@yJT8`5nt{hjuzZUdBW9yfY#CrA6)&8Y(qmzX2oxOuID z_l~2>BVK$(jVIHH!9X3cBET4#JHBt{gL~a5N!86Wm9pEtPQ5DzRl1#o@Q}lRTehm zU=e;x)W8!8$}G<>kC(sbX0CNOQcNOd_~_Qifru}=p`6DiEBh#y;lgF;$Y}6t_@Hh7 z7Fng*LH?vDUz_d~Z^@nxs804zOaXfBDASQdcO#I5=RSwyOPz0GgSLx(6Epc` z*;!jVJF^Gxsdw?Ug4jGDA6ex~EdxpsB)CpxgrS0$cW*7!>vpU1>FpSAWV?S_kwLcw@ag1L{N&nsZ!M~MC%0S(RPA(mJ-Rl&w4o| zz3ZKUK;tNVNxjx~&)QO2X{-(G>M-nqUU!bDTNcr1g^m7&>9}~|es8%SC&#&moW=bI z4wVB_hR|v}JiTjISvk#)oAGzYbA$a(uK#$m%+tsg+#S zfZQGNGLO)dFEn3sSYs{^86Dgmv;p$>ZpPhg-S!3qnmyh8>5y}y6*-4rT5{KQsu6o< z+02Elpqt+er{IPS>XJ~cx15Aq;XcMZ7$P+`w0$*^>v1eMRDXegEmMY zK6Y?w&k(ssheuU6V{g96i^)0ZR`nhYVr~P}s}YY(x9UNwNHIJ6lXS}JMP1G|2=5*9 z)|E@t{hpYnxLt-6mvYyz+f03ODR$-e!#*+a_Q+sfNxTO7HD!x94VOy#23DgrR9M4v zNbgACLYYMwD{_1>mw3_=Q0dm9&8Inr&0Lq%O9`tB8nw2;gWEa?Z}=?qbiI{Q9?IQx ztb9BmdX&C13$2A#`NYvy-dt1|S=!GjywhXEMgW=<4w|~Ey-BV(_o=nnA`%qE3w}}WFmdL-(63E@Ami@~x0?TpndS_93Fv%Tfl7VMgpJbnj~_Scr~j2?9Q=ttkDlL4k6?{%@{4EELELqx&$(U~Pez|+c-TY+ z6fcW!{0vkx%>WJu!)D$Xh&&)4wM~)d2IPe5#~UC0)&RdQ zj<+M;L!4ss%|5eOF~D1{l0$tc^_ypK8%L`08fHn$?}B4z@?aF-(FvW)F-TCGB`Trw z@YFr-we>D&*jkU<<`#eVvze^w@CQu$>7h@nO-ZE)4m@@wW@neh2%oeb1Yy!opGs=8 z8b3={>pfj@x`{F%M;2A>B?V@i z(mr9aT9$&vED)_FvhDkKG0zRtkX(pSrZXl<5Sg>Wpz(=4VlWJzKD#H6+6wU9MptTP z1`QS`sEh5VdL~?<)tbL7_pN^D)%ChOVDRiML%Jb&@MUp+8?bb$%V9&hjrHr{ptF>7 zhb42+EkN%DBk#_S@>fk$3>%PXkjtkx>4Zm6xpA6_mD7vV`&hY!tHTr#sth9u$fhce zTYx39ixWXPA5YJ-rI!RIo|l*OjoR)r3`;sp3HJ*p#kFy!V@e@T@VV}_Y2sLwCQ+mn zB9@8yYO`dOhx~MXuAi$X%E;#Fqu|RWf!+yXWT2_z)M)0bNX~|zyme16ySQBLOVC>3 zW-C{BJ53xewl#QifScV2cu+*(T~6i0N!yrmCk-bBj4zLDky)R2guWe*PY_Mrv1Czy z902USvZnsU@QKF!Oh6WuI8@#|X=Obmp_D8Bey|HFNP47FhWRtGMSNa=$_S>{qnzd1 zJfh1`6Mf>(B3248_3D<9qNhF0-ZttI=dUw#Pwth}~plXeirjRKfUXs_EUHFT`frX=aJOnyPDLp2SEVH(HZmK{!h%m zEDtbI|AYDY;_cdd@SVwMt^M{cC2Z~5n(WhV~{*i7|h>6&kNXYv*R zyuWT4l4Z1|6F0CqV((U1_rqa<*JrfsP@ZVQt>B`hvsf6jwG<0^HNGIRm*NEZUW{Yx z(l>hRs!8>caxj!IdR*uNXo855JkTk|Ek z>TJCjG%?C)Q1m2*dO{F=JyNE~@u9}p=&q$8>BmMnbUUl{Q9EN+c7juV*ERI1l|ku& zr@}RDDRu}rjdq{rx*Y`oCSO)LNq58lhSey~$9vq9hkW=TjApfW}QIe$gHJdz<`fA%B#k@sDfy6J> z_@25jybe5GDSXE&UqQ| zN)zAH!akkz+v{gH`mPX+A_2y9qBvqX?NqOEg8J}L@1*GO}7;1 z>C{0#zJD|-bh*$a2~vVs39H96n?15eG(Nx3!)<3N_pq$8BmS;fEuavP9%XXPjBA3m zFln;c_M;9I!y(G3|Lz)3W^-@8Lr?CVES*9xNsTnl&CGq4!)(pF^ry;mvCs@1vumI3 zcv;UaOWtyxLf+QY<`VG5sB1s&R(Dk&$lx#1-#oO>2G~t4qn9)oDX#m>QyNstl-o57 zJiK|CP+|odLPbGtH7e(^&;8aU0MYU*mMD9di5M;$RUTo%@ zTXyVRvv19_5)-HPqkOw{6llxX9cWVqKoxj>b!p|!x+@y^i)1=ocd$+(Nmq=`+`FmN?d8T7`c<9 z#f?rzF6*k^dMWW0e8*p!n)K;0i;Yhm8Ehb>N~p~1J<&t?@+vJkhGcf-OPgeZ1li^! zM7~Zdw}%B{lglVRm_62xXs(E?QUU} zzEPTh;_s&ehbq~Z*mi$yGW%tx<3VmH=sz88|8zRy?vchmiCI*a(&3%POTZkiNpkI@ zr(Rz*O7hVpGt6_9itRr)`NaHc|dO&^P@pmiuzJJe#Ut( zon($)De&xZM?d>1#h36w*|=I0tu9wWYZZ5LsmNB;;q(X3Y%=u=HdVDcuW8-SrCT?1 zvqV~w6;wGch8mea%H2VJdF9)sWVxYJnr|&Y$;t9|_d?V`G9!)t;^+Z$RR7mud;Ke9 z#n4B~yz;B{U8vzy4HYts8a=;>@3m#eFUXunz;CO*`QzP3T(%b76RXQK#<+Ny@yE^2 z^{~xHaE++2yL1uxudRUD(9noa-%X}ES~#by z(8dfCZuYa?`2^pL`p*5f+k;*hSl40tkbJo1j$ei-;dVp(&$ioqd3P=DI&hpZzW|>3 zo$*h}on8N|C`9mlLH}YFzRM2zAIu-$FgB3XC)rD4G+2A1^s&xCH|l`}?I#J`DG`v< zrl3noJq)w&_xn#B`6lAn@#;y&PUyfVSWMo%1khKp1ZuN;~>9FXVxlJNYwJUKl2 zZ*u96&$HU)f1v*+m(FmW)i(Oqtaju}T`KiW!|sOK7<3ZJe!@qEL}n7tz3|7SfrJ129HwFlt8q&z`(Hvg*)_CKo)X3zFpOPicq zTJ&#Nn&sTm(|=m}PsJs?_7Pqi?7y|N4am+3#P8}1`d>@`&ssWB;_B~od7qtIn&}@c z{qL%B2pjk;&Me&$gtzn`YDjodR-SJpQ;Mv3QC94kF7JO*Lvk|r<-@OYSz$p@VKD&# z0g5Y%F3z6T&Ypaa{amf3*v?r1fM5O;SN=(D^{KTLFPnfEn~tR?Uc*R0giSy|N=Qr! z{~J}U#}rq7ueNF}ENLz%C~RSFVJY%oYOB8$KGJpZv39q%;(OpH#ipRI%df4BNBC1B zN#EAo-CEbh&e`*^wYk&TKz5ea9#U+ABK!jQFL43EbM+)GeLi((Zx;t^1y@)6i_&a* z)^1*Q?$&zN=2kk+j(!wZl*~QxANfBhH2v}a(X@63dD=>`i3pzw8>y9Z7UX+6263x3gCWE?iI|B#=IH+ryGq38wMCIlKOa*83Ms&!@m&1hLKr z`R7J}gtpz+L zPwfKy9_e?y?qTg{@xQ#zridrC|5;wwle+r5-7xUX(qW(ek=Os-qQ>942)a#slq@owqt`ey>W z@NmKW4E06DKcfCSA9jI_&;1Owh4deM7+%pY@}(>_vj5zNx&D9U!|)rMfAL{jF3xx{ zJ_)>HxZjx%lVlSTk`fe>5|Q{jK1^J|TG&!d)Jnoq^8a!dCMY6u=EGj=YO7LQVZ4I3 zD22M3622z+%xMu^Cnd(;)1Ov1;(suBDjRz0<8=vr@IIG7!OF$Lnoa#IQaJOXes0~? zXOb^M>PiZaeWxrict^;~MNAyw!?t+u)yXA}cM9KuRC^?E>&Q63A+O-B7h18Gxxs`) z{||eA85CEyZI8pSYiI7OoKxBooO;%Jr4i?O!e<1`f!r$Zkb?8 zIM6Y1CQ!t+_-$nI8zWYVl@#em6Akid`lV!>e(+g3NDT^TI4Rsv#E6DIK7icFKzxMPJ>>#+~%ouYX4kxi&6B4|A zVw||&{xos9iY(Za{F-p%2j7(2r3h3nYqIz+H7%QzXK%r}~l~#_|#8;`RWIVjl z?X=W3o?n&@_cCAHcN6Ttlw5l)4!d3rNyWT7C>P&VS+yZOC|lKOx`=$@?l1hrLBYaS zDB2RAoD-_Q&b^GhPx|dk9S|WtXl-I4zh2em2r)du4o@;!v=^b1`hZ~+qmKI-+208K*|ZzBE~{n zL!xEfBg(SDiNhp9pA&x_T=%WSK@>2y{Z!VaTZU9IgR8w_Zd<;vPTczIG-L`J_l!=W zyR{M_jZ14&ySSplSvEPKw6qkHor9x5h7rlh$?0Ie!Ac7T4-b!(qLHA!zJ6i;tEW5i z;n9%;#ZN$k^-5}RYHF%SckK0pf)wt(n>9;hJ8z%*V=V(i6TgMSLvV}T)*_xV%Tj;k zy)F}pdNq#QeWhSXEq3LOit1YEW_RG+HzY}AM8>A|TY$p-S6Ocx3hDr95$Mnq(^s8{ zcXz>Do1^Qq15@_{bRQ?#t|VFHb%}<;CfuV^Gc!%PoJ5!k3k%=(dg6L@JhODY_nShm zX7{8vQNMUQJ=KL36cn_)e}pd|X;YG!Q(gB9`3N6pyfweQSvA?&g|$>{3lgZa!wSfjH{MOo@two%@gNAyEQ8XG`d@*YLKRy`dfi z0&eUmf>~!k0wFJcY^g|sp{^XU;2OL0^)7lEdMPa}Ey|m-wJZ_T`o_khtxjLak#qz; zhSRnWHl=a0Xt2#8aT(gm%R}{N+uC+iE-+M52tO0vJEko(c;bvcpx1q8f_HxP!B)Fg zuPFP&c|Ln3cB8x^BQ=JHcr?@O&ZhDU^XCYo0FJ?;;br{~g|WI}0029feGLC#emj)A z9X^ImCdwPsPBaX8&RA~0?<9W8Fyb(iBI|o`N3W{R<51EwM1NKTeKEu>I}vfOA6Y7@L>fDx`cM|DC}UPCHQ)f-5q@SH-3yyB&RwBlQSG-`wH zMJj2aJ}G2dXetL~W8Mt=JM1`w3b;VDNJZ9IG8_>#c$_o_@@xX#B$S1(r_S3%r(P)l zLecRJMid%#k+`E$Dicj6J0G|vGEe*v4%ld?{MPj42Er=kj`M3(qlYRsY-p-+M#ybG zL12PY`H!6KE3p&m6OVmkW%!x_G|ItvMOvTWR&^^f6Zqt>u@U0=kklu%I;N?HBJqxi z9;0>q+5xi}We!SS4Ia4P@4i#A^Q4a7!>t$lhM^kS1N21{QKK!Eff0LL5Mv!HpfO61 z8;@I^pC@aW!0SExx7Ww42vO{t9WI7uB!Yb*HW-_WQoT#H$t%$X7NR z^Lg4loCnEgtBSHGR$>x&Ke<>ZHFlz2aXr z{qORCr&*OxBK`k-Ms4t)M+MK;2Jc_8|Ba|*zoRPrHR^xczx=tvT@1d@Ddhox6|l~H zS$}(<11C1X9|O3;P4%y$0t=wXU!opN{Wa?E3bzNDbAr9t_#%~O5 ztpBg{`Jde)zkpo~2746@^vn7mU{7wC{sx=kUxHl-Me!T#iNAvV=M;M>hTQxEu&rzy z9R9D+{r`tUBwo<&1f#tMM*3y_545K?%zmRy_Ak*cf};G5_Sj$1{$2XI9mA3e^#I@6 zWr#oj0otZE4#xWShGr}r|95l$=Wp&cFx=~4s9)Cqfcx8q`ER&M{w3VSP*lI+{;#vQ z{`{@=a&!Os2XMRCS{YkA>D$}excnd9|9QL-!9B@C=)bJL#T$Bg!vgeDo5A`s-hZzK z2pi7e^n!Ow3i$T^Qy+^~4R%pH{Xbuuk+e4lpBnhbfgFFS0W!1jvNQiXwHY>jPGdt> zRs%NUKTZw&-&>pEVEae484&n>2K}zhIJmi8fnWSPRY2(Uzf=M1-f4v-s9`=mjWkDY z8MhT2B1noh4fOx<-)q7y(xwZs6vn~jM<@} zWqI|nu5hZEeS9bV)~40w(LIaj`F1beu+Z9MjAw7{NcZE3jpxUcc82;^Bm(*Tb3bUy zI(qt;wWe& zCr!|t^%xispWCm-OuxF?pR&7WT#G-0{6pxU+>t(WT1t4KGrOjH!S2t^jVH9oJ)`@K z3Bhd0LocdBV2|hh99$)2%OZ45h%-(S-Wm>xH%-)GC3rnE(jKM3GtHmqa@sJG?GdVu33L17f2m)(7%p{}Wm5`SKadO# z(RO1V*OW&4N{W(ywG2#6?z<_KH({OYR=#N|Yl~K$$D~S#oy?BGfdR_G#sqvB#f-2s z_AP%0%JQO=r*ivR@*aoOPO9aaRm@*B9sSVVx%}-#js@f-oHz}XI1Qybn#Lp1hRN;2 z561Ip=k{T;r7N4X%A|XCUW13iu}&lf$j1Sno{8yxX@)F1puD&+hLbi#Xd=oI7r@~= zYcy8&ma!;!?2Df=Z{<5isKh$%^3GU!y>Fslf1=v1Z1JAy4?E`{g0j(>)s#uYQob+R zvRP72Y3jXJO7Up-Qa3=o=d!a-t@t@SIQ9(z!`u0rwE&c;+Go*G_2IKDixA^00`fYc zqdf#7sKT{EM4HNA{pl9}{xsWoVB!2s4T=o&(pa zOPd#)B`jniC+>jcmXMPjCQ=8+sYs?E;hHD#7(C-%{QOJ9S<`3KK*$L-29JAE+tX;x zPq_O9r)J-pzj4Mr>Ony0`_VVp)%|d)NexGqX_bd1gc8R^*me06% zYW4Z3?jXijGW33Z+|8Nzd{%O0wIHikFqapu*I26PYiaJ3myqc~NR3LJ11?))?LEWy zOGv6>q1+BWM59$V#-ePezGlQvln!>-YKy_81HjOpsJeMd#HURJd{+54Pf6M&9(+!K4 z+KjL4AIxu!a~6WFse}%6qJhJ?_k9NooRD>-E9kLEgxDCO`Tpr5WFy?d4d=^2Nah*{ zy7c|i7_!(F9KmAFHN5j>-WF7Ew;Q=?i-`mju5a`wLb&Ire zmc}E{M|iq)XE-2{eqD0*t@+pBcJvo~p2V!`nr7%^{*0+9JK-Tyr*=1yVVn#To#`!% zJn1|^r$@ui3hqqf_@K5>b$vJGWMsz~#L zzT4$hg)K|(x*}!#?}_d|nokt!i5!b6HG($zJwLzt+kB>)oOR9ftU z2DeB7M*OcGnwMNC0_TD()L+)$<^q(!#>W@c=Uw+lF1*w#{+qP+PU)(HzrxSnJq zYfrXaz1*6~UbC&k#1pL83?k|yP`%F=8&tYa6h;-TCs3@T%9&?&5w#CAu*SZyYtIjc zWec~R&J&N7&4Y&`Fsz$B*R4eFJsz*41imRg+>MJzWV32r9KWr$$Vo~3mh}8^KQU9Y z7sF8FMkxugzI$YY4ywdl9O9S6VycR3MnUg*K5fOR;YL6~nJ`a&?(n!Z@FntEJ|2A* zzRLS4^ob)-BUyj*=b9I6a1n@V1RDg6ZTjo^SqSFo_L8dSY^?+L>EX6VvGs8rIVe}) zS#2ru>(~3;qu~zkXIB2lbI%I5`|1IZU8Uxp3)zuzS85^-Zr4?1$1@J{@@+Pp!J5~l zj(FLTQ8p&=QrTXX*9G{Iu_&F8&pRh|pjj(wH<7|z$mk<4NP$EC%kEhW6d`lpUR4Qh zUBTO5D(ClS-j-iR!@a}vKQS?e&S;Y`4X*YK4-fmyjp%-THex;z`h>hqf$E&;bwfIM z5Aryj3g(Os?C^So*diA4%HHog6y5p?K6gtXP#l$cEMqCoS`SerSkC_({N{1Ed3Y|| zQ>tB=G*FYHqlkxD>qI%>i~ubYO-)Vb_~4PCi{yIQm!n8(3Zmb`twG@^a&Etn@{8+o z8himj7=Yl|hj~}!KJej#|D9Tv!PN3k%Al4n)Z(A~XKH!5!r!{2z=jIy7iu|@`D^{) zcWF>O9o>qh`M;MzUkGg%9QB`UYpi~6YcT#C_3sfH5hH`^OVqrpKM@-Ii-qIp;n3(m zzpeR8%bEGV4nt>Q=jCAKW&5|bH3lZkCY)@BhTQ+_35|=56>R?dyB%i`*xumwo6%fx z-cJDl1V;a_4y8OYlpY_KE(g!^QQn@1oSX_WMe!6d1v8l$Xu|3n zO#}i@@PZ>3?hepHWW+S|kN9{dVQqhwXl2_4gU_{GrS|1L{m}jCqh<%Ggq~DG^jyZi z){#zZbkdsXS>+S)NLo@-5^PUTkFzW_Cd34A%o@i013Ejv z$U{yZUB};`LY<3trllkMDBb6J06HTO(_xrdSw(m66@do_2W*3#DS-4(%FfO=I!5cN zKC7!AAO_dJoyq~m`H}UX{1MZUgm?Fv>l9uAD$W!x3tQCQz2l-wkV!yJb50L3l+@DJ zrgxwQIQMKB8ymlBTAOwxaQMWDgXja`4K@`4p|)u#DJjWoRZf`^U}V?Tsmj94L2kYd z80|4yqZ8Yq1VK(W1IW`aYi*r9G_|zS0#>G? zjshHj(yqL2%ye`gO=V?eiS>FUMoIw77N1Z|$h>TAqXAcKC1y=_E4~NV>xj4;Z`H&u z2NcWs-#OU6*A)%S;VtU+KtZP8KRYvxT9=P%%g+yBsMdDi6vmN=v>FCb-<3djmOIM; zwE>I(Y##)lR^rWV4}cp~&lV@u9_0F`tns__bYx*uz=)|3_;nt)i0vINL=!+8;7TX? z5m=N(;)4LF+%yy0WZwY@b&Q4dcg91A-`w2D69PVnGWHHQl+nu#K|_mNU0$M_(!0dv#U2%Szs>n+5#D=1B;u&xz1wR1Jb zBR+KoeegFHx1S#Gu5ES3h5}4_>Qhx|DUy#Mt4+r6Oqf5Ab%LMrK&+5GWWY~yKAo+Z z+B=H%T1=*2tQW+HcVP25X)*Qb2V9@w#OUs^bUKM?X)Pr~Mze0lJAvrw!zD5k6Z@Tl z31j$d`S|A838oxd9VDY@l*Vik4UHskmac|+Mjep`(enKk?;YI z)Dd2)z)+4kVgOkK%R7{)VWx`1J4nS+Cn45%x!b%xc}m9X$4`5Ancoy}Z9TBed}4s1 zN8Yk_DeE;Nn!lb@Ig5sRqFLtFw4c50xW|;$SJnyDq5Nrm=wy5zy&i@j6=j;KX;uh2 zo4*68D~?D2tR}G*0Dk|=p>*@JDWd^^?LmPTB@Qcv!wd5(fql3Cl=)wVX1)J|`H_9t zl8Sx5jgPwTAVXve?kHRORUbf%rzBm4b9-K69?x~q3H1xpa!uuvQuhGzU?Q+2S{}(3dK>sM^CY@VRss$NGklGUsBKW z>eF>64NC`586FQ*UW~>XmIf-T!-X;)i`Mc2ZnDXg#P%>LS|hVWtx0F9 z*5?WRy`iO720vnovLMUlpZ#wKQ2=gRa7*7_;|U-hNhKFc{GfZao>V-P5D)i8Kz26~ zU}iw>P&)%h^$y8jHOFwuMZ8L!b?%Oirx~q%1iCP4s>MysAa<9UvuB z615N=uqu64G6#S{_ETEUUE6H7{4IwTF%ITZaQq~)+XMg=Ns&;)mQJqH?tX25W~(H3 z{a!ezAZE$1?}#83YQ3j4@4!j&r|p(bzV7eZT$VomUS09dhwdih;cqBAN%a}-1xd=H z)BJ8AU4s&h79ww^VphDGQAm|pFY43SI7iH&G+IyST%X2VvRieBB_>qgdlESxUzdsc zdrPhGQ~JDfZC1O230E!SV#cU9!CAw%O8jsblt;os@3ywCF&vq2J1(|?`IuMiuE@0r zojowg&I_Rj89fFVkt7o$_njbJtGWkBW5Uo~G70z%J+Mr(@?&sV$@xH1-9pp!S>e!V z*WxO@C%}+UtFJmZ^2g*!^+r+NN#1R=-`zUs_b;l+KJ~aR>5$N-R-{2XhR_4Hh1 zz^{HTnpC+ry2n2&CHBd=a~*t`k#o3`H?uC3w&6UGL^nO9N9#nK zc}qD~rEQeXz*YNXyf`#Sz>S-NL1QR3{*j_r=?LP^6TR?-U|{ zQ|ag}+EGx1-1|7VPS3Mf8toTHWrtLd1PCJyL}r*Qp}EF2?3~&2Q-pz)?;+#x*2?N7 zr``SA0h(AeR1Qa~Y=$PoxOt%qGkS?KhOytRedHV#`C6Q+Y;`dBZ;LEiufDHo<>Vxqo3FhJzf z9w_JA!xsC8bM}H;qL$ns{|N!3D(f@QNPu<$)dK9gKVasJ05I2<*HTGSVI@c(j6@_B z{|W{q=8*F3gO8pd*CwuyK*XrfL(w22b3Os(0#fJO+K(pd?;}R%PMZy2qG?fub81mK z`M5LEw&>yA@lq-mW({GY2c4+-fNg%?Xdc-oUg@>r>eV|`NL~s(m5(5T5)Xv=(E#P+ zAqKd5(`AO~DU&l5{$w%eCQrc(Cjyc7U)EG-MU`_Rfj<2fO|5D))^ zVy|hmYH(~KV%-@ z-6VlAu@6z;Tq)VQ~m<{n3;3{Ri)w+f=6e^@#Ee#BAMM zkp-k^8C(#cA!pRHk?8vgZnm7Z8a@x9@Zeegd4D2u@})Bp{oNPjyT14P7)!5&QE)8? zmj)KDv~Hu+vBp$v^7fq`PLfmR>S-sn#cGI!4S5x*IqEVZPt8~{%a7{XWVU-il2Zgl z_qo9DbC#V-!*BZw-%UXQW}vcXr+xiGfz)WiUBG>_gjy)!0~~Ro6d87t%MYzU2<7#x z0W$p_MkbAVeUvFaaj=3qINa+%Ob#c2V4i9)Z%o<(w7A``=Z&3KS)A~4J8wccekM1` z`-!YugI2#o{M=&)pn81V=y{tZCNIyKPfjH&Cr6-N{)UlLcsZzpwY_$H#SS3l5#<{k z#iV^~<}c08R94(D)QOx$YO?G#PdI+6hZ+gFAGa=l(*=9p+PLax)3N%Bl}w}FcU65* zei^zNH^KIFseJTdupvOH3((ZnrZ0IzZ+#PXMn+#;Wkjb*#Uwy&$NK z5J4CLe#|^9WI9xZM6v%Fxy7O(WlYz5kBqe*{mhL60tc5xG=9R~n*=xHA_W!%BJ_w(3i7{;Wj?im>?} zJ4G5=ioG&zf{@sY#Ojg=|*En?|qMM`E5v+#XROxWuI@PP&vz?Rllu;z!7e+4M_ zyK>Epi@Qu$0ooo;8Q#w5C@Lb+s^T0{AV7kZ>rv#OlhihZEfB1QxyUQ<(SJ+VYsX`- zoPANQ+CL#H?tM$J0di#}&8`Yw#*b|wGk#q1lE&qNXbIK3W*Wn~?V_7&e2%=QWGK(Y z3J`g0?+Uh61+X(1+K>Rt1O|+l@ZKbtA6gjdi%%m*Hx~Zt21(WeuWLh(F1`OQwd zd@4i&y}8<35r(t`o!1Qp)R;>|It`!Gb_(G|G&955&~O(>b$4RJV;6*Kv%xpW&y1@`NxH^Il77V~!N+^(<#kWb+o zu4ba8_e2vmlu(LOlTS9dxCJhfMOZ>AYs+4ulyg_bGw;>+3r!Uv9u07%cVx`Ynj!2o zC93AA;2OM+An!f=g%#Bybsk9{tD~EYezr^9ELeTeUS|LNEfZAiQQfxtz-1rU0;{2q z|2iaS+w6-$Y?&%ZBxJXNF=S`Y*F}-tBnO_2400%1+nb-8(^wRDkf!Y3iMwOpT>mjp zjI}xUBMzO8nImsDBD1+ybZY*rAEF3MpR!`J^Lqjz3I35PIc zk_&FcF^c9CVxtMe>#wYeuRwIw@5RaVta-_V>C~29g~>0qOdNe|1&XRb5mT!kzA(S% zzhM5Cp;=n{e`tP^&i#Hk3;7X&X57* zdu?k}==I23J3c0^P&4E(26V5(z7AmDd~KF0jU1z`JU@^6MNS?0>?Y^7LD~wm75T(g zly7oWP~mHUB$>|%Kr|1h_Kz_7bq25AV-Lk>u$adh=FlcTV97@mdv0%8y1uc^zp>&B zNp6HCgn`=UP1-En)Lvp*)u2_%s;zYBJHtdAB-k8TqRWCvT8}1Pie|P?fD?(K`rQpy z(&{HtoMB zg-&Eejy<$yA8y_jS`XPKIpXBabuHY8SSf$4x|uAIcB$-ax*g&vc%~8%@PwIAV&LU< zbJG)DJ;`~MGVv?8fF2=aY?-mxvf|@u0xn)Fj1%{wEWd(;RpA-+NqTe7>j9=FA#R$j zYQv2;mFeLd#0YQ3gz%G-Rkj@{t+OUlim?q;YOTJV+EVCIk}B8e3Zi3PCS?Ra2rlj% zJm=_Ye3QXD(cWf!Jd&B8tZywWftBvQTv42zM@m3S%E^6V%>=e)Uujce&ee(KoTG26 zHwZgxvKe7=h+2FgBsX~nYcF9(X>2{+1VJrHM)$gC4&QdE@Wc&A6_1cw?R_*22Wn5H z-(xq1Cn z*&B1tcX>RL3~_nQa<2?Z&|!M*xe3!?In{o7S#SnKd1$zul~ zI7r-e475pbE(qkoz6D4KQu`B4_k32c<;_f1*>Kb*2`E%gO-Ou)RMM z#ubj-q+cf3DBb$aa@C6U>=+HK<5l;MTf&9PAi}$3pjaq{4;JJd7O%CpElbVIM>Q8I z%&cYHu~S{H!m`WVQOnpUQh<0&NWyK|Xop&Na6YUooWgciu$Z$AS}A25STQJekdYGO zqng|81}3MUXmMj}WY+CnP)y|fP5a+#+z%zuJ&@XK12kt5F`G z$AK;V-0OX7@i9TdGzC=4I+gO+@$nH*?BHMse2IM_=dO13Oa@U7b4j=By@D}H7Tkp2 zjWwF6Yjy}z_T&w$M^whm%G!L5Cp`bl6+$DV^Lu29pA_ve!vGQUYnO5@eI zRU5^Kk~@8UMx)Us*6OAN!Y2e95KoOd3)^a!R+}}fjrmuhGp6XSCAj*w4BO0~uR~mk zjy-X0V8t&5eIDE9^5GmzrXvu%I9yJb-z0r@Uh3AmI)2x-mi2bi^M(0i{uT4T49#Nt zgZUxaYXwB^LWB?nFc7~LL5ke{qKRJi#O!55#(*0_+#b<_URqB4^(FQ8!P8-Pv^mDF zYKegCgH%WH7MhJ>TO4vJ!)^8hcUpT=r8LCC*`{y<2t8;w&=0Dsmy5U>BInETZu{cJ z0TPqY^LY=-nvnvJexp@efd~m#2TEAIhvFF>0NvdM5|C=+mD&AyI54>IS0tw-Zr>uO&!|QB?iz%Fq?9 zm;gIPJlU>EC_fU0K;9fgMody&lb8CS$7|f^C-~Ma5uxa1_wbPbq~0HCS?)fd{zK%( z@-~Vn*YhX1Ql`%$4*7VDi49`F&GBck_l(V@Im2)dF0i4)T*TaH%d1=R|Z*m z|J`2ANmuxs{5CH+hZcrBK7U{}#3Cb#=t`h<$g2&prSQi|u19y)dL?EXhBlXJ8!SDp z(I@b6zLKBekT@f37>YY8p+xk@k^vTD%sO(_QkOxAAE^13kYlQG71<}SOZQ-fw`{uC zH*=}?T@UkTXC9WVrhvl`vv;78%!Ws1R z*FIEdQ95Q`RAX>-fK*z%EIdW;cdtrUC_qc3J`b_)2gfUYdPmVi#^_D4)$I#R94DQS zg{`KIsnHuCI*QRm(d{=nFU(*RQ=O0_pN8;%sFZ>lOK0JI)aR(YZ%0~-@hySK2qKSG zJjG8+Q1C9mkTqHV)dZHwYYXapSZuM`W-Od&>iKCq%fx7!AYFKtA&7NT?9R??xNUo$ zRpJmS8wocU5}vbTHJ~l!@;Fegs64(!_#hMZP@o`t(U)$`ln10c06R1+j>_;kh>j`P zcO73ae(r;jKO;*!#3FBt2t8KMYjz^cH^P+fd?d>Z=R9VLTWrKFQr=?odp&QtVE9PD zB#svZ`Xy@2R%}j1?2#Qsn3{<|U5$Z<Na0q!Xx^WTh)C zn#3Vt=A47qOIzARhsZ85gUL=f0G%Y{7#cIDPfV>7-n)&amJ*msqv@X$6l^}R|u6eSJO-BRvL3W{yD0va}tFDQfHvDKC zqRt{TNi_2-(dtEe;b>68Ig$=3$N|?@s5fs=9mn~N>Io_{F1qQU^y=}@eeSO$KASUS zL&BucJ*C6^*a-z`;UUzltvB#-LFGF@be&CusQH&5Es$37?P*|3kHdHGlrDp0QEM&` z>n3jM-iNtdBsy*EcO(J4+KA=y$S_Y~q2r-1GQNH}+o{yQ!i5K55kU7Os))%FvEBh%=t5M8qI?i;SY$Zjmrn-4wUnU z4NV&{Qbf%tuxkQyi?K!1*jg)z9%7z-F|tHIde}gzLazrSKg8Zg)goT6y1~gmZopw? z-~&Vscm`<%5lFIN#g?oxIa}8o+qjIpTW-B~?OvE42RwAa3v69_S$}I;0ora@y$sFr z+Wdq0r?d!Et!jloUa2=qkR-E~QTH|y059lmP}dHjNqIx$4gEjL#oUUl!Y{P4eRwZE zHBBT;WVi~gjCI=a{G`>;#2^?pU>oLxc#QS7Iit!N?G=mpiR^LKZAld6piJ&FC@eG}`P2p85Ar8}?h7K6RY+R*Sgvrp$}WqR=O^ zupoAL?vBc-DNGKBrN4@FU zd;91J!ElHMFlROny?=OE6F&{KR6cX`@$mu3@(_b4Df?ySy@>p64~uf%*}^|)@S8T$ zaO|-g@Ah}5tq-Jv4~RJOD`9>1o?y;;qx&{O82p+4Hvu)m|xVT~W64ejwUquC0LD9ZM zJ?Q*v)Ia-Gzz;wmfiEv5p$cNswbcJ)qSK!M6Vz!SWJS zqvoG>s~te#Z2N%p=cs?rr-Wz75d0FgsOnEXCGZ$A%>vj(NpeLTAmC**2J)q-9mKkO zV;w`@vX%8E+g|QXN)kfST*xVl$g-$e1Cn@uRIWRScjN(m=uFrt=D<^0g`z~9T=63Pz6C$Oz zo&BJ3Y&#`HE_x4{nv+;cD;YaDBC+px)i9f42w}$Ye)z5-MQz%Sikz~M#)#+_jEMT* z78U_$NpA5!53fq8gt0j2v%`WV^^;HSOue;$)E=^*sTJCUf~G`h!Mpn?6i+c7wY|s$ z6C^bOlapIlF`~uyxXf+)HyQjpArTdWuOH;v57QC5uoMQKDbGQP%0@&jtFh z!XUHd4QDUdMS;lr#TJOXYciuI^Wvj;12SJq`SMULtavi+PB=j=Vk)5>1Ins<*=3@v z>*t-u6(qAP4={sClXA>f2a1uV0-PX6I8*y;EPW^LOt=-NPw72MxEh7f281k{33E}h ziNcW;gyGSj;ku@nb$Aj8yR+MFQj_o#rq%=ToLD^B1x6Bir-I3-fAE@^pXv>#Ef2{S zt4xI+pwt{O4*9drY;KSaxVSg%suLx?zS)=U6+eTK&lfh(Z!$49UQ2ycKve3gR4oEt$(ds)C_84+;g4Q;9R^;`Z`@ z+#pr0)kZ1gN}rg1n7h!{W4IRE**;Ewo(1=}RlV&EvKusHUXL^#JQic)C+yv&e~RqvKn+zc-YbkT(t`vvmT2yiQN6d>B$ZUNrdcZarorqXVT_n)bVas^7ypap zf}{8>FaI)cSABeoR$Iv2yXQ@S03+X(n^C(rWKKalf4}xSUHRUE8v{rOXM^312lk*2 z|9qDuDANo=*F$kCG=Y$Me6O#~Y4j`;5)&7~CTOD-VKFDz#cEbohZclV%;A3fX+rJW%2CfCk+{oxa}@iC$T zCqyd=-wX)Pv@L5rdEBYc((t_vCI=bjaQ5Vd+Rj+khsXpKjJv62xPVWTn+Z;lp2ot> zG+uFp;B++UzwU!DPY6}*u~kv@*?$dFB=DMRk|UYy`$*qB&@&+W89?>q|KR`eOlXke z9=zk!$-c%g=Q;rYIsLw4NZ{xyGxR59h(sL-pZTfvxT0HtPBQD_HKQK)B@(Ya^rz2Fe| zmpiCC;tQrjp^|H%P2Cx9l|%2|j_jv`N2zP3!;TVfwMW@IrbBEco9Q~yY48vEq;v3v zzA~tOlv?$wA@D{pV_c$;4#E!O7U)gAe{~MGRL-$@LW7|p8KjnM?}yQ}nU?h4xLM4j ztG3r&x}5onR$Koafz!8c?TX1kL*$$tB4`vREGTTJAnishcpknwirN|VDy$H#j)sEC zecc!4PyAQR|Kd|p{e$^!i;Uz+yEu|r8~1XYY+$bmI*Teu5h$RG#Az%HWB7%& zWF7W)xmUB*Y16Exq44Ry2f;F1QHC;_Xe7=+mWQo>mK2mi&2~^4EifvUC4&pwnu4De z;hr2ISL695x0bACVc&N%T5Ekha&DpnLV^gcp{ukmyA*u}l>6W$NfDjDjkl~n>ECK$ z5pVhtKL&&;QhDv^kUD8R2>*po={!bLkv}6;s@i7K)O<>= zirow?s#?$bI2oVGtvJwOc#1<~osKHvzj)sXH@vuxzX5-SX~mUA$1dzVbsGPf32Ahi z-a*0ki!*;`KirzApptdLZ2-3q!|qUT=|?(}a}CNuO^brl`0AB+ve*z|w43+6J~zkq zgxRD>iP^|_yGSbRDlSCmokj#P3>R{R8x_+TI`YestgG5Tgei(?Zv*w6P1yojVcxM4ExHiAch7F+BWc=*9$6E%Nix~@q*ld9)6#+$B^ zNdC?aeP*sv9J~-j=wKsqD&rqAK@Ai^@66-VLG??mgk{_)hB}+jQ1c*&hDO;-Xl+>1 zs!!To@uEGX=!6NcqMh7f93GPZUg%T*Wr&jGnFGZkn_g z%gi8S?j(bT4S2)vdCeyzA*_hrpD5_lD=_ATBesZoLiB3$+(E)D?`X~x%}=}6&k8N- z?6fP*9cJCmIbgyle&kiTgjwfdk>Sm*mg%y@O}+j=NfkK!fQF`me0d||YY<0wOM0MS zmlYab+WoU>nQwPXr{R+5Az42`aFEACcIK@jR{veGMGcbOkN?})OQ0TojKEyDsE(@(1O!DEu^ zh3tyUvYB6`i7HS!SKq{A;kLLYB8$CFLF_G_Ir~w?FV&1W)N^R5I9Yi}TDbVm41n#m z#zx)8iZuLo4e&s#X5oIGxjO0TV%RsLucUyu9M59_**$BYNwS!Gd|V6Y(Fs1Jt&SP% zO8xXWY@j0X6q>W8l3q4ZCrTDnJF3kovhm((lXbJ6j}T?^sdw75;7%`qeT`WaC+qWe zzzhLMuA7~fBmu=%+Bd<p5hg^0+MApF{QMKlu1~TmI!%@7B=%~P>i(A ziEk?SM-wWhx~1SZmRs}UI@pM>{CA70Y%gf5c7CPe!ZPbpAceBj^f(6}lTCR>27?LE zfPC;IXro6_^Hrk7h+Z$0-^^}<2%XBqkip2ZhYfLERc(oHmyo&h*Kf& zPZZ56aHVA!>IJv4Q-!#a@j;f4ofb&<2IuutShX-nc`POQ`XBUS=!HDHa7U8m@M=(c z>LgDNNdk*KJ{Qd>4bC5&;r_~66Z_>|jr(>XEzAf;gXFVY{C?0yBb&L=aj{a}+!|Cj z3gOnSmn?HWUTOtJZqmldZIU9O=uh4gaQ;oL1P-pkO?-^jiS>MeG5E&Vg90j!Ti5{N@;&E zzmx@()vuH&t>W|9ov%lJhP3Ll<9bUv4hWu$s>kICP5WhbimP!#&E)nvLa(G&nHQQ< z(=3m#KDQYYy$+Re4k*m}Ca9PAJ@Xi9fUBuw;WJ-=MS}a6Y^7_a6AbpeWnn${FZ4pC zr7aDlb)ceTxDc}5N-vp^hM4y!6o$y@fTI4+RZYcp!cyM$CG8=!dF zUukLi_ygCNnj;84C(3p8KG!2eR@r@fF#IftEf`1#fjRFzrQS8@Z3Alf0DKX)M9K@| zBe7od(IqwPd!v=DpY2`4l=Q{A@W!H&t?@5MtC@F}Nw~Q;Im5ZN1cqYIFaXQPdNtE5 zu){x-uo-gMb9EfBzLec(>+>NPj((R3`>Kxw{V6J1LVMYjb^YRLJoqSM$o`0blyS&m z69HGQRlECfXZ$L<`>b4?qoD5OV%5TgZ=?-kc0E|l4b@L!7{!$wp}tTluDjNuZDNXv zmaG=>wKm;QYQ^YR2W$!H49!udn$LMI%ZVD@%|0O*@fI883vv)(m)im>?GM-a zdKP+Vc1?K!DL{5kD%Tp-k3`-2M8 z?ovT+wO4VInP&7W#V@vDGcZJoI$&f9xY!4Br@^gM=^t3C_|ozE8n0w0b-r1cC4F*{ysy26qDmNQYquROm&7o;?-`o5_GwDWosP2U9f z-1y#!Xm$FYlywreY11=j{v)2j(RM?&b8Y!Y*1pcAeMXI~!E+Id51z6O+TNr%3#Nz8 z8Hda#W4bqvYuQiPfg2PuUp9Pr<;EJ9TAO-lCKcLjL*nj&D#CP-PJ^t-3+o#L|vfL*<$rLB? z{*OpiaOgQ*&j6Ds9iD5{N_}e>RCc~%O6VqIjpQh$ByNV!s|jT=`#F!J6~i>8nD2oJ zC=nxdKcH}Opj`kYmnJ9S^}CN>*w5`5hy8S#dmvfo^l#4MJ77L9FNO7Z+*X;G~p1qtsnz!@u( zOR=JaB0)XJyv*0^?A;;EYp&p4GWBPGB&AerEDtZlZDQ9Vr1cK)40TMbLE{<@ZwZqt zo;6~&gX*o_!Xw&S(E@*Q%=(+83+T5jw|gj-F%vJ$FI@Z2t3AJcN`LKHU`Y)zi1{~; z*!N@qu+?++-(8WLj*A+gb_<9d(K=G(n1=I&a_XqWJi;yHVOJ7^-7-&9m+T;&kP zta%ziZM+B_e%CFEO5K??N~Z7prQAO^w5G50UJ+jC+^0;2Xczht#||IRGm5=vZYZL_ z60szXrOp#&g^&|iyWdM{XX&|vCodAry0fE>YHdTZ%Q{zKK=hqo=ZOTW&3}@<;&Ora zSE7WYzZAW>rRF-LF<2$PLu5pWoW zAc$cEK}2#CQ2|Mc%Az1u!4%KhygR^u%>kd6kS9m zhyjrMe>LOiNZNhp?fcL9&-weD;@;`5s;|1byZZLbrCa?}l}^==aEbcTJNuPB7`I&T zD=o4|EAs~q|$aBcr1=YlhfT^d*YEY`2fmR%{4t6vOW9NuNn zP=&6CO&oe3l3lZ)PCYz4ZHM%&W4wq(&f*sO%~la{C#qy0M%zwY(Di6}puv=vtB+Yb z++X3ZR}iLladF||`E$zLdn|Dt`jLBGXZC`vQkKu|kFMcJPS_j#zMa z*{NTtkgzn|p>)~Vjjzou-zlYcTkAMyhQ;}H>4S>z*e^M??26>$pJPgv%DTTYJG&z5 z_Pc;NbA$RUOs(jfwDxX^mfauzQo$VT+jQ-!CsHwlm(q@yq-SJJ>$=nx#L~$ z%k|uHRN?CKkI5GG4Y7;Eo2?9z!ZKs~h4=^GWVu}9JU7yc)7QqAZKETcS~QB@{}|MJ zQ$}v-?iG%uhb%0!+~ZHAo^PJ0vZrtNo{I|aKGtCy&5jLx&A#MU=`}rO^Zdlr!_QYM zJZaLF{yo1bF2L#7xPAw^`&vi&X6tsHrkADtIq{8~zxyZKeScP$dq&r(mYpqkITiLe z!PO#pn|aBc{eKun&UKHO9X9NBB`e1+NGC-nch!iDnM(2_XGd@^YxucO%byr`sIXAY zE!;?KUr?^MT&R@#m9!qx&Ijt&1xXyzHA|}*=Q1I}WZD#y3%g`4D<}2UzpEaxIbe&! zGsA~c=L$ynhKxAbbA?iQ*s$`M$4dj>q?e?obv|P#f28C!dtK=48R9WMGrR0IvTM!~D_m%QufOF2cG@n_ z``H!4;~rm|ZL3f+v|3>xH+O?Wws*jQ!&my8Uc)YNN%lO-d6_bRlX%0UF75sAVfvvy zHTfAQciyRf>8ausesR;YfvbDZ^j|q{nX*UV^nA04Ntv%#s4XdXyX01#zhT5rP6Jjv zSULKR$wR{##ohMwwF-KcSeAJH&&p|A9Um-Q>ERf5glt9k#X0xnes#F@DC6~j zaT6Mob5^{loI2}irMInRdglH*N0t&>{q*W{v#JZmC2211y|Gt#JkMudz@qe&6Codz z>xZf-j*0b3m#-~%IU1OjFQuJ&=e%YP`_3)7t!o0_Jns={m|jz|z$DNvJ3MXM#cLPj zj%PEhUn*S&#P+XI_x@q9bwHzuE=B$ci2O?>1l0OhC5icEVd8jCDeCKgLHme5e3UbN z)t-!JxrMf_zot8!V4dz^lOgFAANM@c^CqwC+1raLHthPd8UX=HSIqSwpp++-mSND4F_UhFHwz zWxsJ!%t!0qHN1R6H)!VNV?j~B$QDU%eRux&0_R7o6#IlwUg5zf9CL|Zi>AxZ`d$* z+uAwDbB&foJXcpU=LJvoNlEUS@Zjk!H7OrY9i7LM6raASvP_-xw1IQu{N(tY@TqTu zr(NHYI%#cAux(=a;d1f7tlid&5>}d}ADcGbsiai#VT1P1ZwC82D$6h4GjalZ!x1BI z{R#H3DiYsUMQyB*mRgePUM)Lx()*y>X9WgsF5BAQGv$Qdn0b!5x1z^b`WZ!a3o_zK zsmxGP9=URpWq1Ej-_Sk@Y!&yhj`Ox%@jUoPiL;-^#i46rGTl-b)Xw+e{_3TN{ShFkXOOWiIi`DgUsY5$OOKh`MhivFaX6K@A8_P$l>w!nSPl#L!* zKZPC(lJ3oR>bA5*&1Q4nTIIBaX_t9@GA26&ehUHO^|HM)(x7lTo-v-;!O$pC8 zNWNT{Z7D5bH)}7?G3$K%75}wbJ3S%~UJX%eP-#AReaGgbtcNlojX4hrF=W zutpWVi0?aJs`i7|=?`A&uir{!m_AA^o7LiXtZ3{L@nEJNOCRe}0gkcc||FA9(g(JuZa?)22Kz76aFfug%b_$j>OPY0e5DVKF)YsRyw0uUYsdv;nSy2O-)T7KYsl1 z;eB0Q9d@j!si}GW`t_?@TT3U*J^baP%`CWqq=XX(^Sl#AY zP4XY3E$OiHGAr!nRHcn&ev8Ehu`@WHny0*3%bnc1C@<03n*2hIE4wPKWKUjY!ss=b z-Bh>_YxgIi7-TElYN{XwGw%b3* znq@)bBXg4kD-iV|YCS$!?q$*Z037{Sp^#`o@x<$UZFqS#cEcHZ4G;Md!_RlW6rf1vHVTg^b-i1)ULT6NW8MA= zRcv|}Lqe@$w~I=f*Y4|J;+gA#W9zUBIsWj3uPF+T(HqXw($f-t(6I~h3ikF7@*U3e zUE&|2&GYt|8;FzZdPzKfql4^vEyEqJb>{@zeQk`_Fd@isPw7Cbs}k7qM} z63-9^>Y3=98JdaY8R?qnV*4{g^Y8NXg?SU&-EDeIa2TvKFgMgSFde3AYOZU@KYB38 z$7`W~aL{nxI3J%79qT~`%c0JpuOODKa7KE9$tPvI&}75XmH?g-rqY4C{l-7w9Tng`~wED5tHMh zpf9IR84SnnOvc84XUZ`1z--}VHrM?B{F|aC#)1uJ>69sP7LP|)9xI!}VrgIqa&V>3 ze%M;@8tyTP;}eTz1)_XPG05*EiJ=VAtnQ$mAUfFUpCr;rx(S1@L=$zr9w1qe5~%Ng ziAXnL5Ej3?<0{rw$4-iq_Toow*2i1iy$ti;Ala-B_hgbEtP+<|R0XEO7aPQSI0SZ= z-_>+=%u$B%KFu)xXBo!x6vJSXxqpO67wPnYZo-huXt*ZMR!{>z7t{rIMUO3HnE7WI z#_0$)-^*i|;RhLJ*w3H?|2dgM59uV`^I(f3us9ojPX@L!`GC8pTq?<5&PN02veyRXA^|794 z>*hJ|i%AxAr!kDuCWetoWEkm{?Grm5I2#3g#7j6b3GMTe4k{xa(oGn%;RnL}f-gyZ zZR#(u5A~H#hHq9gOfO&<;PZUgB}&dYf-e$!N9K_%7&Gs_O+_@3jW}YZ<1ZuB|@Gv4ibYF1_jtKkoaWMLJ4U#^*=t5ys@) zw)n2VAGnTTq~aKc4L`AQ-x0ojj-Xr`ekB`-R|P$}qeNxIBL#fIaBHXjQ_v;@VH@$V zab=@Nc8I@UP`(tSFXf8hUIingqeNw-PYSjY#0AheLvLAwKc;!#L|GQ5o@Y zPk3)9A=8AXiYjh|OlwWu$s6X-cLp1CtQ5o@&Zo=?8+ZNvo zHfiog1Om3~cJS|DnACd=^Xany<9f9~d+94+fse|`_f0K=dpXpxutE?6i1+1t0YBwY z8S#^D!tg6;i|>s*&1~?1j|+ZT*vTilN8VTZQs#X|pr8H*Ul8zezTglRpG5SKPSQ;n z0TLj{+0?z2R%ie6%xS1m7Og@kJ-; zC5(BOk+=8z`0H~CZF2zmkmnO-7K;33i2NfEsEJyy%2--uE5t&vDjO+`{N!mpM2G4R z0{cqPLliSflyo&hS10RAtb(zdY>ZG>Ctuzg(fZ+)<@YN*J| zS1nDVsQkw`XSdj)lLTwp9xOYSl&8)HLOrtg`&CQ4Jb%^l<-au0cJKi8Nzr77wvmND zFINe2-(gM~i8i9Vul|PL$^Y|8+qTVIbp-ZTjFy>uvi|=!lVKnls)nH2z<^b~NYRFNZ zBGm_eRR_NzWdE9PwE8z;)1_55w=htT?r!)vaQFaH*8WzACiH8L`fcX=uLK@ zesq<`n3u!#GTL14Bho>-Nat|q4tc~dGZ1TJx4c>hY+Bum0l%m6FHGrljNJwB zLooa^7kr+eIh_#AH)e?ZxA0G|M6Ktpt|etFSy;71ecesAGi|~$4wWSRh@Vd3pL}CP zJ_~aHSN@6tSAxDLqOXN`AmR5!R`d-`tHfEui~+p>G5;o!49PyTL}YP54>v_bGeI;Z z8if&PiJmVcQ$!?TnH}XrhGYrTcn3zwYKAfY7sHIeJrS+16%qx+!M)MeZ)Nh3G1~sk zUQIkvT4Kf%O*1k2dqIv?y&9>aC0I{ml&hwHlh=Z*J!}?Do`^8~l_lhd09!PLAVR5$ z;On4n_Nb3&@;c5iM=(l`g0%27BAONy!zRoYRCgi+LW8PEDHmJLD4#V(J7d2c}(6%@Y7`2KH{c8UJ3XP_uykheKpw4%f&r- zRe(=VG~@#V$XFD^=cwaY*ys(}5wL^s`)ygS4BHuW*X%tD_rg+2|~GX%C+Tws`m z$;s*pU!KOGCFm0AYD3A0;-EJ90$!4_Y!wdv?T-}U9T4F=Sy8OwuPDCzm5dLAXZs#E z>DhkhBzm^T|9ubi}O>i0KLP5G!JzM}G9%xJ!#=&-&wP@}$~{tt{|S8xCT literal 0 HcmV?d00001 diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.bro new file mode 100644 index 0000000000..eb05cdcf5a --- /dev/null +++ b/testing/btest/core/erspan.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -b -r $TRACES/erspan.trace %INPUT +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels From d32e4b25f1d0cea8504dba55c7d321bc29cf18ef Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 3 Feb 2017 12:34:39 -0800 Subject: [PATCH 140/288] Small change to avoid potentially over reading memory. --- src/Sessions.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index ad82f1c736..4ca5235a2c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -508,8 +508,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr uint16 flags_ver = ntohs(*((uint16*)(data + 0))); uint16 proto_typ = ntohs(*((uint16*)(data + 2))); int gre_version = flags_ver & 0x0007; + // If a carried packet has ethernet, this will help skip it. unsigned int eth_len = 0; + unsigned int gre_len = gre_header_len(flags_ver); + unsigned int ppp_len = gre_version == 1 ? 1 : 0; if ( gre_version != 0 && gre_version != 1 ) { @@ -520,11 +523,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 0 ) { - if ( proto_typ == 0x6558 ) + if ( proto_typ == 0x6558 && len > gre_len + 14 ) { // transparent ethernet bridging eth_len = 14; - proto_typ = ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12))); + proto_typ = ntohs(*((uint16*)(data + gre_len + 12))); } if ( proto_typ == 0x0800 ) @@ -567,9 +570,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } - unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 1 : 0; - if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len ) { Weird("truncated_GRE", ip_hdr, encapsulation); From 8863fd4242cc6d7e3ac4e1cc35dbc18eaf416168 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Feb 2017 12:38:14 -0800 Subject: [PATCH 141/288] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 32e582514a..9d5c7bcac9 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d +Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f From 647eb9703f1c27a1fa43baccd83d8b53ca273980 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 3 Feb 2017 14:10:11 -0800 Subject: [PATCH 142/288] Change snaplens of a few more tests. Recent pcap versions do not like the huge snaplens that the header in these files uses. --- .../btest/Traces/dnp3/dnp3_udp_en_spon.pcap | Bin 326 -> 326 bytes testing/btest/Traces/dnp3/dnp3_udp_read.pcap | Bin 5800 -> 5800 bytes .../Traces/dnp3/dnp3_udp_select_operate.pcap | Bin 1427 -> 1427 bytes testing/btest/Traces/dnp3/dnp3_udp_write.pcap | Bin 179 -> 179 bytes testing/btest/Traces/dns-huge-ttl.pcap | Bin 993 -> 993 bytes 5 files changed, 0 insertions(+), 0 deletions(-) diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap index 79881f62e734c6714ea1a20d36ce60e3cd7f3941..f9e6078f5175af93eda370017e1e3f036df13a81 100755 GIT binary patch delta 29 ecmX@cbc{*l%Hd55nHX3YVBr6M28N9yMvMT0c?XLC delta 29 bcmX@cbc{*l%Hd55nHX3YkO1RG5hF$bbBzU# diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap index 7bc9d4add2dd73d0eb883d0dd37cbc26e07b9791..f089d12f51e72b42cde927c00840df26f1f39a5b 100755 GIT binary patch delta 29 ecmZ3XyFypw%Hd55nHX3YVBr6M28N9yQ^Wv;)Ce2^ delta 29 bcmZ3XyFypw%Hd55nHX3YkO1RGktt#TcIXBl diff --git a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap index 384b5137d68d864024cf9b223cb9ae54bc0d1eec..70b0e2cde4da68f06974bc23c1d677c26694984f 100755 GIT binary patch delta 29 ecmbQtJ(*kN%Hd55nHX3YVBr6M28N9y^{fDS)dz?G delta 29 bcmbQtJ(*kN%Hd55nHX3YkO1RGk$P4DYUu@w diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap index a2dd31b3b721409e32b617bb2b43ef8609ec5ca3..dc9125f691acc43db7588f15e82f250dfefa234a 100755 GIT binary patch delta 28 dcmdnYxS3Jp%Hd55nHX3YVBr6M28M|u^8t3n2d@AC delta 28 acmdnYxS3Jp%Hd55nHX3YkO1REk@)~=)&;Tv diff --git a/testing/btest/Traces/dns-huge-ttl.pcap b/testing/btest/Traces/dns-huge-ttl.pcap index 27849b904b047d24923e3fa480b8c75e72f22f05..5e9afdaf96a0a052c16e14d3c85367e70b21ea94 100644 GIT binary patch delta 29 ecmaFJ{*Ybd%Hd55nHX3YVBr6M28N9yXPE(trwC{O delta 29 bcmaFJ{*Ybd%Hd55nHX3YkO1RGk+aMId%Ff} From 7beac6e40457a82c26b204545a32385bfaf63125 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Feb 2017 16:41:32 -0800 Subject: [PATCH 143/288] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/plugins | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/binpac b/aux/binpac index a0990e61ad..0f1ecfa972 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 +Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd diff --git a/aux/bro-aux b/aux/bro-aux index 7660b5f4c5..b1e75f6a21 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 +Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 diff --git a/aux/broccoli b/aux/broccoli index 765eab50f7..ed52e3414b 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 +Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 diff --git a/aux/broctl b/aux/broctl index f6d451520e..73dbc79ac2 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 +Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 diff --git a/aux/broker b/aux/broker index 68a36ed814..23def70c44 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da +Subproject commit 23def70c44128d19138029615dd154359286e111 diff --git a/aux/plugins b/aux/plugins index 0a2f021527..2322840bcd 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 +Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb From 1de6cfc2e335ab965e65ea8955336e1afdcede90 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 4 Feb 2017 16:47:07 -0800 Subject: [PATCH 144/288] Fix memory leak in file analyzer. This undoes the changes applied in merge 9db27a6d60dbc0bdc77cb64d4f770489455043cd and goes back to the state in the branch as of the merge 5ab3b86. Getting rid of the additional layer of removing analyzers and just keeping them in the set introduced subtle differences in behavior since a few calls were still passed along. Skipping all of these with SetSkip introduced yet other subtle behavioral differences. --- src/file_analysis/AnalyzerSet.cc | 5 +++-- src/file_analysis/File.cc | 8 ++++++++ src/file_analysis/File.h | 6 ++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 5b7bdd875c..35968c9a02 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -129,11 +129,12 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str()); + a->Done(); // We don't delete the analyzer object right here because the remove // operation may execute at a time when it can still be accessed. - // Instead we let disable it; it will be deleted together with the AnalyzerSet. - a->SetSkip(true); + // Instead we let the file know to delete the analyzer later. + file->DoneWithAnalyzer(a); return true; } diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index ff65eb0c32..46e67f7cd8 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -107,6 +107,9 @@ File::~File() DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); delete file_reassembler; + + for ( auto a : done_analyzers ) + delete a; } void File::UpdateLastActivityTime() @@ -494,6 +497,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) EndOfFile(); } +void File::DoneWithAnalyzer(Analyzer* analyzer) + { + done_analyzers.push_back(analyzer); + } + void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 6ad90e986b..c799907a8f 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -119,6 +119,11 @@ public: */ bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args); + /** + * Signal that this analyzer can be deleted once it's safe to do so. + */ + void DoneWithAnalyzer(Analyzer* analyzer); + /** * Pass in non-sequential data and deliver to attached analyzers. * @param data pointer to start of a chunk of file data. @@ -287,6 +292,7 @@ protected: bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ AnalyzerSet analyzers; /**< A set of attached file analyzers. */ + std::list done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */ struct BOF_Buffer { BOF_Buffer() : full(false), size(0) {} From c857f5c4dd2195c80b8bb2f6f20db184e499da2e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Feb 2017 23:30:54 -0600 Subject: [PATCH 145/288] BIT-1785: fix scripts able to access uninitialized variables. --- src/Frame.cc | 9 +++++++ src/Frame.h | 1 + src/Func.cc | 1 + .../language.uninitialized-local2/out | 2 ++ .../btest/language/uninitialized-local2.bro | 25 +++++++++++++++++++ 5 files changed, 38 insertions(+) create mode 100644 testing/btest/Baseline/language.uninitialized-local2/out create mode 100644 testing/btest/language/uninitialized-local2.bro diff --git a/src/Frame.cc b/src/Frame.cc index e97b948dbe..f30312aaec 100644 --- a/src/Frame.cc +++ b/src/Frame.cc @@ -33,6 +33,15 @@ Frame::~Frame() Release(); } +void Frame::Reset(int startIdx) + { + for ( int i = startIdx; i < size; ++i ) + { + Unref(frame[i]); + frame[i] = 0; + } + } + void Frame::Release() { for ( int i = 0; i < size; ++i ) diff --git a/src/Frame.h b/src/Frame.h index 85e1dbec2e..0c22fa0e4e 100644 --- a/src/Frame.h +++ b/src/Frame.h @@ -24,6 +24,7 @@ public: frame[n] = v; } + void Reset(int startIdx); void Release(); void Describe(ODesc* d) const; diff --git a/src/Func.cc b/src/Func.cc index ccb2570f70..88da9a7a04 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -397,6 +397,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const bodies[i].stmts->GetLocationInfo()); Unref(result); + f->Reset(args->length()); try { diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out new file mode 100644 index 0000000000..75d09294e6 --- /dev/null +++ b/testing/btest/Baseline/language.uninitialized-local2/out @@ -0,0 +1,2 @@ +error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b) +var_a is, baz diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.bro new file mode 100644 index 0000000000..f11a5fda10 --- /dev/null +++ b/testing/btest/language/uninitialized-local2.bro @@ -0,0 +1,25 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event test() + { + local var_a: string = "foo"; + } + +event test() + { + if ( F ) + { + local var_b: string = "bar"; + } + + local var_a: string = "baz"; + + print "var_a is", var_a; + print "var_b is", var_b; + } + +event bro_init() + { + event test(); + } From a51ee9e1555381e252ea4c26066c67ce93b3ad4b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 10:43:45 -0800 Subject: [PATCH 146/288] Pull signed_certificate_timestamp into a separate pac file. That allows us to use the same code to parse the signed certificate timestamp X.509 extension in the X.509 file analyzer. --- .../protocol/ssl/tls-handshake-protocol.pac | 19 +-------------- ...handshake-signed_certificate_timestamp.pac | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 65da41e0db..1f3d418717 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -491,24 +491,7 @@ type SSLExtension(rec: HandshakeRecord) = record { }; } &length=data_len+4 &exportsourcedata; -type SignedCertificateTimestampList(rec: HandshakeRecord) = record { - length: uint16; - SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); -} &length=length+2; - -type SignedCertificateTimestamp(rec: HandshakeRecord) = record { - # before - framing - length: uint16; - # from here: SignedCertificateTimestamp - version: uint8; - logid: bytestring &length=32; - timestamp: uint64; - extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them - extensions: bytestring &length=extensions_length; - digitally_signed_algorithms: SignatureAndHashAlgorithm; - digitally_signed_signature_length: uint16; - digitally_signed_signature: bytestring &length=digitally_signed_signature_length; -} &length=length+2; +%include tls-handshake-signed_certificate_timestamp.pac type ServerNameHostName() = record { length: uint16; diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac new file mode 100644 index 0000000000..ad9b9d5651 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac @@ -0,0 +1,23 @@ +# We keep this extension separate, because it also can be included in X.509 certificates. +# If included there, it uses the exact same syntax and we just symlink it from the X.509 +# file analyzer tree. + +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + From 5dd19f84a71ca37ebcaa9fbd3b4e6571c95fa329 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 13:31:21 -0800 Subject: [PATCH 147/288] Add parsing of signed certificate timestamps out of X.509 certs. This is a tiny bit evil because it uses parts of the SSL protocol analyzer in the X.509 certificate parser. Which is the fault of the protocol, which replicates the functionality. --- src/analyzer/protocol/ssl/CMakeLists.txt | 1 + .../protocol/ssl/tls-handshake-protocol.pac | 5 -- ...handshake-signed_certificate_timestamp.pac | 5 ++ .../analyzer/x509/CMakeLists.txt | 1 + src/file_analysis/analyzer/x509/X509.cc | 47 +++++++++++++++ src/file_analysis/analyzer/x509/X509.h | 1 + src/file_analysis/analyzer/x509/events.bif | 19 ++++++ .../analyzer/x509/x509-extension.pac | 54 ++++++++++++++++++ .../x509-signed_certificate_timestamp.pac | 1 + .../.stdout | 4 ++ .../Traces/tls/certificate-with-sct.pcap | Bin 0 -> 7584 bytes .../x509/signed_certificate_timestamp.test | 7 +++ 12 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/x509-extension.pac create mode 120000 src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/certificate-with-sct.pcap create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 0f45aa1f32..14e41892c8 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz proc-client-hello.pac proc-server-hello.pac proc-certificate.pac + tls-handshake-signed_certificate_timestamp.pac ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 1f3d418717..911ad96bd7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -554,11 +554,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of { default -> other : bytestring &restofdata &transient; }; -type SignatureAndHashAlgorithm() = record { - HashAlgorithm: uint8; - SignatureAlgorithm: uint8; -} - type SignatureAlgorithm(rec: HandshakeRecord) = record { length: uint16; supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0); diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac index ad9b9d5651..f921db0790 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac @@ -2,6 +2,11 @@ # If included there, it uses the exact same syntax and we just symlink it from the X.509 # file analyzer tree. +type SignatureAndHashAlgorithm() = record { + HashAlgorithm: uint8; + SignatureAlgorithm: uint8; +} + type SignedCertificateTimestampList(rec: HandshakeRecord) = record { length: uint16; SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..9a2d936c57 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -7,4 +7,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro X509) bro_plugin_cc(X509.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..e85bc5615d 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -4,6 +4,7 @@ #include "X509.h" #include "Event.h" +#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" @@ -298,6 +299,52 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + ParseSignedCertificateTimestamps(ex); + } + +void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. + + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; } void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..ca024ecf64 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -58,6 +58,7 @@ private: void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); + void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..8b2e2aa525 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -55,3 +55,22 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## x509_parse x509_verify ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); + +## Generated for the signed_certificate_timestamp X509 extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## f: The file. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the timestamp of the sct +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac new file mode 100644 index 0000000000..56ca27d909 --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -0,0 +1,54 @@ +# Binpac analyzer for X.509 extensions +# we just use it for the SignedCertificateTimestamp at the moment + +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "file_analysis/File.h" +#include "events.bif.h" +%} + +analyzer X509Extension withcontext { + connection: MockConnection; + flow: SignedCertTimestampExt; +}; + +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = SignedCertTimestampExt; + downflow = SignedCertTimestampExt; +}; + +%include x509-signed_certificate_timestamp.pac + +# The base record +type HandshakeRecord() = record { + signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient; +} &byteorder = bigendian; + +flow SignedCertTimestampExt { + flowunit = HandshakeRecord withcontext(connection, this); +}; + +refine connection MockConnection += { + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + bro_analyzer()->GetFile()->GetVal()->Ref(), + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + digitally_signed_algorithms->HashAlgorithm(), + digitally_signed_algorithms->SignatureAlgorithm(), + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} +}; + +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac new file mode 120000 index 0000000000..88305ed8fd --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac @@ -0,0 +1 @@ +../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..4b81b287a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -0,0 +1,4 @@ +0, 1474927230.876, 4, 3 +0, 1474927232.863, 4, 3 +0, 1474927232.112, 4, 3 +0, 1474927232.304, 4, 3 diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0b6c1b166e608e97f24de3a487a37ff3abe69499 GIT binary patch literal 7584 zcmbVR30O?+`+m>NG^J(Q7cCmJNy}+pXw@R6P|+go%V?WwDk^EyLP?8CXps_92t~=X z5UE5vLW*b+LTUY^1NI0F06E=l~+I0|^oPWUB9J)X)K405o0gG=V05YM5GxcXt~;=l&`IstCHG{|G(# za?RY_kU0Pt9L+Tdi=}}eI(j{k*m(394zqyXDar`8Aaisq;4avhN8gAT0CITpb`%-4 z09Cw7Xzb$YMJ%-B?C>ED1uUTBFm&`g9Naijbi@)K^_x?S5ojZ*==j5L`8A@b-&(TE z{BA+eUx%@iuXCkQ=XL?KN50i|C6Zv4giX%FjayoMiruRQ0YNF z$OE|`8@PkLfCSut3Qz`0KoP`(7!VB(QDv!8RB@^Zm6=KdP6IWd0HUbU)b&(R>RKv0 zbp<#J&VU?{1zeHvY5;X02V{W^fI%iW0Wv^3a$|MCCZJ7~p-NKMQH7}lDh`|i8-X-P z16qKV%1WiBGEy;s2H>b{R64)~*Z~V*qB2pjfF8_Ykob5ZA>u@S1}uSrfl?kM5Bor8 z4~mqRGX*dJ92P(r3AvAu68A{Q15^e{+5VzE(bPl)@K zYtqZNt5?qEwDqny`o#g-ojG(lq2#{Xk+d>El?F&WkiR)3L%`3Fp&>yp7lC4{X8>%q zfQ<_9=imr@9vne)BxgP(EXvjX^7IpDTGr%AwD=FTe1n5CaW>&1D$i z6?m*U4$qF+WGurA^Pm%YcGg|qrX*J{;wCMk5y_K8adwgshsDriSoYPwj_LV2I}=S! zjfk6^eJLatlA}GvnW!%dui|EsQG``w6=h{)U^!(gWUBJp6c+l;thuQSC(J$%&B*wB zcEAzPn&16}XaF_>Vg|_X^q2?;0vG)TDq|Up@6Rcy6y?h?c6m+@e82hVFm1pAC-qZ9 zGx{QF+&=s4o$9EHR*xE~pAzbswVAzJgRMKWp3qO!$C@eQp3>}9e}C>ajnZZYl>uG? zCE3a9U_s}gzD>z)m0IsFO_SQ#$15-4=)JwInVL2oeXe?_=4MB2Up}QMwN1>pvY1S` zVxoWF#y`4>Ldc(nw-%Y(c6V*PCF)aS+PW`g1T(WPlN+kH1$PR*|vi zi@V6Ti`VGk3%wm&m)ZpLE1fRZ>XXl~mQ9YjrZ~03M@V$o2)M_D8hToZeeQun!E>ML z7CD!lcSTFmlfSwoxXSAKqVlR_x0hYu{mLJ-ae_J-vb=P(p4=0>5ARi&l9 z9sS5MQi0xnNLEQXdV5Mc+AB)?Ir|1U`^reWAZY|E{al5KUjJj2J;{FgBB>vXq|ilD zj?TWY8tR`QP7#)eWpm&hsc4BGs~vqk{FX15{IOheVY#md%#AK*#j(JIh^6Ugf*v5^ zHp6-_9Uku*&In;3SQXEJ1QQ2EoZJpU74L(9s4l|cSS(`$an?40REt7NML;slSu*bNcg32H*%=d(bG`-?$`u1*1Dz}!&Qw4 zf9!ILJa`I`ON2UL9Sl)@vtIZ&zDFEs2ibL3**-CA5{k^2+zj@33H8?77&PRnHF-$|3y$fh(jjI)7~U@PZ??PDt4$KT*qh~&#~f;V z*|#ea)CI={70x_dFdJk0%j{}DSIzz6PV7ReeU;-^Ge0@SXf}#7MDovlo~{&i;4{Jy z4Zd}|R0Ezh6Oc2rc71yDo3_69)tg64)eq!4sZJ<0f&k$5En`B^DWXa>{=-c%0i$W3 z?KZ9{Z90$XU5hGAOs47<%tj$HiCnEdtcxM~5-qB;PJB(AQ|x@Fl0s{7XVXc!kh|wa zV_i16e+#X>fmsdWb~V%3`gN)4KcjK>+#D5}MKX$@Ci)GH~DdUY7R-HWBVKJ!e_4dk9{%i!y)Mzcc^%JoA?=W&Tx%7quj* z4Z%c;okcCd5E)B^I+S|+2hzEgyU zCRVxO5_?qZC1tg#RpllVS9}6)`fbe({hbvN7DreS0xeIU^o)LT$%wMmP^UO0Tlg1+ z8Z=ON_-7Qj_Zq%WVK^*tIL}*BXlqz_O*Ea1;&{s#iTgoi-{Gwx*!|YyaV2{q^`_tC z)=G{D#+QbNkxCRqeaR{=vw;I#Y~_L!S(TNkqa)#?#reT6tGcW7jyB)*k(%ysvZuZ1 z%xTNjHB;1tjW#=GraQC~T#Yb$9);PEX0XBgl}y-sTY48i1JV4mylMLCw2p1+(zBIW zTfXo$tFB>+o0@5OckRg7^(moxxosrnR_Oq|{y3er=N^ z(Y#^33Y!dtX<5|%H|_f+bR=&tqLx3!&D)nm*-!L#Auh<`y!Oc>vZoBg3d#zo_Q|UJ zHvQks{@YKAfi+uOv=wyTS7aB_?G4siz?Pkb{f)D^vy|8Tw1 zh-K{#Ba;{Mr#_cGp0s%Q#v#jGZ+F?<1Z5$G(R7IrXBMW>>~y;JH>GSr$vv~N%!y}9 zZr|-t9M|G|XW0`yr*LPa|8Y)=*Y?5_4`23F`NY;fz2e*$e7w#jvC0^K@T6(H`^M&U zkqAL<_?E`~7mWKg1FWKxo)^saQhz{}M|!R0`NpZKZ?p$Olr^!tjFZtb;{i;heQO ztD^<~S$1Tk5G{gz7o`HxNf+1&7G0bpI?4BA@n3XO23GlbA|_h$$BBPRql~NUGIc}5 zalQ(e*Y>|k_wU-?>+*>3_*1E28J@^78^hNAZFWi>)?W}oO;{b?h-X@qK0H!xL;pYV zTUvNxBajfLS-nh4;&wY`BYjPlGYpGmc+X$v=kc^~GPS2iU4Fe(Sc=DFfom&YP=r=< z)||%Z)yTbB)3P%QI*3as z`=f}bT>iC-n3&g+8%woBNOn<6T=JG`$r&EuyykC$c0HUgh@57$ z(`uOY4IU16a>z`SDG3%2Oo- z-seW3HxiB9mW00-JTZAvWJH4CTJG^iBE!=*NUSz$BbI6WHMTdk#zJ&rYq+KKrx5!G zyKHVhKNZ&E^fDx7-=VjuN61HL^!x7z1H2v5QtgH#a5@XJLc6l&5d40F;&L@P@LNk` zU?hW<-SeFklPSgCm$J#*lW0V7l9E9SM&x$}_BE!?j{d&RL>-bViDK`uq=Q0RFOrw5 z48kqw$yj#cPmq7mA5?W&YxYeaT~S_msI&2Sx*?@2EA%7iC&U#Si0SaMoRDP}jx{~YRLaao z$Hjp45#>MF`|Qb#t6Lq74L!kz+}V|$Q)#M|nUwG)OVK4LbZ7N3+qYNTh>B<9g(M{O z87u=_;OkW{MiM7Zw^l&#+s|W!R}#r#V~4(r9lmBJl{qpVFwN=4HMGTJNQy17?a?e_ z{cZt< zy{oNAV`EbSWR>G%=e!ES<8ou~Zt!Wy+wmc?VkRf>OTYJk_A}2dCl1SRuH=5+A4a$4 z#%CF-22On_o4CKD9Pi|Wk?B0&v|}ntm$U+iKQ}*8hu1TtZV^~vts*va{$exuF16WE zF_5Ff-VWn=`%(U8~>e3>ri-rG`QOw_!cwVsnsz<*ImNCO9?^#Xjd~Q+<+#v6^sYR>! zGfZ04Nt6L7;ESu*k9R9(j%%mOa`|5Uo z$Tk!B(D!K%{J@}BR+Ryi#?2>!)9}Wk&Q$?C9HuM+pRx>`B{Q`!0FT7N1n0yHb0r8f-B!^oQHvZo*0XMf4@bdzli2V92B37F^FU}Pl%^qF66{b+zvYghij)G&ky)Hd|3+2D z6+1OmuYaj=W4!)-N7IMX6B*O{1}yXw`TZsUUu1E*-Mv4Fsa6s zjzRZ_S}pk%o}{cIJ4YOR_Gs$<2{yZ09dFez!_KPJ7dV2P9`-10(zTYA(*4+NDd^7g zG333u;!1nl>jyq1+>Y({H_Ye}z1$zABW@qHizb3q@PdNH7?Dt7IXY?X>&qn4a?;eG zs98zM*?#WZFyG*}PX(=yuLoBtd|6XnnE>5(+Y`woJ>2oskx}%qnR7^e)63OEvsrZ zyOHdQa?g{^=l61Hgbw0AA$x+*Rz?6BU;(!lu0ZvrbK7P4SxXG@qtC2In#l8;?^hpq zX7ak8z9)sDtRS8@NlSG`?R?htoLk1141C-D?KlSg+U+%^V6%JURcT1U3#?YQVN%`8 zqE^xC%{)`CXXLfZ)5KQYzJ2ayIm?OeE$;pzn4)s=_~BFRA2*%d5Xdk&WnJC-&DZ&Q zBV0$-afzKyjUB>MdLg>aPkIZ4WhScg za=Pp#g}MbaSTu6ided?T;f8DcSg*Yw9*Xym2{PEvD%hKQ;a#_8-!os1M6V0s88*Ei z6+Xj{vUgt1ekRnjL%GPG!{d(dlyD1ucqbt}wWaLqc_vcU^$j<;$0JRYEkC=}PzXs) zms(Al4@{q~sT#IUcQoANa&+>(_gwgh-xcdK_xLYf*{>)eH<1~B{9=e~O3E0zVT&Um zTdwG{+=)EP=&J;D{8<+!o1t~#W89y0p`;m77v6B8`&kzjFV=;O!Hj^4fT3dsBl^nFma zNM=dD@!mMe5B`oLzWrhLM}r(atjQ<1UPG2nuYHBnI-W^ot8NozOr6rRXE9vs%7I+> z{2nt9gF!|9#oVW?jl1I9Ze-EYZu`)HZS_8$b<%t@6aPVQ=V80c%d zK~H~=(8}`Bxh>I}-|GnDqnBHQbX9y9r_Y3h3mn!Bq|vR|cSzXw=tHI|Zta!?)+%wE zQ%9SOgVlUW&SJ6z%Uh$G{gh%=LU=kYBtipfGx^{UqM~(_D%es?|T~a%dtQ&Wd z{h1?GNR9|>LlB+T(F1!V;n49%)|sxELJ>99{)&iXT|wz0Vmv?*Igz`>`y)x%?%%Z} zt;1x0ojB)T+vl62Q{RUgTrWZYFAokKJ8IBcZ<)bc^OwNN0_^IS8blHAZuy0{EYXk_ zjf`9Z@}kFPX`)H(L=x>*7%SA_C9r^qxc^B{Bp#rM?1sM(mjwkud>n!LnAGtXA9sbZ oGSAr#{q&IzMMV)ye?$C>kJIx$?q25OF2u(Q^ktM6|56|S51>yUasU7T literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test new file mode 100644 index 0000000000..63be26448f --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, timestamp, hash_algorithm, signature_algorithm; + } From 2d64b4539466e1c52d4cc303712a02dbae03388a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 16:05:47 -0800 Subject: [PATCH 148/288] X509: make SCT parsing work with older OpenSSL versions --- src/file_analysis/analyzer/x509/X509.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index e85bc5615d..1189e55eaa 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -300,7 +300,11 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); +#ifdef NID_ct_cert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif ParseSignedCertificateTimestamps(ex); } From 209a560cc68cc197546c2449651de99a21eddd1e Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Thu, 9 Feb 2017 19:36:05 +0100 Subject: [PATCH 149/288] Fixed intel expiration reset. Reinserting the same indicator did not reset the expiration timer for the indicator in the underlying data store. Addresses BIT-1790 --- scripts/base/frameworks/intel/main.bro | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index aa51af5ee0..30f9a6bf75 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -407,7 +407,11 @@ function insert(item: Item) if ( host !in data_store$host_data ) data_store$host_data[host] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$host_data[host] = data_store$host_data[host]; + } meta_tbl = data_store$host_data[host]; } @@ -422,7 +426,11 @@ function insert(item: Item) if ( !check_subnet(net, data_store$subnet_data) ) data_store$subnet_data[net] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$subnet_data[net] = data_store$subnet_data[net]; + } meta_tbl = data_store$subnet_data[net]; } @@ -436,7 +444,12 @@ function insert(item: Item) if ( [lower_indicator, item$indicator_type] !in data_store$string_data ) data_store$string_data[lower_indicator, item$indicator_type] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$string_data[lower_indicator, item$indicator_type] = + data_store$string_data[lower_indicator, item$indicator_type]; + } meta_tbl = data_store$string_data[lower_indicator, item$indicator_type]; } From c6b16ad2ca9b3c1b7f561a711d8a62156f708884 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Thu, 9 Feb 2017 19:40:25 +0100 Subject: [PATCH 150/288] Updated expiration test case to cover reinsertion. Addresses BIT-1790 --- .../output | 25 +++++++++++++------ .../base/frameworks/intel/expire-item.bro | 19 +++++++++++++- 2 files changed, 36 insertions(+), 8 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output index dfa922f88f..a01d119b81 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output @@ -3,20 +3,31 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-06-15-19-11-06 +#open 2017-02-09-18-29-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1466017866.348490 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017867.349583 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017868.349656 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -#close 2016-06-15-19-11-12 +1486664984.510411 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1486664987.510937 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1486664990.511265 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1486664993.512024 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1486664996.512265 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +#close 2017-02-09-18-30-03 +-- Run 1 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +-- Run 2 -- +Trigger: 1.2.3.4 +Reinsert: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 3 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +-- Run 4 -- +Trigger: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 5 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 Expired: 1.2.3.4 -Trigger: 1.2.3.4 -Trigger: 1.2.3.4 +-- Run 6 -- Trigger: 1.2.3.4 diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index df9170b669..dd915b3a03 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro @@ -20,11 +20,28 @@ redef table_expire_interval = 3sec; global runs = 0; event do_it() { + ++runs; + print fmt("-- Run %s --", runs); + print "Trigger: 1.2.3.4"; Intel::seen([$host=1.2.3.4, $where=SOMEWHERE]); - ++runs; + if ( runs == 2 ) + { + # Reinserting the indicator should reset the expiration + print "Reinsert: 1.2.3.4"; + local item = [ + $indicator="1.2.3.4", + $indicator_type=Intel::ADDR, + $meta=[ + $source="source2", + $desc="this host is still bad", + $url="http://some-data-distributor.com/2"] + ]; + Intel::insert(item); + } + if ( runs < 6 ) schedule 3sec { do_it() }; } From c670613996435d7e833eec724a77c91a8b3f0969 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 8 Feb 2017 10:57:30 -0800 Subject: [PATCH 151/288] Make OCSP analyzer part of the X.509 analyzer This allows the easier integration of shared functionality. And it also makes logical sense, given that OCSP is not interesting without X.509. --- scripts/base/files/ocsp/README | 1 - scripts/base/files/ocsp/__load__.bro | 1 - scripts/base/files/x509/README | 1 + .../files/{ocsp/main.bro => x509/ocsp.bro} | 2 ++ scripts/base/init-default.bro | 1 - .../policy/protocols/ssl/validate-ocsp.bro | 2 +- src/file_analysis/analyzer/CMakeLists.txt | 1 - .../analyzer/ocsp/CMakeLists.txt | 10 -------- src/file_analysis/analyzer/ocsp/Plugin.cc | 25 ------------------- .../analyzer/x509/CMakeLists.txt | 4 +-- .../analyzer/{ocsp => x509}/OCSP.cc | 4 +-- .../analyzer/{ocsp => x509}/OCSP.h | 0 src/file_analysis/analyzer/x509/Plugin.cc | 4 ++- .../{ocsp/events.bif => x509/ocsp_events.bif} | 0 .../functions.bif => x509/ocsp_functions.bif} | 4 +-- .../{ocsp/types.bif => x509/ocsp_types.bif} | 0 16 files changed, 13 insertions(+), 47 deletions(-) delete mode 100644 scripts/base/files/ocsp/README delete mode 100644 scripts/base/files/ocsp/__load__.bro rename scripts/base/files/{ocsp/main.bro => x509/ocsp.bro} (99%) delete mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt delete mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.cc (99%) rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.h (100%) rename src/file_analysis/analyzer/{ocsp/events.bif => x509/ocsp_events.bif} (100%) rename src/file_analysis/analyzer/{ocsp/functions.bif => x509/ocsp_functions.bif} (95%) rename src/file_analysis/analyzer/{ocsp/types.bif => x509/ocsp_types.bif} (100%) diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README deleted file mode 100644 index beabe8a3fc..0000000000 --- a/scripts/base/files/ocsp/README +++ /dev/null @@ -1 +0,0 @@ -Support for ocsp file analysis framework. diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro deleted file mode 100644 index d551be57d3..0000000000 --- a/scripts/base/files/ocsp/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load ./main \ No newline at end of file diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index 8b50366cd2..b523eb4fc4 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1 +1,2 @@ Support for X509 certificates with the file analysis framework. +Also supposrts OCSP requests and responses. diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/x509/ocsp.bro similarity index 99% rename from scripts/base/files/ocsp/main.bro rename to scripts/base/files/x509/ocsp.bro index 3474e3a797..4a4836eee5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -2,6 +2,8 @@ @load base/utils/paths @load base/utils/queue +# Note - this needs some cleaning up and is currently not loaded by default. + module OCSP; export { diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 82379ec31c..65b41305c7 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -77,7 +77,6 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 -@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 6667d9fbae..8f0da3ef2f 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,4 @@ -##! Perform OCSP response validation. +##! Perform validation of stapled OCSP responses. @load base/frameworks/notice @load base/protocols/ssl diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 9296f4e6de..ef17247997 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -5,4 +5,3 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) -add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt deleted file mode 100644 index 12c54c1c84..0000000000 --- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt +++ /dev/null @@ -1,10 +0,0 @@ - -include(BroPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_BINARY_DIR}) - -bro_plugin_begin(Bro OCSP) -bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) -bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc deleted file mode 100644 index f7edbd1d6d..0000000000 --- a/src/file_analysis/analyzer/ocsp/Plugin.cc +++ /dev/null @@ -1,25 +0,0 @@ -// See the file in the main distribution directory for copyright. - - -#include "plugin/Plugin.h" - -#include "OCSP.h" - -namespace plugin { -namespace Bro_OCSP { - -class Plugin : public plugin::Plugin { -public: - plugin::Configuration Configure() - { - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); - - plugin::Configuration config; - config.name = "Bro::OCSP"; - config.description = "OCSP analyzer"; - return config; - } -} plugin; - -} -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..e95b4ae6e6 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc similarity index 99% rename from src/file_analysis/analyzer/ocsp/OCSP.cc rename to src/file_analysis/analyzer/x509/OCSP.cc index d54f1f345b..926f30cf37 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -5,8 +5,8 @@ #include "OCSP.h" #include "Event.h" -#include "events.bif.h" -#include "types.bif.h" +#include "ocsp_events.bif.h" +#include "ocsp_types.bif.h" #include "file_analysis/Manager.h" diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h similarity index 100% rename from src/file_analysis/analyzer/ocsp/OCSP.h rename to src/file_analysis/analyzer/x509/OCSP.h diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index d9d1b71ab4..5a0b67136a 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -4,6 +4,7 @@ #include "plugin/Plugin.h" #include "X509.h" +#include "OCSP.h" namespace plugin { namespace Bro_X509 { @@ -13,10 +14,11 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); plugin::Configuration config; config.name = "Bro::X509"; - config.description = "X509 analyzer"; + config.description = "X509 and OCSP analyzer"; return config; } } plugin; diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/events.bif rename to src/file_analysis/analyzer/x509/ocsp_events.bif diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif similarity index 95% rename from src/file_analysis/analyzer/ocsp/functions.bif rename to src/file_analysis/analyzer/x509/ocsp_functions.bif index 164b4a63ec..a5f31f9411 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -1,6 +1,6 @@ %%{ -#include "file_analysis/analyzer/ocsp/OCSP.h" -#include "types.bif.h" +#include "file_analysis/analyzer/x509/OCSP.h" +#include "ocsp_types.bif.h" %%} ## Parses a OCSP response into an OCSP::Response structure. diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/types.bif rename to src/file_analysis/analyzer/x509/ocsp_types.bif From b021fe75623a55148c8aab94d7f4c43693bf3350 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 8 Feb 2017 16:24:52 -0800 Subject: [PATCH 152/288] Rewrite of big parts of the OCSP analyzer. Less redundancy, style closer to the X.509 analyzer, times being parsed as real times, and lots of other changes. --- scripts/base/files/x509/__load__.bro | 1 + scripts/base/files/x509/ocsp.bro | 7 +- scripts/base/init-bare.bro | 29 +- src/file_analysis/analyzer/x509/Asn1Time.h | 157 +++++ src/file_analysis/analyzer/x509/OCSP.cc | 596 +++++------------- src/file_analysis/analyzer/x509/OCSP.h | 4 +- src/file_analysis/analyzer/x509/X509.cc | 164 +---- src/file_analysis/analyzer/x509/X509.h | 1 - .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 14 +- 13 files changed, 376 insertions(+), 629 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index a10fe855df..15c5754b1f 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1 +1,2 @@ @load ./main +@load ./ocsp diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 4a4836eee5..f417cd6113 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -1,3 +1,4 @@ +@load base/protocols/http @load base/frameworks/files @load base/utils/paths @load base/utils/queue @@ -68,7 +69,7 @@ export { ## responderID responderID: string &log &optional; ## producedAt - producedAt: string &log &optional; + producedAt: time &log &optional; ## certificates certs: vector of opaque of x509 &optional; @@ -85,9 +86,9 @@ export { ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate - thisUpdate: string &log &optional; + thisUpdate: time &log &optional; ## nextUpdate - nextUpdate: string &log &optional; + nextUpdate: time &log &optional; }; type Info: record { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e73e1ec849..d31bf8f0b6 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3651,49 +3651,52 @@ export { issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; - #RequestExtensions: xxx }; + type Request: record { version: count &log &optional; requestorName: string &log &optional; requestList: vector of OneReq; - #requestExtensions: xxx - }; + }; + type SingleResp: record { hashAlgorithm: string &log; issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; certStatus: string &log; - thisUpdate: string &log; - nextUpdate: string &log &optional; - #Extensions: xxx + revoketime: time &log &optional; + revokereason: string &log &optional; + thisUpdate: time &log; + nextUpdate: time &log &optional; }; + type Response: record { responseStatus: string &log; - responseType: string &log; - version: count &log; - responderID: string &log; - producedAt: string &log; + responseType: string &log &optional; + version: count &log &optional; + responderID: string &log &optional; + producedAt: time &log &optional; responses: vector of SingleResp; - #responseExtensions:xxx signatureAlgorithm: string &log &optional; - signature: string &optional; #&log; + #signature: string &optional; #&log; certs: vector of opaque of x509 &optional; }; + type CertId: record { hashAlgorithm: string &log &optional; issuerNameHash: string &log &optional; issuerKeyHash: string &log &optional; serialNumber: string &log &optional; }; + } module GLOBAL; type ocsp_req_vec: vector of OCSP::OneReq; type ocsp_resp_vec: vector of OCSP::SingleResp; - + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h new file mode 100644 index 0000000000..31013ec2a7 --- /dev/null +++ b/src/file_analysis/analyzer/x509/Asn1Time.h @@ -0,0 +1,157 @@ +static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. + // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 926f30cf37..c7747f54ce 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -15,6 +15,9 @@ #include #include +#include "file_analysis/analyzer/x509/X509.h" +#include "Asn1Time.h" + // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) // X509 => file_analysis::X509 @@ -23,8 +26,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) return sk_X509_value(certs, i); } -#include "file_analysis/analyzer/x509/X509.h" - using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); @@ -32,213 +33,59 @@ IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); #define OCSP_STRING_BUF_SIZE 2048 -//this function is copied from src/file_analysis/analyzer/extract/Extract.cc -static Val* get_extract_field_val(RecordVal* args, const char* name) +static Val* get_ocsp_type(RecordVal* args, const char* name) { Val* rval = args->Lookup(name); + if ( ! rval ) reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; } -//convert different ANS1 type to c string -static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) +static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) { - if (data == NULL || buf == NULL || buf_len <=0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - - if (type == V_ASN1_OCTET_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_BIT_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_INTEGER) - { - // NOTE: this will print the hex number - // wireshark may display decimal number - if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) - goto err; - } - else if (type == V_ASN1_OBJECT) - { - if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) - goto err; - } - else if (type == V_ASN1_GENERALIZEDTIME) - { - // TODO: convert ASN1_GENERALIZEDTIME to epoch time? - // new API: ASN1_TIME_diff() requires openssl 1.0.2 - // epoch time might be better for post processing - - // NOTE: this is for human readable time format - //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) - // goto err; - - // NOTE: this is printing the raw string which is also understandable - // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? - ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; - BIO_write(bio, tmp->data, tmp->length); - } - - else - goto err; - - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//ANS1 OCTET string to c string -static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); - } - -//ANS1 BIT string to c string -static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); - } - -//ANS1 integer to c string -static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); - } - -//ANS1 object to c string -static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); - } - -//ASN1_GENERALIZEDTIME to c string -static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); - } - -//CENERAL XXX to c string -static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) - { - if (data == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//OCSP respond id to c string -static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) - { - if (resp_id == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); if (resp_id->type == V_OCSP_RESPID_NAME) - { - if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) - goto err; - } + X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE); else if (resp_id->type == V_OCSP_RESPID_KEY) - { - if (i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; + i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); } -//print out a cert id for debug -static void ocsp_print_cert_id(OCSP_CERTID *cid) +static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio) { - if (cid == NULL) - return; + RecordVal *d = new RecordVal(type); char buf[OCSP_STRING_BUF_SIZE]; - int len = sizeof(buf); - memset(buf, 0, len); - int new_len = -1; - - //print hashAlgorithm - new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); - StringVal hashAlgorithm = StringVal(new_len, buf); - printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + memset(buf, 0, sizeof(buf)); - //print issuerNameHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); - StringVal issuerNameHash = StringVal(new_len, buf); - printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); + int len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(0, new StringVal(len, buf)); + BIO_reset(bio); - //print issuerKeyHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); - StringVal issuerKeyHash = StringVal(new_len, buf); - printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); - //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); - StringVal serialNumber = StringVal(new_len, buf); - printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); - } + i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(2, new StringVal(len, buf)); + BIO_reset(bio); -//fill in cert id -static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) - { - if (d == NULL || cert_id == NULL) - return; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + d->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //hashAlgorithm - int len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); - if (len > 0) - d->Assign(0, new StringVal(len, buf)); - - //issuerNameHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); - if (len > 0) - d->Assign(1, new StringVal(len, buf)); - - //issuerKeyHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); - if (len > 0) - d->Assign(2, new StringVal(len, buf)); - - //serialNumber - len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); - if (len > 0) - d->Assign(3, new StringVal(len, buf)); + return d; } file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) { - Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); - if (! ocsp_type ) + Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); + + if (! ocsp_type ) return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); } @@ -260,328 +107,223 @@ bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) return false; } -// parse OCSP request or response and send data to bro scriptland +// we parse the entire OCSP response in EOF, because we just pass it on +// to OpenSSL. bool file_analysis::OCSP::EndOfFile() { - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - + if (ocsp_type == "request") { - req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) { reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_REQVal* req_val = new OCSP_REQVal(req); - RecordVal* req_record = ParseRequest(req_val); - if (!req_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - Unref(req_val); - goto ocsp_cleanup; + return false; } + OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership + + RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(req_val->Ref()); - vl->append(req_record->Ref()); - mgr.QueueEvent(ocsp_request, vl); - - Unref(req_val); - Unref(req_record); + vl->append(req_val); + vl->append(req_record); + mgr.QueueEvent(ocsp_request, vl); } else if (ocsp_type == "response") { - resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) { reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); - RecordVal* resp_record = ParseResponse(resp_val); - if (!resp_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - Unref(resp_val); - goto ocsp_cleanup; + return false; } + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership + RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(resp_val->Ref()); - vl->append(resp_record->Ref()); + vl->append(resp_val); + vl->append(resp_record); mgr.QueueEvent(ocsp_response, vl); - - Unref(resp_val); - Unref(resp_record); } else + { reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); -ocsp_cleanup: - //if (resp) - // OCSP_RESPONSE_free(resp); - //if (req) - // OCSP_REQUEST_free(req); - return false; + return false; + } + + return true; } -// parse OCSP request and trigger event -RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid) { - if (req_val == NULL) - return NULL; - OCSP_REQUEST *req = NULL; - OCSP_ONEREQ *one_req = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_REQINFO *inf = NULL; - //OCSP_SIGNATURE *sig = NULL; + OCSP_REQUEST *req = req_val->GetReq(); + OCSP_REQINFO *inf = req->tbsRequest; - RecordVal* ocsp_req_record = NULL; - VectorVal* all_req_bro = NULL; - - int req_count = -1, i = -1, len = -1; - long version = -1; + char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions + memset(buf, 0, sizeof(buf)); - req = req_val->GetReq(); - if (req == NULL) - return NULL; - - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); - - inf = req->tbsRequest; - //sig = req->optionalSignature; - if (inf == NULL) - return NULL; + RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - if (!ocsp_req_record) - { - reporter->Error("Cannot create OCSP request structure: Internal memory error"); - return NULL; - } + ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + BIO *bio = BIO_new(BIO_s_mem()); - //version - version = ASN1_INTEGER_get(inf->version); - if (version != -1) - ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); - - //requestorName if (inf->requestorName != NULL) { - len = -1; - len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 0) - ocsp_req_record->Assign(1, new StringVal(len, buf)); + GENERAL_NAME_print(bio, inf->requestorName); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_req_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); } - - //deal with details of the request - req_count = OCSP_request_onereq_count(req); - if (req_count <= 0) - goto clean_up; - for (i=0; iAsVectorType()); - RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); - all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); + ocsp_req_record->Assign(2, all_req_bro); + + int req_count = OCSP_request_onereq_count(req); + for ( int i=0; iAssign(i, one_req_bro); } - - if (all_req_bro != NULL) - ocsp_req_record->Assign(2, all_req_bro); -clean_up: + + BIO_free(bio); + return ocsp_req_record; } -// parse OCSP response and trigger event -RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { - if (resp_val == NULL) - return NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_RESPBYTES *resp_bytes = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_BASICRESP *basic_resp = NULL; - OCSP_RESPDATA *resp_data = NULL; - OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; - OCSP_REVOKEDINFO *revoked_info = NULL; - OCSP_CERTSTATUS *cert_status = NULL; + OCSP_RESPONSE *resp = resp_val->GetResp(); + OCSP_RESPBYTES *resp_bytes = resp->responseBytes; + OCSP_BASICRESP *basic_resp = nullptr; + OCSP_RESPDATA *resp_data = nullptr; + OCSP_RESPID *resp_id = nullptr; - RecordVal *ocsp_resp_record = NULL; - VectorVal *all_resp_bro = NULL; - - int resp_count = -1, status = -1, i = -1, len = -1; - long version = -1; - - resp = resp_val->GetResp(); - if (resp == NULL) - return NULL; + int resp_count = 0; + VectorVal *all_resp_bro = nullptr; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + char buf[OCSP_STRING_BUF_SIZE]; + memset(buf, 0, sizeof(buf)); - ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - if (!ocsp_resp_record) - { - reporter->Error("Cannot create OCSP response structure: Internal memory error"); - return NULL; - } + RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - //responseStatus - status = OCSP_response_status(resp); - const char *status_str = OCSP_response_status_str(status); - ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); - //responseType - resp_bytes = resp->responseBytes; if (!resp_bytes) - goto clean_up; - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); - if (len > 0) - ocsp_resp_record->Assign(1, new StringVal(len, buf)); - - //get the basic response + return ocsp_resp_record; + + BIO *bio = BIO_new(BIO_s_mem()); + i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); + + // get the basic response basic_resp = OCSP_response_get1_basic(resp); - if (!basic_resp) + if ( !basic_resp ) goto clean_up; + resp_data = basic_resp->tbsResponseData; - if (!resp_data) + if ( !resp_data ) goto clean_up; - //version - version = ASN1_INTEGER_get(resp_data->version); - if (version != -1) - ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); - - //responderID + ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + // responderID resp_id = resp_data->responderId; - len = -1; - len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); - if (len > 0) - ocsp_resp_record->Assign(3, new StringVal(len, buf)); + OCSP_RESPID_bio(resp_id, bio); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //producedAt - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); - if (len > 0) - ocsp_resp_record->Assign(4, new StringVal(len, buf)); + // producedAt + ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); - //responses + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + ocsp_resp_record->Assign(5, all_resp_bro); + + // responses resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); - if (resp_count <= 0) - goto clean_up; - for (i=0; iresponses, i); - if (!single_resp) + OCSP_SINGLERESP *single_resp = sk_OCSP_SINGLERESP_value(resp_data->responses, i); + if ( !single_resp ) continue; - if (all_resp_bro == NULL) - all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); - RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); - //cert id - cert_id = single_resp->certId; - ocsp_fill_cert_id(cert_id, single_resp_bro); + // cert id + OCSP_CERTID *cert_id = single_resp->certId; + RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio); + BIO_reset(bio); - //certStatus - cert_status = single_resp->certStatus; - std::string cert_status_str = OCSP_cert_status_str(cert_status->type); - std::string revoke_reason = ""; - std::string revoke_time = ""; + // certStatus + OCSP_CERTSTATUS *cert_status = single_resp->certStatus; + const char* cert_status_str = OCSP_cert_status_str(cert_status->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); - //add revocation time and reason if it is revoked - if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) + // revocation time and reason if revoked + if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) { - revoked_info = cert_status->value.revoked; - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); - if (len > 0) - revoke_time.assign((const char *)buf, len); + OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; + single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); - if (revoked_info->revocationReason) - revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + if ( revoked_info->revocationReason ) + { + const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason)); + } } - if (revoke_time.length() > 0) - cert_status_str += " " + revoke_time; - if (revoke_reason.length() > 0) - cert_status_str += " " + revoke_reason; - single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); + single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); + if ( single_resp->nextUpdate ) + single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); - //thisUpdate - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); - if (len > 0) - single_resp_bro->Assign(5, new StringVal(len, buf)); - - //nextUpdate - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); - if (len > 0) - single_resp_bro->Assign(6, new StringVal(len, buf)); - - all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + all_resp_bro->Assign(i, single_resp_bro); } - if (all_resp_bro != NULL) - ocsp_resp_record->Assign(5, all_resp_bro); - //signatureAlgorithm - if (basic_resp->signatureAlgorithm) - { - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); - if (len > 0) - ocsp_resp_record->Assign(6, new StringVal(len, buf)); - } - //signature - if (basic_resp->signature) - { - len = -1; - len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); - if (len > 0) - ocsp_resp_record->Assign(7, new StringVal(len, buf)); - } + i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + BIO_reset(bio); + + //i2a_ASN1_OBJECT(bio, basic_resp->signature); + //len = BIO_read(bio, buf, sizeof(buf)); + //ocsp_resp_record->Assign(7, new StringVal(len, buf)); + //BIO_reset(bio); + //certs - if (basic_resp->certs) + if ( basic_resp->certs ) { VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); int num_certs = sk_X509_num(basic_resp->certs); - for (i=0; icerts, i)); //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); if (this_cert) certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); else reporter->Weird("OpenSSL returned null certificate"); - } - ocsp_resp_record->Assign(8, certs_vector); + } + ocsp_resp_record->Assign(7, certs_vector); } + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); + BIO_free(bio); return ocsp_resp_record; } -//OCSP_REQVal OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) { ocsp_req = arg_ocsp_req; @@ -589,7 +331,7 @@ OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) { - ocsp_req = NULL; + ocsp_req = nullptr; } OCSP_REQVal::~OCSP_REQVal() @@ -606,7 +348,7 @@ OCSP_REQUEST* OCSP_REQVal::GetReq() const bool OCSP_REQVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_REQUEST(ocsp_req, &buf); if ( length < 0 ) return false; @@ -621,11 +363,11 @@ bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_req_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) return false; opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. - ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_req_buf; if ( !ocsp_req ) return false; @@ -641,7 +383,7 @@ OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_o OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) { - ocsp_resp = NULL; + ocsp_resp = nullptr; } OCSP_RESPVal::~OCSP_RESPVal() @@ -658,7 +400,7 @@ OCSP_RESPONSE* OCSP_RESPVal::GetResp() const bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); if ( length < 0 ) return false; @@ -673,11 +415,11 @@ bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_resp_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) return false; opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. - ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_resp_buf; if ( !ocsp_resp ) return false; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ecdba6582d..ab40c13bca 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -24,8 +24,8 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - static RecordVal *ParseResponse(OCSP_RESPVal *); - static RecordVal *ParseRequest(OCSP_REQVal *); + static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0); + static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..a98b96f244 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -16,6 +16,8 @@ #include #include +#include "Asn1Time.h" + using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); @@ -133,8 +135,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, @@ -517,164 +519,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) reporter->InternalError("cannot be reached"); } -double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. - // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} - X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type) { certificate = arg_certificate; diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..2681038fc3 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -62,7 +62,6 @@ private: std::string cert_data; // Helpers for ParseCertificate. - static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid); static StringVal* KeyCurve(EVP_PKEY *key); static unsigned int KeyLength(EVP_PKEY *key); }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 692581c871..97a1eba12e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-38-15 +#open 2017-02-09-00-23-43 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-20-38-15 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET +#close 2017-02-09-00-23-43 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 1cb587ca17..366671298b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-25-27 +#open 2017-02-09-00-24-29 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2015-07-15-20-25-27 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 881f614583..dc1f8f6657 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-24-10 +#open 2017-02-09-00-24-32 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-20-24-11 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST +#close 2017-02-09-00-24-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4027016f1d..eab0e0579b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-26-35 +#open 2017-02-09-00-24-34 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - -#close 2015-07-15-20-26-36 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - +#close 2017-02-09-00-24-34 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 8876f251e7..f3889662ee 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-31-20-35-18 +#open 2017-02-09-00-24-36 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST -#close 2015-07-31-20-35-18 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST +#close 2017-02-09-00-24-36 From 9c6cebf32415aed69d407a2bf173cbc9fdeecb3c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 12:28:00 -0800 Subject: [PATCH 153/288] OCSP: a bunch of whitespace fixes --- scripts/base/files/x509/ocsp.bro | 12 ++++++------ scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 +++--- src/file_analysis/analyzer/x509/functions.bif | 8 ++++---- src/file_analysis/analyzer/x509/ocsp_functions.bif | 4 ++-- src/main.cc | 4 ++-- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index f417cd6113..078d7f730f 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -248,7 +248,7 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } - } + } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 { @@ -294,7 +294,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) @@ -397,11 +397,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); - + if ( cert_id !in f$http$ocsp_responses ) f$http$ocsp_responses[cert_id] = Queue::init(); - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else @@ -468,7 +468,7 @@ function start_log_ocsp(http: HTTP::Info) log_unmatched_reqs(http); return; } - + for ( cert_id in http$ocsp_responses ) { while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) @@ -502,7 +502,7 @@ function start_log_ocsp(http: HTTP::Info) if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) log_unmatched_reqs(http); } - + # log OCSP information event HTTP::log_http(rec: HTTP::Info) { diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 30f69e3b9a..58e378ab65 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -19,7 +19,7 @@ export { ## size of this response size: count &log; - + ## responseStatus responseStatus: string &log; @@ -34,14 +34,14 @@ export { ## producedAt producedAt: string &log; - + ## NOTE: the following are specific to one cert id ## the above are for one message which may contain ## several responses ## index idx: count &log &optional; - + ## cert id cert_id: OCSP::CertId &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e1bddd72e9..0fe65c7d55 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -548,14 +548,14 @@ x509_verify_chainerror: ## cert: The X509 certificate opaque handle. ## ## hash_alg: the hash algorithm to use -## +## ## Returns: A string of hash of issuer name. -## +## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string - %{ + %{ assert(cert); assert(hash_alg); @@ -583,7 +583,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string return NULL; } - const EVP_MD *dgst; + const EVP_MD *dgst; if (strcmp(h, "sha1") == 0) dgst = EVP_sha1(); else if (strcmp(h, "sha224") == 0) diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif index a5f31f9411..1901b90569 100644 --- a/src/file_analysis/analyzer/x509/ocsp_functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -11,7 +11,7 @@ ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ + %{ const unsigned char* start = ocsp_reply->Bytes(); OCSP_RESPONSE *resp = NULL; file_analysis::OCSP_RESPVal* resp_val = NULL; @@ -43,7 +43,7 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ + %{ const unsigned char* start = ocsp_req->Bytes(); OCSP_REQUEST *req = NULL; file_analysis::OCSP_REQVal* req_val = NULL; diff --git a/src/main.cc b/src/main.cc index 3e1a228644..efda617ba4 100644 --- a/src/main.cc +++ b/src/main.cc @@ -841,9 +841,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); - + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From e1bcc4509f9393dc16151a744ac26f6db7407511 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 15:43:37 -0800 Subject: [PATCH 154/288] OCSP: rewrite events and data structures. Instead of having a big event, that tries to parse all the data into a huge datastructure, we do the more common thing and use a series of smaller events to parse requests and responses. The new events are: ocsp_request -> raised for an ocsp request, giving version and requestor ocsp_request_certificate -> raised n times per request, once per cert ocsp_response_status -> raised for each ocsp response, giving status ocsp_response_bytes -> raised for each ocsp response with information ocsp_response_certificate -> raised for each cert in an ocsp response --- scripts/base/files/x509/__load__.bro | 2 +- scripts/base/init-bare.bro | 54 ----- src/SerialTypes.h | 3 +- src/Type.h | 1 - .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 189 +++++++----------- src/file_analysis/analyzer/x509/OCSP.h | 18 +- src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/ocsp_events.bif | 21 +- .../analyzer/x509/ocsp_functions.bif | 68 ------- .../analyzer/x509/ocsp_types.bif | 5 - src/main.cc | 2 - 12 files changed, 90 insertions(+), 277 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/ocsp_functions.bif delete mode 100644 src/file_analysis/analyzer/x509/ocsp_types.bif diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index 15c5754b1f..cff81e7254 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1,2 +1,2 @@ @load ./main -@load ./ocsp +#@load ./ocsp diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d31bf8f0b6..ffee527bb7 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3643,60 +3643,6 @@ export { }; } - -module OCSP; -export { - type OneReq: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - }; - - type Request: record { - version: count &log &optional; - requestorName: string &log &optional; - requestList: vector of OneReq; - }; - - type SingleResp: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - certStatus: string &log; - revoketime: time &log &optional; - revokereason: string &log &optional; - thisUpdate: time &log; - nextUpdate: time &log &optional; - }; - - type Response: record { - responseStatus: string &log; - responseType: string &log &optional; - version: count &log &optional; - responderID: string &log &optional; - producedAt: time &log &optional; - responses: vector of SingleResp; - signatureAlgorithm: string &log &optional; - #signature: string &optional; #&log; - certs: vector of opaque of x509 &optional; - }; - - type CertId: record { - hashAlgorithm: string &log &optional; - issuerNameHash: string &log &optional; - issuerKeyHash: string &log &optional; - serialNumber: string &log &optional; - }; - - } - -module GLOBAL; -type ocsp_req_vec: vector of OCSP::OneReq; -type ocsp_resp_vec: vector of OCSP::SingleResp; - - module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 6b81227464..8a1a2abf51 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -115,8 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) -SERIAL_VAL(OCSP_REQ_VAL, 26) -SERIAL_VAL(OCSP_RESP_VAL, 27) +SERIAL_VAL(OCSP_RESP_VAL, 26) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/Type.h b/src/Type.h index f456d1fba2..ab52e10734 100644 --- a/src/Type.h +++ b/src/Type.h @@ -628,7 +628,6 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; -extern OpaqueType* ocsp_req_opaque_type; extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index e95b4ae6e6..409fb3d4ba 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro X509) bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index c7747f54ce..a5a1d268e6 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -6,7 +6,6 @@ #include "Event.h" #include "ocsp_events.bif.h" -#include "ocsp_types.bif.h" #include "file_analysis/Manager.h" @@ -28,7 +27,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) using namespace file_analysis; -IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); #define OCSP_STRING_BUF_SIZE 2048 @@ -51,32 +49,29 @@ static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); } -static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio) +void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) { - RecordVal *d = new RecordVal(type); char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); int len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(0, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(1, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(2, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_INTEGER(bio, cert_id->serialNumber); - d->Assign(3, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); - - return d; } file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) @@ -123,16 +118,8 @@ bool file_analysis::OCSP::EndOfFile() return false; } - OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership - - RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str()); - - // and send the record on to scriptland - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(req_val); - vl->append(req_record); - mgr.QueueEvent(ocsp_request, vl); + ParseRequest(req, GetFile()->GetID().c_str()); + OCSP_REQUEST_free(req); } else if (ocsp_type == "response") { @@ -144,14 +131,8 @@ bool file_analysis::OCSP::EndOfFile() } OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership - RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str()); - - // and send the record on to scriptland - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(resp_val); - vl->append(resp_record); - mgr.QueueEvent(ocsp_response, vl); + ParseResponse(resp_val, GetFile()->GetID().c_str()); + Unref(resp_val); } else { @@ -162,46 +143,48 @@ bool file_analysis::OCSP::EndOfFile() return true; } -RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid) +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid) { - OCSP_REQUEST *req = req_val->GetReq(); OCSP_REQINFO *inf = req->tbsRequest; char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); - RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - - ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + // build up our response as we go along... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); BIO *bio = BIO_new(BIO_s_mem()); if (inf->requestorName != NULL) { GENERAL_NAME_print(bio, inf->requestorName); int len = BIO_read(bio, buf, sizeof(buf)); - ocsp_req_record->Assign(1, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); } + else + vl->append(new StringVal(0, "")); - VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); - ocsp_req_record->Assign(2, all_req_bro); + mgr.QueueEvent(ocsp_request, vl); int req_count = OCSP_request_onereq_count(req); for ( int i=0; iappend(GetFile()->GetVal()->Ref()); + OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i); OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req); - RecordVal* one_req_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::OneReq, bio); - all_req_bro->Assign(i, one_req_bro); + ocsp_add_cert_id(cert_id, rvl, bio); + mgr.QueueEvent(ocsp_request_certificate, rvl); } BIO_free(bio); - - return ocsp_req_record; } -RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) +void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { OCSP_RESPONSE *resp = resp_val->GetResp(); OCSP_RESPBYTES *resp_bytes = resp->responseBytes; @@ -210,24 +193,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char OCSP_RESPID *resp_id = nullptr; int resp_count = 0; - VectorVal *all_resp_bro = nullptr; + VectorVal *certs_vector = nullptr; + int len = 0; char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); - RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); - ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + StringVal* status_val = new StringVal(strlen(status_str), status_str); + vl->append(status_val->Ref()); + mgr.QueueEvent(ocsp_response_status, vl); + vl = nullptr; if (!resp_bytes) - return ocsp_resp_record; + { + Unref(status_val); + return; + } BIO *bio = BIO_new(BIO_s_mem()); - i2a_ASN1_OBJECT(bio, resp_bytes->responseType); - int len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(1, new StringVal(len, buf)); - BIO_reset(bio); + //i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + //int len = BIO_read(bio, buf, sizeof(buf)); + //BIO_reset(bio); // get the basic response basic_resp = OCSP_response_get1_basic(resp); @@ -238,19 +228,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char if ( !resp_data ) goto clean_up; - ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(status_val); + vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + // responderID resp_id = resp_data->responderId; OCSP_RESPID_bio(resp_id, bio); len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(3, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); // producedAt - ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); - - all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); - ocsp_resp_record->Assign(5, all_resp_bro); + vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); // responses resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); @@ -260,39 +252,51 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char if ( !single_resp ) continue; + val_list* rvl = new val_list(); + rvl->append(GetFile()->GetVal()->Ref()); + // cert id OCSP_CERTID *cert_id = single_resp->certId; - RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio); + ocsp_add_cert_id(cert_id, rvl, bio); BIO_reset(bio); // certStatus OCSP_CERTSTATUS *cert_status = single_resp->certStatus; const char* cert_status_str = OCSP_cert_status_str(cert_status->type); - single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + rvl->append(new StringVal(strlen(cert_status_str), cert_status_str)); // revocation time and reason if revoked if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) { OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; - single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); if ( revoked_info->revocationReason ) { const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); - single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason)); + rvl->append(new StringVal(strlen(revoke_reason), revoke_reason)); } + else + rvl->append(new StringVal(0, "")); + } + else + { + rvl->append(new Val(0, TYPE_TIME)); + rvl->append(new StringVal(0, "")); } - single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); if ( single_resp->nextUpdate ) - single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); + else + rvl->append(new Val(0, TYPE_TIME)); - all_resp_bro->Assign(i, single_resp_bro); + mgr.QueueEvent(ocsp_response_certificate, rvl); } i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(6, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); //i2a_ASN1_OBJECT(bio, basic_resp->signature); @@ -300,10 +304,10 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char //ocsp_resp_record->Assign(7, new StringVal(len, buf)); //BIO_reset(bio); - //certs + certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + vl->append(certs_vector); if ( basic_resp->certs ) { - VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); int num_certs = sk_X509_num(basic_resp->certs); for ( int i=0; iWeird("OpenSSL returned null certificate"); } - ocsp_resp_record->Assign(7, certs_vector); } + mgr.QueueEvent(ocsp_response_bytes, vl); clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); - return ocsp_resp_record; } -OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) - { - ocsp_req = arg_ocsp_req; - } - -OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) - { - ocsp_req = nullptr; - } - -OCSP_REQVal::~OCSP_REQVal() - { - if (ocsp_req) - OCSP_REQUEST_free(ocsp_req); - } - -OCSP_REQUEST* OCSP_REQVal::GetReq() const - { - return ocsp_req; - } - -bool OCSP_REQVal::DoSerialize(SerialInfo* info) const - { - DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); - unsigned char *buf = nullptr; - int length = i2d_OCSP_REQUEST(ocsp_req, &buf); - if ( length < 0 ) - return false; - bool res = SERIALIZE_STR(reinterpret_cast(buf), length); - OPENSSL_free(buf); - return res; - } - -bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) - { - DO_UNSERIALIZE(OpaqueVal) - - int length; - unsigned char *ocsp_req_buf, *opensslbuf; - - if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) - return false; - opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. - ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length); - delete[] ocsp_req_buf; - if ( !ocsp_req ) - return false; - return true; - } - - -//OCSP_RESPVal OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) { ocsp_resp = arg_ocsp_resp; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ab40c13bca..2ab9b014fd 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -15,7 +15,6 @@ namespace file_analysis { -class OCSP_REQVal; class OCSP_RESPVal; class OCSP : public file_analysis::Analyzer { @@ -24,8 +23,6 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0); - static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); @@ -33,22 +30,13 @@ protected: OCSP(RecordVal* args, File* file, const string& ocsp_type); private: + void ParseResponse(OCSP_RESPVal *, const char* fid = 0); + void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + std::string ocsp_data; std::string ocsp_type; }; -class OCSP_REQVal: public OpaqueVal { -public: - explicit OCSP_REQVal(OCSP_REQUEST *); - ~OCSP_REQVal(); - OCSP_REQUEST *GetReq() const; -protected: - OCSP_REQVal(); -private: - OCSP_REQUEST *ocsp_req; - DECLARE_SERIAL(OCSP_REQVal); -}; - class OCSP_RESPVal: public OpaqueVal { public: explicit OCSP_RESPVal(OCSP_RESPONSE *); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..5f435faad8 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -1,4 +1,4 @@ -## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS +## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS ## connection handshake. ## ## See `Wikipedia `__ for more information diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index b956e2c12e..2a1e5805c9 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -1,18 +1,19 @@ -## Generated for encountered OCSP request -## +## Event that is raised when encountering an OCSP request, e.g. in an HTTP +## connection. See :rfc:`6960` for more details. ## ## f: The file. ## -## req_ref: An opaque pointer to the underlying OpenSSL data structure of the -## OCSP request +## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## req: The parsed OCSP request information. +## requestorName: name of the OCSP requestor. This attribute is optional; if +## it is not set, an empty string is returned here. ## -event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%); +event ocsp_request%(f: fa_file, version: count, requestorName: string%); + +event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); ## Generated for encountered OCSP response ## -## ## f: The file. ## ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the @@ -20,4 +21,8 @@ event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request% ## ## req: The parsed OCSP response information. ## -event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%); +event ocsp_response_status%(f: fa_file, status: string%); + +event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); + +event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif deleted file mode 100644 index 1901b90569..0000000000 --- a/src/file_analysis/analyzer/x509/ocsp_functions.bif +++ /dev/null @@ -1,68 +0,0 @@ -%%{ -#include "file_analysis/analyzer/x509/OCSP.h" -#include "ocsp_types.bif.h" -%%} - -## Parses a OCSP response into an OCSP::Response structure. -## -## ocsp_reply: OCSP data. -## -## Returns: A OCSP::Response structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request -function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ - const unsigned char* start = ocsp_reply->Bytes(); - OCSP_RESPONSE *resp = NULL; - file_analysis::OCSP_RESPVal* resp_val = NULL; - RecordVal* resp_record = NULL; - resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len()); - if ( ! resp ) - { - reporter->Weird("OPENSSL Could not parse OCSP response"); - return NULL; - } - resp_val = new file_analysis::OCSP_RESPVal(resp); - resp_record = file_analysis::OCSP::ParseResponse(resp_val); - if (!resp_record) - { - reporter->Weird("Internal fail to parse OCSP response"); - Unref(resp_val); - return NULL; - } - Unref(resp_val); - //Unref(resp_record); - return resp_record; - %} - -## Parses a OCSP request into an OCSP::Request structure. -## -## ocsp_req: OCSP data. -## -## Returns: A OCSP::Request structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response -function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ - const unsigned char* start = ocsp_req->Bytes(); - OCSP_REQUEST *req = NULL; - file_analysis::OCSP_REQVal* req_val = NULL; - RecordVal* req_record = NULL; - req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); - if ( ! req ) - { - reporter->Weird("OPENSSL Could not parse OCSP request"); - return NULL; - } - req_val = new file_analysis::OCSP_REQVal(req); - req_record = file_analysis::OCSP::ParseRequest(req_val); - if (!req_record) - { - reporter->Weird("Internal fail to parse OCSP request"); - Unref(req_val); - return NULL; - } - Unref(req_val); - //Unref(req_record); - return req_record; - %} diff --git a/src/file_analysis/analyzer/x509/ocsp_types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif deleted file mode 100644 index 8d8cb5dd9b..0000000000 --- a/src/file_analysis/analyzer/x509/ocsp_types.bif +++ /dev/null @@ -1,5 +0,0 @@ -type OCSP::Request: record; -type OCSP::Response: record; -type OCSP::OneReq: record; -type OCSP::SingleResp: record; -type OCSP::CertId: record; diff --git a/src/main.cc b/src/main.cc index efda617ba4..11df1af0c2 100644 --- a/src/main.cc +++ b/src/main.cc @@ -129,7 +129,6 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; -OpaqueType* ocsp_req_opaque_type = 0; OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line @@ -841,7 +840,6 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); // The leak-checker tends to produce some false From 1b19ab78b63ee212434f932e3d49fa229ef8631c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 16:14:08 -0800 Subject: [PATCH 155/288] OCSP: split into two analysers in scriptland. Instead of having an additional string argument specifying if we are sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and an ANALYZER_OCSP_REPLY --- scripts/base/files/x509/ocsp.bro | 4 ++-- src/file_analysis/analyzer/x509/OCSP.cc | 29 +++++++++-------------- src/file_analysis/analyzer/x509/OCSP.h | 8 +++---- src/file_analysis/analyzer/x509/Plugin.cc | 3 ++- 4 files changed, 19 insertions(+), 25 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 078d7f730f..cb8c340c64 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -13,7 +13,7 @@ export { ocsp_type: string &optional; }; - ## ocsp logging + ## ocsp logging redef enum Log::ID += { LOG }; ## type for pending ocsp request @@ -23,7 +23,7 @@ export { ## one ocsp request record type Info_req: record { ## time for the request - ts: time; + ts: time; ## file id for this request or ## hash of the GET url if it's GET request id: string &log &optional; diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index a5a1d268e6..e3ac124260 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -74,21 +74,19 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); } -file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) +file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file) { - Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); - - if (! ocsp_type ) - return 0; - - return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + return new OCSP(args, file, true); } -file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) +file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) + { + return new OCSP(args, file, false); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { - ocsp_type = arg_ocsp_type; - ocsp_data.clear(); } bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) @@ -108,7 +106,7 @@ bool file_analysis::OCSP::EndOfFile() { const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - if (ocsp_type == "request") + if ( request ) { OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); @@ -121,7 +119,7 @@ bool file_analysis::OCSP::EndOfFile() ParseRequest(req, GetFile()->GetID().c_str()); OCSP_REQUEST_free(req); } - else if (ocsp_type == "response") + else { OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) @@ -134,11 +132,6 @@ bool file_analysis::OCSP::EndOfFile() ParseResponse(resp_val, GetFile()->GetID().c_str()); Unref(resp_val); } - else - { - reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); - return false; - } return true; } diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 2ab9b014fd..4c3ebed525 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -23,18 +23,18 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); protected: - OCSP(RecordVal* args, File* file, const string& ocsp_type); + OCSP(RecordVal* args, File* file, bool request); private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); std::string ocsp_data; - std::string ocsp_type; + bool request = false; // true if ocsp request, false if reply }; class OCSP_RESPVal: public OpaqueVal { diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index 5a0b67136a..31dbe346a8 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -14,7 +14,8 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest)); + AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply)); plugin::Configuration config; config.name = "Bro::X509"; From 9fd78165018aeb036787dc788b10daa0f5eb73fc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:34:23 -0800 Subject: [PATCH 156/288] Allow File analyzers to direcly pass mime type. This makes it much easier for protocols where the mime type is known in advance like, for example, TLS. We now do no longer have to perform deep script-level magic. --- scripts/base/files/x509/main.bro | 9 ++++++++ scripts/base/init-bare.bro | 3 +++ scripts/base/protocols/krb/files.bro | 6 ----- scripts/base/protocols/rdp/main.bro | 4 ---- scripts/base/protocols/ssl/files.bro | 6 ----- src/analyzer/protocol/krb/krb-padata.pac | 8 +++---- src/analyzer/protocol/rdp/rdp-analyzer.pac | 2 +- .../protocol/ssl/proc-certificate.pac | 5 +++- src/file_analysis/File.cc | 23 +++++++++++++++++++ src/file_analysis/File.h | 20 ++++++++++++++++ src/file_analysis/Manager.cc | 11 +++++++-- src/file_analysis/Manager.h | 18 +++++++++++++-- 12 files changed, 89 insertions(+), 26 deletions(-) diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index bbf99f6a4d..44ea83fc39 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -38,6 +38,15 @@ export { event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + # Always calculate hashes. They are not necessary for base scripts + # but very useful for identification, and required for policy scripts + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); } redef record Files::Info += { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..f3421fd557 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -446,6 +446,9 @@ type fa_metadata: record { mime_type: string &optional; ## All matching mime types if any were discovered. mime_types: mime_matches &optional; + ## Specifies if the mime type was inferred using signatures, + ## or provided by the protocol the file appeared in. + inferred: bool &default=T; }; ## Fields of a SYN packet. diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..947c2db41a 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -101,12 +101,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori } c$krb = info; - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } function fill_in_subjects(c: connection) diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro index c6d550c3f7..f543fd2cae 100644 --- a/scripts/base/protocols/rdp/main.bro +++ b/scripts/base/protocols/rdp/main.bro @@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori { # Count up X509 certs. ++c$rdp$cert_count; - - Files::add_analyzer(f, Files::ANALYZER_X509); - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index fad0fa0483..8a1380a270 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -114,12 +114,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; } - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts. - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } event ssl_established(c: connection) &priority=6 diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index b178239f4d..4667ab1677 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; @@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index 01b47e9478..1ba2c465d8 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -142,7 +142,7 @@ refine flow RDP_Flow += { connection()->bro_analyzer()->GetAnalyzerTag(), connection()->bro_analyzer()->Conn(), false, // It seems there are only server certs? - file_id); + file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); return true; diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index c2353e3a88..ee2247e5be 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac @@ -9,6 +9,9 @@ common.AddRaw(is_orig ? "T" : "F", 1); bro_analyzer()->Conn()->IDString(&common); + string user_mime = "application/x-x509-user-cert"; + string ca_mime = "application/x-x509-ca-cert"; + for ( unsigned int i = 0; i < certificates->size(); ++i ) { const bytestring& cert = (*certificates)[i]; @@ -21,7 +24,7 @@ file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), is_orig, file_id); + bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime); file_mgr->EndOfFile(file_id); } return true; diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 46e67f7cd8..2d9017a338 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::meta_mime_type_idx = -1; int File::meta_mime_types_idx = -1; +int File::meta_inferred_idx = -1; void File::StaticInit() { @@ -76,6 +77,7 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer", fa_file_type); meta_mime_type_idx = Idx("mime_type", fa_metadata_type); meta_mime_types_idx = Idx("mime_types", fa_metadata_type); + meta_inferred_idx = Idx("inferred", fa_metadata_type); } File::File(const string& file_id, const string& source_name, Connection* conn, @@ -290,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max) reassembly_max_buffer = max; } +bool File::SetMime(const string& mime_type) + { + if ( mime_type.empty() || bof_buffer.size != 0 ) + return false; + + did_metadata_inference = true; + bof_buffer.full = true; + + if ( ! FileEventAvailable(file_sniff) ) + return false; + + val_list* vl = new val_list(); + vl->append(val->Ref()); + RecordVal* meta = new RecordVal(fa_metadata_type); + vl->append(meta); + meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); + meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL)); + FileEvent(file_sniff, vl); + return true; + } + void File::InferMetadata() { did_metadata_inference = true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index c799907a8f..c52d9efbc4 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -171,6 +171,25 @@ public: */ void FileEvent(EventHandlerPtr h, val_list* vl); + + /** + * Sets the MIME type for a file to a specific value. + * + * Setting the MIME type has to be done before the MIME type is + * inferred from the content. After a MIME type has been set once, + * it cannot be changed anymore. + * + * This function should only be called when it does not make sense + * to perform automated MIME type detections. This is e.g. the case + * in protocols where the file type is fixed in the protocol description. + * This is for example the case for TLS and X.509 certificates. + * + * @param mime_type mime type to set + * @return true if the mime type was set. False if it could not be set because + * a mime type was already set or inferred. + */ + bool SetMime(const string& mime_type); + protected: friend class Manager; friend class FileReassembler; @@ -319,6 +338,7 @@ protected: static int bof_buffer_idx; static int mime_type_idx; static int mime_types_idx; + static int meta_inferred_idx; static int meta_mime_type_idx; static int meta_mime_types_idx; diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 217c901969..3140a1e9db 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -110,7 +110,7 @@ void Manager::SetHandle(const string& handle) string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const string& precomputed_id) + const string& precomputed_id, const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; File* file = GetFile(id, conn, tag, is_orig); @@ -118,6 +118,9 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len, offset); if ( file->IsComplete() ) @@ -130,7 +133,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, } string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, - Connection* conn, bool is_orig, const string& precomputed_id) + Connection* conn, bool is_orig, const string& precomputed_id, + const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; // Sequential data input shouldn't be going over multiple conns, so don't @@ -140,6 +144,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len); if ( file->IsComplete() ) diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index bcc8ac5dd2..d4ab6c8dfc 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -93,6 +93,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -101,7 +107,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data. @@ -113,6 +120,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -121,7 +134,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data from external source (e.g. input framework). From 8b50a1e09b21ae57632091542d668e626a4a1ee8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:47:24 -0800 Subject: [PATCH 157/288] SSL: parse OCSP stapled extension as file --- .../protocol/ssl/tls-handshake-analyzer.pac | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index e16606a0b0..799162a32f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -211,13 +211,31 @@ refine connection Handshake_Conn += { function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 || status_type == 2 ) // ocsp + ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(bro_analyzer()->Conn()->StartTime()); + common.AddRaw("F"); + bro_analyzer()->Conn()->IDString(&common); + + if ( status_type == 1 || status_type == 2 ) // ocsp { + ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add("ocsp"); + + string file_id = file_mgr->HashHandle(file_handle.Description()); + + file_mgr->DataIn(reinterpret_cast(response.data()), + response.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data()), status_type); + + } return true; %} From cdcc21ea4bfc57c8adf53685868d8fea5b0d1613 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 13:31:15 -0800 Subject: [PATCH 158/288] OCSP: generic extension parsing. Raises ocsp_extension event if an extension is present in the reply or in one of the singlereplies. --- src/file_analysis/analyzer/x509/OCSP.cc | 75 ++++++++++++++++++- src/file_analysis/analyzer/x509/OCSP.h | 1 + src/file_analysis/analyzer/x509/X509.cc | 1 + .../analyzer/x509/ocsp_events.bif | 2 + 4 files changed, 78 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index e3ac124260..704df3a6db 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -3,8 +3,10 @@ #include #include "OCSP.h" +#include "X509.h" #include "Event.h" +#include "types.bif.h" #include "ocsp_events.bif.h" #include "file_analysis/Manager.h" @@ -185,7 +187,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) OCSP_RESPDATA *resp_data = nullptr; OCSP_RESPID *resp_id = nullptr; - int resp_count = 0; + int resp_count, num_ext = 0; VectorVal *certs_vector = nullptr; int len = 0; @@ -285,6 +287,16 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) rvl->append(new Val(0, TYPE_TIME)); mgr.QueueEvent(ocsp_response_certificate, rvl); + + num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, false); + } } i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); @@ -314,12 +326,73 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } mgr.QueueEvent(ocsp_response_bytes, vl); + // ok, now that we are done with the actual certificate - let's parse extensions :) + num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, true); + } + + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } +// This is a near copy from X509 +void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = X509::GetExtensionFromBIO(bio); + + if ( ! ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(ocsp_extension, vl); + } + OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) { ocsp_resp = arg_ocsp_resp; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 4c3ebed525..f3560ecea4 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -32,6 +32,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + void ParseExtension(X509_EXTENSION*, bool global); std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index a98b96f244..5c6eb2a5ee 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -248,6 +248,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) return ext_val; } +// this is nearly replicated in the OCSP analyzer void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) { char name[256]; diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 2a1e5805c9..76208c210e 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -26,3 +26,5 @@ event ocsp_response_status%(f: fa_file, status: string%); event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); + +event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); From c550521221561809050cddfa7e8d2a11dcaaae84 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 15:18:52 -0800 Subject: [PATCH 159/288] OCSP: parse signed certificate timestamps With this change, we also parse signed certificate timestamps from OCSP replies. This introduces a common base class between the OCSP and X509 analyzer, which now share a bit of common code. The event for signed certificate timestamps is raised by both and thus renamed do: x509_ocsp_ext_signed_certificate_timestamp --- src/file_analysis/analyzer/x509/Asn1Time.h | 157 --------- .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 61 +--- src/file_analysis/analyzer/x509/OCSP.h | 13 +- src/file_analysis/analyzer/x509/X509.cc | 170 ++-------- src/file_analysis/analyzer/x509/X509.h | 27 +- src/file_analysis/analyzer/x509/X509Common.cc | 315 ++++++++++++++++++ src/file_analysis/analyzer/x509/X509Common.h | 44 +++ src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/x509-extension.pac | 2 +- .../x509/signed_certificate_timestamp.test | 2 +- 11 files changed, 404 insertions(+), 391 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h create mode 100644 src/file_analysis/analyzer/x509/X509Common.cc create mode 100644 src/file_analysis/analyzer/x509/X509Common.h diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h deleted file mode 100644 index 31013ec2a7..0000000000 --- a/src/file_analysis/analyzer/x509/Asn1Time.h +++ /dev/null @@ -1,157 +0,0 @@ -static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. - // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index 1eb3732022..a4c5767e56 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 704df3a6db..1c27720e36 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -17,7 +17,6 @@ #include #include "file_analysis/analyzer/x509/X509.h" -#include "Asn1Time.h" // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) @@ -87,7 +86,7 @@ file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) } file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { } @@ -295,7 +294,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, false); + ParseExtension(ex, ocsp_extension, false); } } @@ -334,63 +333,23 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, true); + ParseExtension(ex, ocsp_extension, true); } - clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } -// This is a near copy from X509 -void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) +void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = X509::GetExtensionFromBIO(bio); - - if ( ! ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); - - mgr.QueueEvent(ocsp_extension, vl); +#ifdef NID_ct_cert_scts + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); } OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index f3560ecea4..d1d15dd14f 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -8,20 +8,19 @@ #include "Val.h" #include "../File.h" #include "Analyzer.h" +#include "X509Common.h" #include -#include -#include namespace file_analysis { class OCSP_RESPVal; -class OCSP : public file_analysis::Analyzer { +class OCSP : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); @@ -32,7 +31,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); - void ParseExtension(X509_EXTENSION*, bool global); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 4a2a9cc5c2..f9ec91c9d1 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -4,7 +4,6 @@ #include "X509.h" #include "Event.h" -#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" @@ -17,14 +16,12 @@ #include #include -#include "Asn1Time.h" - using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); file_analysis::X509::X509(RecordVal* args, file_analysis::File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file) { cert_data.clear(); } @@ -75,7 +72,7 @@ bool file_analysis::X509::EndOfFile() if ( ! ex ) continue; - ParseExtension(ex); + ParseExtension(ex, x509_extension, false); } // X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted @@ -208,152 +205,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* return pX509Cert; } -StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) - { - BIO_flush(bio); - ERR_clear_error(); - int length = BIO_pending(bio); - - if ( ERR_peek_error() != 0 ) - { - char tmp[120]; - ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); - BIO_free_all(bio); - return 0; - } - - if ( length == 0 ) - { - BIO_free_all(bio); - return new StringVal(""); - } - - char* buffer = (char*) malloc(length); - - if ( ! buffer ) - { - // Just emit an error here and try to continue instead of aborting - // because it's unclear the length value is very reliable. - reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); - BIO_free_all(bio); - return 0; - } - - BIO_read(bio, (void*) buffer, length); - StringVal* ext_val = new StringVal(length, buffer); - - free(buffer); - BIO_free_all(bio); - - return ext_val; - } - -// this is nearly replicated in the OCSP analyzer -void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) - { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = GetExtensionFromBIO(bio); - - if ( ! ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - - mgr.QueueEvent(x509_extension, vl); - - // look if we have a specialized handler for this event... - if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) - ParseBasicConstraints(ex); - - else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) - ParseSAN(ex); - -#ifdef NID_ct_cert_scts - else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) -#else - else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) -#endif - ParseSignedCertificateTimestamps(ex); - } - -void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) - { - // Ok, signed certificate timestamps are a bit of an odd case out; we don't - // want to use the (basically nonexistant) OpenSSL functionality to parse them. - // Instead we have our own, self-written binpac parser to parse just them, - // which we will initialize here and tear down immediately again. - - ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); - // the octet string of the extension contains the octet string which in turn - // contains the SCT. Obviously. - - unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); - unsigned char* ext_val_second_pointer = ext_val_copy; - memcpy(ext_val_copy, ext_val->data, ext_val->length); - - ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); - if ( !inner ) - { - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); - return; - } - - binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); - binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); - - try - { - interp->NewData(inner->data, inner->data + inner->length); - } - catch( const binpac::Exception& e ) - { - // throw a warning or sth - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); - } - - OPENSSL_free(ext_val_second_pointer); - - interp->FlowEOF(); - - delete interp; - delete conn; - } - void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints); @@ -380,6 +231,23 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str())); } +void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) + { + // look if we have a specialized handler for this event... + if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) + ParseBasicConstraints(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) + ParseSAN(ex); + +#ifdef NID_ct_cert_scts + else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); + } + void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 9bbc0827cd..325e8becac 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -6,21 +6,18 @@ #include #include "Val.h" -#include "../File.h" -#include "Analyzer.h" +#include "X509Common.h" -#include -#include namespace file_analysis { class X509Val; -class X509 : public file_analysis::Analyzer { +class X509 : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; /** * Converts an X509 certificate into a \c X509::Certificate record @@ -40,25 +37,13 @@ public: static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } - /** - * Retrieve an X509 extension value from an OpenSSL BIO to which it was - * written. - * - * @param bio the OpenSSL BIO to read. It will be freed by the function, - * including when an error occurs. - * - * @return The X509 extension value. - */ - static StringVal* GetExtensionFromBIO(BIO* bio); - protected: X509(RecordVal* args, File* file); private: - void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); - void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc new file mode 100644 index 0000000000..367b7e562a --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -0,0 +1,315 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "X509Common.h" +#include "x509-extension_pac.h" + +#include "events.bif.h" +#include "ocsp_events.bif.h" +#include "types.bif.h" + +#include +#include +#include +#include +#include + +using namespace file_analysis; + +X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) + : file_analysis::Analyzer(arg_tag, arg_args, arg_file) + { + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. + // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} + +void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. + + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; + } + +void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = GetExtensionFromBIO(bio); + + if ( ! ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + if ( h == ocsp_extension ) + vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(h, vl); + + // let individual analyzers parse more. + ParseExtensionsSpecific(ex, global, ext_asn, oid); + } + +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) + { + BIO_flush(bio); + ERR_clear_error(); + int length = BIO_pending(bio); + + if ( ERR_peek_error() != 0 ) + { + char tmp[120]; + ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); + reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + BIO_free_all(bio); + return 0; + } + + if ( length == 0 ) + { + BIO_free_all(bio); + return new StringVal(""); + } + + char* buffer = (char*) malloc(length); + + if ( ! buffer ) + { + // Just emit an error here and try to continue instead of aborting + // because it's unclear the length value is very reliable. + reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); + BIO_free_all(bio); + return 0; + } + + BIO_read(bio, (void*) buffer, length); + StringVal* ext_val = new StringVal(length, buffer); + + free(buffer); + BIO_free_all(bio); + + return ext_val; + } diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h new file mode 100644 index 0000000000..1e1a9b94ee --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -0,0 +1,44 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +// Common base class for the X509 and OCSP analyzer, which share a fair amount of +// code + +#ifndef FILE_ANALYSIS_X509_COMMON +#define FILE_ANALYSIS_X509_COMMON + +#include "../File.h" +#include "Analyzer.h" + +#include +#include + +namespace file_analysis { + +class X509Common : public file_analysis::Analyzer { +public: + virtual ~X509Common() {}; + + /** + * Retrieve an X509 extension value from an OpenSSL BIO to which it was + * written. + * + * @param bio the OpenSSL BIO to read. It will be freed by the function, + * including when an error occurs. + * + * @return The X509 extension value. + */ + static StringVal* GetExtensionFromBIO(BIO* bio); + + static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter); + +protected: + X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file); + + void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global); + void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); + virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0; +}; + +} + +#endif /* FILE_ANALYSIS_X509_COMMON */ diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index 6e4df4393f..f8084fa864 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -73,4 +73,4 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index 56ca27d909..e77a82307a 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -35,7 +35,7 @@ refine connection MockConnection += { function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ - BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 63be26448f..5203bda7ee 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, timestamp, hash_algorithm, signature_algorithm; } From c431d14eed69ebec424f95927e83779bad795a83 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 16:01:13 -0800 Subject: [PATCH 160/288] OCSP: re-enable logging, fix tests, fix x509 issue Re-enable logging, now in policy because it probably is interesting to no-one. We also only log ocsp replies. Fix all tests. Fix an issue where ocsp replies were added to the x.509 certificate list. --- scripts/base/files/x509/main.bro | 6 +- scripts/base/files/x509/ocsp.bro | 515 ------------------ scripts/base/protocols/ssl/files.bro | 18 +- scripts/policy/files/x509/log-ocsp.bro | 54 ++ .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 2 + .../ocsp.log | 10 - .../.stdout | 5 + .../ocsp.log | 10 +- .../.stdout | 1 - .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 20 + .../ocsp.log | 16 +- .../base/protocols/ssl/ocsp-http-get.test | 39 ++ .../base/protocols/ssl/ocsp-request-only.test | 40 +- .../protocols/ssl/ocsp-request-response.test | 39 ++ .../protocols/ssl/ocsp-response-cert.test | 15 - .../protocols/ssl/ocsp-response-only.test | 39 ++ .../base/protocols/ssl/ocsp-revoked.test | 39 ++ 21 files changed, 323 insertions(+), 571 deletions(-) delete mode 100644 scripts/base/files/x509/ocsp.bro create mode 100644 scripts/policy/files/x509/log-ocsp.bro create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout delete mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index 44ea83fc39..a7d3ca7a04 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -41,12 +41,15 @@ event bro_init() &priority=5 Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); # Always calculate hashes. They are not necessary for base scripts # but very useful for identification, and required for policy scripts Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert"); } redef record Files::Info += { @@ -57,9 +60,6 @@ redef record Files::Info += { event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 { - if ( ! f$info?$mime_type ) - f$info$mime_type = "application/pkix-cert"; - f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; } diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro deleted file mode 100644 index cb8c340c64..0000000000 --- a/scripts/base/files/x509/ocsp.bro +++ /dev/null @@ -1,515 +0,0 @@ -@load base/protocols/http -@load base/frameworks/files -@load base/utils/paths -@load base/utils/queue - -# Note - this needs some cleaning up and is currently not loaded by default. - -module OCSP; - -export { - ## add one more argument to tell ocsp response or request - redef record Files::AnalyzerArgs += { - ocsp_type: string &optional; - }; - - ## ocsp logging - redef enum Log::ID += { LOG }; - - ## type for pending ocsp request - type PendingQueue: table[OCSP::CertId] of Queue::Queue; - - ## NOTE: one file could contain several requests - ## one ocsp request record - type Info_req: record { - ## time for the request - ts: time; - ## file id for this request or - ## hash of the GET url if it's GET request - id: string &log &optional; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## version - version: count &log &optional; - ## requestor name - requestorName: string &log &optional; - - ## NOTE: the above are for one file which may contain - ## several ocsp requests - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - index: count &log &optional; - ## request cert id - certId: OCSP::CertId &optional; - ## HTTP method - method: string &optional; - }; - - ## NOTE: one file could contain several response - ## one ocsp response record - type Info_resp: record { - ## time for the response - ts: time; - ## file id for this response - id: string &log; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## responseStatus (different from cert status?) - responseStatus: string &log &optional; - ## responseType - responseType: string &log &optional; - ## version - version: count &log &optional; - ## responderID - responderID: string &log &optional; - ## producedAt - producedAt: time &log &optional; - ## certificates - certs: vector of opaque of x509 &optional; - - ## NOTE: the following are specific to one cert id - ## the above are for one file which may contain - ## several responses - - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - index: count &log &optional; - ##cert id - certId: OCSP::CertId &optional; - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - ## thisUpdate - thisUpdate: time &log &optional; - ## nextUpdate - nextUpdate: time &log &optional; - }; - - type Info: record { - ## timestamp for request if a corresponding request is present - ## OR timestamp for response if a corresponding request is not found - ts: time &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## cert id - certId: OCSP::CertId &log &optional; - - ## request - req: Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - resp: Info_resp &log &optional; - - ## HTTP method - method: string &log &optional; - - ## HTTP record - http: HTTP::Info &optional; - }; - - ## Event for accessing logged OCSP records. - global log_ocsp: event(rec: Info); - - global get_uri_prefix: function(s: string): string; -} - -redef record HTTP::Info += { - # there should be one request and response but use Queue here - # just in case - ocsp_requests: PendingQueue &optional; - ocsp_responses: PendingQueue &optional; - - current_content_type: string &optional &default=""; - original_uri: string &optional; - - # flag for checking get uri - checked_get: bool &optional &default=F; - - # uri prefix: this the GET url without ocsp request - uri_prefix: string &optional; - }; - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - c$http$original_uri = original_URI; - } - -event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) - { - c$http$current_content_type = to_lower(ty + "/" + subty); - } - -function check_ocsp_file(f: fa_file, meta: fa_metadata) - { - if ( f$source != "HTTP" || ! f?$http ) - return; - - # call OCSP file analyzer - if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - } - else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); - } - } - -event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 - { - if (f$source == "HTTP") - check_ocsp_file(f, meta); - } - -function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) - { - if ( http?$method ) - req_rec$method = http$method; - } - -function update_request_info(rec: Info_req, req: OCSP::Request) - { - if ( req?$version ) - rec$version = req$version; - - if ( req?$requestorName ) - rec$requestorName = req$requestorName; - } - -function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId - { - local cert_id: OCSP::CertId = []; - if ( one_req?$hashAlgorithm ) - cert_id$hashAlgorithm = one_req$hashAlgorithm; - - if ( one_req?$issuerNameHash ) - cert_id$issuerNameHash = one_req$issuerNameHash; - - if ( one_req?$issuerKeyHash ) - cert_id$issuerKeyHash = one_req$issuerKeyHash; - - if ( one_req?$serialNumber ) - cert_id$serialNumber = one_req$serialNumber; - - return cert_id; - } - -function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) - { - local index: count = 0; - if ( req?$requestList && |req$requestList| > 0 ) - { - index += 1; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = cert_id_from_request(one_req); - local req_rec: OCSP::Info_req = [$ts = req_ts, - $certId = cert_id, - $cid = http$id, - $cuid = http$uid, - $index = index, - $id = req_id]; - update_request_info(req_rec, req); - - if ( ! http?$ocsp_requests ) - http$ocsp_requests = table(); - - if ( cert_id !in http$ocsp_requests ) - http$ocsp_requests[cert_id] = Queue::init(); - - update_http_info(http, req_rec); - Queue::put(http$ocsp_requests[cert_id], req_rec); - } - } - else if ( req?$version ) - { - # it's ocsp request but has no request content - # this is weird but log it anyway - local req_rec_empty: OCSP::Info_req = [$ts = req_ts, - $cid = http$id, - $cuid = http$uid, - $id = req_id]; - update_request_info(req_rec_empty, req); - update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); - } - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 - { - if ( ! f?$http ) - return; - enq_request(f$http, req, f$id, network_time()); - } - -function get_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return "/" + get_first_slash(s[1:s_len]); - else - return ""; - } - -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return remove_first_slash(s[1:s_len]); - else - return s; - } - -function get_uri_prefix(s: string): string - { - local uri_prefix = get_first_slash(s); - local w = split_string(s[|uri_prefix|:], /\//); - local i = 0; - while ( i < (|w| - 1) ) - { - uri_prefix += w[i] + "/"; - i += 1; - } - return uri_prefix; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; - local ocsp_req_str: string = http$uri[|uri_prefix|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) - { - # normal parse fails, bug url, naively try each part - local w = split_string(http$original_uri, /\//); - local s = ""; - for ( i in w ) - { - s += w[i] + "/"; - ocsp_req_str = http$uri[|s|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) - { - http$uri_prefix = s; - break; - } - } - } - return parsed_req; - } - -function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) - { - if ( single_resp?$certStatus ) - rec$certStatus = single_resp$certStatus; - - if ( single_resp?$thisUpdate ) - rec$thisUpdate = single_resp$thisUpdate; - - if ( single_resp?$nextUpdate ) - rec$nextUpdate = single_resp$nextUpdate; - } - -function update_response_info(rec: Info_resp, resp: OCSP::Response) - { - if ( resp?$responseStatus ) - rec$responseStatus = resp$responseStatus; - - if ( resp?$responseType ) - rec$responseType = resp$responseType; - - if ( resp?$version ) - rec$version = resp$version; - - if ( resp?$responderID ) - rec$responderID = resp$responderID; - - if ( resp?$producedAt ) - rec$producedAt = resp$producedAt; - - if ( resp?$certs ) - rec$certs = resp$certs; - } - -function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) - { - update_response_info(rec, resp); - update_response_info_single(rec, single_resp); - } - -function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId - { - local cert_id: OCSP::CertId = []; - if ( single_resp?$hashAlgorithm ) - cert_id$hashAlgorithm = single_resp$hashAlgorithm; - - if ( single_resp?$issuerNameHash ) - cert_id$issuerNameHash = single_resp$issuerNameHash; - - if ( single_resp?$issuerKeyHash ) - cert_id$issuerKeyHash = single_resp$issuerKeyHash; - - if ( single_resp?$serialNumber ) - cert_id$serialNumber = single_resp$serialNumber; - - return cert_id; - } - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 - { - if ( ! f?$http ) - return; - - if ( resp?$responses && |resp$responses| > 0 ) - { - local index: count = 0; - for (x in resp$responses) - { - index += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = cert_id_from_response(single_resp); - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $index = index, - $certId = cert_id]; - update_response_info_with_single(resp_rec, resp, single_resp); - - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = table(); - - if ( cert_id !in f$http$ocsp_responses ) - f$http$ocsp_responses[cert_id] = Queue::init(); - - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid]; - update_response_info(resp_rec_empty, resp); - local info_rec: Info = [$ts = resp_rec_empty$ts, - $resp_ts = resp_rec_empty$ts, - $resp = resp_rec_empty, - $cid = f$http$id, - $cuid = f$http$uid, - $http = f$http]; - if ( f$http?$method ) - info_rec$method = f$http$method; - Log::write(LOG, info_rec); - } - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get ) - { - f$http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); - } - } - -function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) - { - local reqs: vector of Info_req; - Queue::get_vector(q, reqs); - for ( i in reqs ) - { - local info_rec: Info = [$ts = reqs[i]$ts, - $certId = reqs[i]$certId, - $req = reqs[i], - $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid, - $http = http]; - if ( reqs[i]?$method ) - info_rec$method = reqs[i]$method; - Log::write(LOG, info_rec); - } - } - -function log_unmatched_reqs(http: HTTP::Info) - { - local reqs: PendingQueue = http$ocsp_requests; - for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id], http); - clear_table(reqs); - } - -function start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - if ( ! http?$ocsp_responses ) - { - log_unmatched_reqs(http); - return; - } - - for ( cert_id in http$ocsp_responses ) - { - while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) - { - # have unmatched responses - local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); - local info_rec: Info = [$ts = resp_rec$ts, - $certId = resp_rec$certId, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $http = http]; - - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec; - info_rec$ts = req_rec$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - if ( http?$method ) - info_rec$method = http$method; - Log::write(LOG, info_rec); - } - if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) - delete http$ocsp_responses[cert_id]; - } - if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http); - } - -# log OCSP information -event HTTP::log_http(rec: HTTP::Info) - { - start_log_ocsp(rec); - } - -event bro_init() &priority=5 - { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); - } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index 8a1380a270..b440927381 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -91,11 +91,23 @@ event bro_init() &priority=5 $describe = SSL::describe_file]); } -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 +event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 { - if ( ! c?$ssl ) + if ( |f$conns| != 1 ) return; + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" + || f$info$mime_type == "application/pkix-cert" ) ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + if ( ! c$ssl?$cert_chain ) { c$ssl$cert_chain = vector(); @@ -104,7 +116,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$client_cert_chain_fuids = string_vec(); } - if ( is_orig ) + if ( f$is_orig ) { c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro new file mode 100644 index 0000000000..f9e72dd832 --- /dev/null +++ b/scripts/policy/files/x509/log-ocsp.bro @@ -0,0 +1,54 @@ +##! Enable basic OCSP logging. + +# This is in policy because probably just about no one is interested +# in logging OCSP responses. + +module OCSP; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## Current timestamp. + ts: time &log; + + ## File id of the ocsp reply. + id: string &log; + + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + certStatus: string &log; + revoketime: time &log &optional; + revokereason: string &log &optional; + thisUpdate: time &log; + nextUpdate: time &log &optional; + }; + + global log_ocsp: event(rec: Info); +} + +event bro_init() + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash, + $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus, + $thisUpdate=thisUpdate); + + if ( revokereason != "" ) + wr$revokereason = revokereason; + + if ( time_to_double(revoketime) != 0 ) + wr$revoketime = revoketime; + + if ( time_to_double(nextUpdate) != 0 ) + wr$nextUpdate = nextUpdate; + + Log::write(LOG, wr); + } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout new file mode 100644 index 0000000000..4678baf15d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout @@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 97a1eba12e..bdb8384676 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-23-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET -#close 2017-02-09-00-23-43 +#open 2017-02-10-23-35-49 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 +#close 2017-02-10-23-35-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout new file mode 100644 index 0000000000..ca94887c05 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout @@ -0,0 +1,2 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log deleted file mode 100644 index 366671298b..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp -#open 2017-02-09-00-24-29 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout new file mode 100644 index 0000000000..3996bbd84f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout @@ -0,0 +1,5 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index dc1f8f6657..3707e84c48 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-32 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST -#close 2017-02-09-00-24-32 +#open 2017-02-11-00-00-41 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout deleted file mode 100644 index b6a95f4f0c..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout +++ /dev/null @@ -1 +0,0 @@ -[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout new file mode 100644 index 0000000000..230e80b4cd --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index eab0e0579b..e897453b5c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-34 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - -#close 2017-02-09-00-24-34 +#open 2017-02-11-00-00-52 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout new file mode 100644 index 0000000000..545f761acc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout @@ -0,0 +1,20 @@ +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index f3889662ee..58b226320d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-36 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST -#close 2017-02-09-00-24-36 +#open 2017-02-11-00-00-56 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-02-11-00-00-56 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test index 10ccc80c63..ff48772b6a 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test @@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test index 69e1023479..0176716553 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test @@ -1,4 +1,42 @@ # This tests a OCSP request missing response # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT -# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test index f9173292dc..3adfab9aa2 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test @@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test deleted file mode 100644 index 5ed2bf3253..0000000000 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test +++ /dev/null @@ -1,15 +0,0 @@ -# This tests OCSP response containing a certificate - -# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT -# @TEST-EXEC: btest-diff .stdout - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) -{ -if (resp?$certs) - { - for (x in resp$certs) - { - print x509_parse(resp$certs[x]); - } - } -} \ No newline at end of file diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test index 539a7bf1d6..f99a71802c 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test @@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index 1125484cdf..ae39640f3f 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } From a5e9a535a5d2095e3409b238a8dc2299da5cd508 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 31 Jan 2017 21:51:31 -0800 Subject: [PATCH 161/288] Changing semantics of Broker's remote logging to match old communication framework. Broker had changed the semantics of remote logging: it sent over the original Bro record containing the values to be logged, which on the receiving side would then pass through the logging framework normally, including triggering filters and events. The old communication system however special-cases logs: it sends already processed log entries, just as they go into the log files, and without any receiver-side filtering etc. This more efficient as it short-cuts the processing path, and also avoids the more expensive Val serialization. It also lets the sender determine the specifics of what gets logged (and how). This commit changes Broker over to now use the same semantics as the old communication system. TODOs: - The new Broker code doesn't have consistent #ifdefs yet. - Right now, when a new log receiver connects, all existing logs are broadcasted out again to all current clients. That doesn't so any harm, but is unncessary. Need to add a way to send the existing logs to just the new client. --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/RemoteSerializer.cc | 5 +- src/broker/Data.cc | 430 ++++++++++++++++++ src/broker/Data.h | 30 ++ src/broker/Manager.cc | 357 +++++++++++---- src/broker/Manager.h | 34 +- src/logging/Manager.cc | 65 ++- src/logging/Manager.h | 50 +- src/logging/WriterBackend.cc | 57 +++ src/logging/WriterBackend.h | 11 +- src/logging/WriterFrontend.cc | 27 +- src/logging/WriterFrontend.h | 8 +- .../Baseline/broker.remote_log/recv.recv.out | 6 - .../broker.remote_log_types/recv.recv.out | 0 .../broker.remote_log_types/recv.test.log | 10 + .../broker.remote_log_types/send.send.out | 1 + .../broker.remote_log_types/send.test.log | 10 + testing/btest/broker/remote_log.test | 89 ++-- testing/btest/broker/remote_log_types.test | 133 ++++++ 25 files changed, 1178 insertions(+), 159 deletions(-) create mode 100644 testing/btest/Baseline/broker.remote_log_types/recv.recv.out create mode 100644 testing/btest/Baseline/broker.remote_log_types/recv.test.log create mode 100644 testing/btest/Baseline/broker.remote_log_types/send.send.out create mode 100644 testing/btest/Baseline/broker.remote_log_types/send.test.log create mode 100644 testing/btest/broker/remote_log_types.test diff --git a/aux/binpac b/aux/binpac index 0f1ecfa972..a0990e61ad 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd +Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 diff --git a/aux/bro-aux b/aux/bro-aux index b1e75f6a21..7660b5f4c5 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 +Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 diff --git a/aux/broccoli b/aux/broccoli index ed52e3414b..765eab50f7 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 +Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 diff --git a/aux/broctl b/aux/broctl index 73dbc79ac2..f6d451520e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 +Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 diff --git a/aux/broker b/aux/broker index 23def70c44..68a36ed814 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 23def70c44128d19138029615dd154359286e111 +Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da diff --git a/aux/btest b/aux/btest index 9d5c7bcac9..32e582514a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f +Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d diff --git a/aux/plugins b/aux/plugins index 2322840bcd..0a2f021527 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb +Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 4842f819b6..2adecfc89a 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -2730,8 +2730,7 @@ bool RemoteSerializer::ProcessLogCreateWriter() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - if ( ! log_mgr->CreateWriter(id_val, writer_val, info, num_fields, fields, - true, false, true) ) + if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) ) { delete_fields_up_to = num_fields; goto error; @@ -2803,7 +2802,7 @@ bool RemoteSerializer::ProcessLogWrite() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - success = log_mgr->Write(id_val, writer_val, path, num_fields, vals); + success = log_mgr->WriteFromRemote(id_val, writer_val, path, num_fields, vals); Unref(id_val); Unref(writer_val); diff --git a/src/broker/Data.cc b/src/broker/Data.cc index bc4197a974..35d815b9e8 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -709,3 +709,433 @@ bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info) delete [] serial; return true; } + +static broker::util::optional threading_val_to_data_internal(TypeTag type, const threading::Value::_val& val) + { + switch ( type ) { + case TYPE_BOOL: + return {val.int_val != 0}; + + case TYPE_INT: + return {val.int_val}; + + case TYPE_COUNT: + case TYPE_COUNTER: + return {val.uint_val}; + + case TYPE_PORT: + return {broker::port(val.port_val.port, to_broker_port_proto(val.port_val.proto))}; + + case TYPE_ADDR: + { + IPAddr a; + + switch ( val.addr_val.family ) { + case IPv4: + a = IPAddr(val.addr_val.in.in4); + break; + + case IPv6: + a = IPAddr(val.addr_val.in.in6); + break; + + default: + reporter->InternalError("unsupported protocol family in threading_val_to_data"); + } + + in6_addr tmp; + a.CopyIPv6(&tmp); + return {broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network)}; + } + + case TYPE_SUBNET: + { + IPAddr a; + int length; + + switch ( val.subnet_val.prefix.family ) { + case IPv4: + a = IPAddr(val.subnet_val.prefix.in.in4); + length = (val.subnet_val.length - 96); + break; + + case IPv6: + a = IPAddr(val.subnet_val.prefix.in.in6); + length = val.subnet_val.length; + break; + + default: + reporter->InternalError("unsupported protocol family in threading_val_to_data"); + } + + in6_addr tmp; + a.CopyIPv6(&tmp); + + auto s = broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network); + fprintf(stderr, "%d\n", val.subnet_val.length); + return {broker::subnet(s, length)}; + } + + case TYPE_DOUBLE: + return {val.double_val}; + + case TYPE_TIME: + return {broker::time_point(val.double_val)}; + + case TYPE_INTERVAL: + return {broker::time_duration(val.double_val)}; + + case TYPE_ENUM: + return {broker::enum_value(std::string(val.string_val.data, val.string_val.length))}; + + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + return {std::string(val.string_val.data, val.string_val.length)}; + + case TYPE_TABLE: + { + auto s = broker::set(); + + for ( int i = 0; i < val.set_val.size; ++i ) + { + auto c = bro_broker::threading_val_to_data(val.set_val.vals[i]); + + if ( ! c ) + return {}; + + s.emplace(*c); + } + + return {move(s)}; + } + + case TYPE_VECTOR: + { + auto s = broker::vector(); + + for ( int i = 0; i < val.vector_val.size; ++i ) + { + auto c = bro_broker::threading_val_to_data(val.vector_val.vals[i]); + + if ( ! c ) + return {}; + + s.emplace_back(*c); + } + + return {move(s)}; + } + + default: + reporter->InternalError("unsupported type %s in threading_val_to_data", + type_name(type)); + } + + return {}; + } + + +broker::util::optional bro_broker::threading_val_to_data(const threading::Value* v) + { + broker::util::optional d; + + if ( v->present ) + { + d = threading_val_to_data_internal(v->type, v->val); + + if ( ! d ) + return {}; + } + + auto type = broker::record::field(static_cast(v->type)); + auto present = broker::record::field(v->present); + auto data = (v->present) ? broker::record::field(*d) : broker::util::optional(); + + return {broker::record({move(type), move(present), move(data)})}; + }; + +struct threading_val_converter { + using result_type = bool; + + TypeTag type; + threading::Value::_val& val; + + result_type operator()(bool a) + { + if ( type == TYPE_BOOL ) + { + val.int_val = (a ? 1 : 0); + return true; + } + + return false; + } + + result_type operator()(uint64_t a) + { + if ( type == TYPE_COUNT || type == TYPE_COUNTER ) + { + val.uint_val = a; + return true; + } + + return false; + } + + result_type operator()(int64_t a) + { + if ( type == TYPE_INT ) + { + val.int_val = a; + return true; + } + + return false; + } + + result_type operator()(double a) + { + if ( type == TYPE_DOUBLE ) + { + val.double_val = a; + return true; + } + + return false; + } + + + result_type operator()(const std::string& a) + { + if ( type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC ) + { + auto n = a.size(); + val.string_val.length = n; + val.string_val.data = new char[n]; + memcpy(val.string_val.data, a.data(), n); + return true; + } + + return false; + } + + result_type operator()(const broker::address& a) + { + if ( type == TYPE_ADDR ) + { + auto bits = reinterpret_cast(&a.bytes()); + auto b = IPAddr(*bits); + + if ( a.is_v4() ) + { + val.addr_val.family = IPv4; + b.CopyIPv4(&val.addr_val.in.in4); + return true; + } + + if ( a.is_v6() ) + { + val.addr_val.family = IPv6; + b.CopyIPv6(&val.addr_val.in.in6); + return true; + } + } + + return false; + } + + result_type operator()(const broker::subnet& s) + { + if ( type == TYPE_SUBNET ) + { + auto bits = reinterpret_cast(&s.network().bytes()); + auto a = IPAddr(*bits); + + val.subnet_val.length = s.length(); + + if ( s.network().is_v4() ) + { + val.subnet_val.prefix.family = IPv4; + a.CopyIPv4(&val.subnet_val.prefix.in.in4); + val.subnet_val.length += 96; + return true; + } + + if ( s.network().is_v6() ) + { + val.subnet_val.prefix.family = IPv6; + a.CopyIPv6(&val.subnet_val.prefix.in.in6); + return true; + } + } + + return false; + } + + result_type operator()(const broker::port& a) + { + if ( type == TYPE_PORT ) + { + val.port_val.port = a.number(); + val.port_val.proto = bro_broker::to_bro_port_proto(a.type()); + return true; + } + + return false; + } + + result_type operator()(const broker::time_point& a) + { + if ( type == TYPE_TIME ) + { + val.double_val = a.value; + return true; + } + + return false; + } + + result_type operator()(const broker::time_duration& a) + { + if ( type == TYPE_INTERVAL ) + { + val.double_val = a.value; + return true; + } + + return false; + } + + result_type operator()(const broker::enum_value& a) + { + if ( type == TYPE_ENUM ) + { + auto n = a.name.size(); + val.string_val.length = n; + val.string_val.data = new char[n]; + memcpy(val.string_val.data, a.name.data(), n); + return true; + } + + return false; + } + + result_type operator()(const broker::set& a) + { + if ( type == TYPE_TABLE ) + { + val.set_val.size = a.size(); + val.set_val.vals = new threading::Value* [val.set_val.size]; + + auto p = val.set_val.vals; + + for ( auto& i : a ) + *p++ = bro_broker::data_to_threading_val(move(i)); + + return true; + } + + return false; + } + + result_type operator()(const broker::table& a) + { + return false; + } + + result_type operator()(const broker::vector& a) + { + if ( type == TYPE_VECTOR ) + { + val.vector_val.size = a.size(); + val.vector_val.vals = new threading::Value* [val.set_val.size]; + + auto p = val.set_val.vals; + + for ( auto& i : a ) + *p++ = bro_broker::data_to_threading_val(move(i)); + + return true; + } + + return false; + } + + result_type operator()(const broker::record& a) + { + return false; + } +}; + +threading::Value* bro_broker::data_to_threading_val(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return nullptr; + + auto type = broker::get(*r->get(0));; + auto present = broker::get(*r->get(1));; + auto data = *r->get(2); + + if ( ! (type && present) ) + return nullptr; + + auto tv = new threading::Value; + tv->type = static_cast(*type); + tv->present = *present; + + if ( present && ! broker::visit(threading_val_converter{tv->type, tv->val}, data) ) + { + delete tv; + return nullptr; + } + + return tv; + } + +broker::data bro_broker::threading_field_to_data(const threading::Field* f) + { + auto name = broker::record::field(f->name); + auto type = broker::record::field(static_cast(f->type)); + auto subtype = broker::record::field(static_cast(f->subtype)); + auto optional = broker::record::field(f->optional); + + broker::util::optional secondary; + + if ( f->secondary_name ) + secondary = {f->secondary_name}; + + return move(broker::record({name, secondary, type, subtype, optional})); + } + +threading::Field* bro_broker::data_to_threading_field(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return nullptr; + + auto name = broker::get(*r->get(0)); + auto secondary = r->get(1); + auto type = broker::get(*r->get(2)); + auto subtype = broker::get(*r->get(3)); + auto optional = broker::get(*r->get(4)); + + if ( ! (name && type && subtype && optional) ) + return nullptr; + + if ( secondary && ! broker::is(*secondary) ) + return nullptr; + + return new threading::Field(name->c_str(), + secondary ? broker::get(*secondary)->c_str() : nullptr, + static_cast(*type), + static_cast(*subtype), + *optional); + } diff --git a/src/broker/Data.h b/src/broker/Data.h index 0045ad58ad..9e0c8120de 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h @@ -61,6 +61,36 @@ broker::util::optional val_to_data(Val* v); */ Val* data_to_val(broker::data d, BroType* type, bool require_log_attr = false); +/** + * Convert a Bro threading::Value to a Broker data value. + * @param v a Bro threading::Value. + * @return a Broker data value if the Bro threading::Value could be converted to one. + */ +broker::util::optional threading_val_to_data(const threading::Value* v); + +/** + * Convert a Bro threading::Field to a Broker data value. + * @param v a Bro threading::Field. + * @return a Broker data value if the Bro threading::Field could be converted to one. + */ +broker::data threading_field_to_data(const threading::Field* f); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Value* data_to_threading_val(broker::data d); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Field* data_to_threading_field(broker::data d); + /** * A Bro value which wraps a Broker data value. */ diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 334b7f84f5..76040b129c 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -20,10 +20,17 @@ using namespace std; VectorType* bro_broker::Manager::vector_of_data_type; EnumType* bro_broker::Manager::log_id_type; +EnumType* bro_broker::Manager::writer_id_type; int bro_broker::Manager::send_flags_self_idx; int bro_broker::Manager::send_flags_peers_idx; int bro_broker::Manager::send_flags_unsolicited_idx; +struct unref_guard { + unref_guard(Val* v) : val(v) {} + ~unref_guard() { Unref(val); } + Val* val; +}; + bro_broker::Manager::Manager() : iosource::IOSource(), next_timestamp(-1) { @@ -83,6 +90,7 @@ bool bro_broker::Manager::Enable(Val* broker_endpoint_flags) send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); log_id_type = internal_type("Log::ID")->AsEnumType(); + writer_id_type = internal_type("Log::Writer")->AsEnumType(); bro_broker::opaque_of_data_type = new OpaqueType("Broker::Data"); bro_broker::opaque_of_set_iterator = new OpaqueType("Broker::SetIterator"); @@ -206,8 +214,9 @@ bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flag return true; } -bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info, - int flags) +bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, int flags, + const string& peer) { if ( ! Enabled() ) return false; @@ -221,40 +230,82 @@ bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* i return false; } - broker::record column_data; + auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); - for ( auto i = 0u; i < static_cast(info->NumFields()); ++i ) + if ( ! writer_name ) { - if ( ! info->FieldDecl(i)->FindAttr(ATTR_LOG) ) - continue; + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } - auto field_val = columns->LookupWithDefault(i); + auto writer_info = info.ToBroker(); - if ( ! field_val ) - { - column_data.fields.emplace_back(broker::record::field{}); - continue; - } + broker::vector fields_data; - auto opt_field_data = val_to_data(field_val); - Unref(field_val); + for ( auto i = 0; i < num_fields; ++i ) + { + auto field_data = threading_field_to_data(fields[i]); + fields_data.push_back(move(field_data)); + } - if ( ! opt_field_data ) + // TODO: If peer is given, send message to just that one destination. + + std::string topic = std::string("bro/log/") + stream_name; + auto bstream_name = broker::enum_value(move(stream_name)); + auto bwriter_name = broker::enum_value(move(writer_name)); + broker::message msg{move("create"), move(bstream_name), move(bwriter_name), move(writer_info), move(fields_data)}; + endpoint->send(move(topic), move(msg), flags); + + return true; + } + +bool bro_broker::Manager::Log(EnumVal* stream, EnumVal* writer, string path, int num_vals, const threading::Value* const * vals, int flags) + { + if ( ! Enabled() ) + return false; + + auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); + + if ( ! stream_name ) + { + reporter->Error("Failed to remotely log: stream %d doesn't have name", + stream->AsEnum()); + return false; + } + + auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); + + if ( ! writer_name ) + { + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } + + broker::vector vals_data; + + for ( auto i = 0; i < num_vals; ++i ) + { + auto field_data = threading_val_to_data(vals[i]); + + if ( ! field_data ) { reporter->Error("Failed to remotely log stream %s: " - "unsupported type '%s'", - stream_name, - type_name(info->FieldDecl(i)->type->Tag())); + "unsupported type for field #%d", + stream_name, i); return false; } - column_data.fields.emplace_back( - broker::record::field{move(*opt_field_data)}); + vals_data.push_back(move(*field_data)); } - broker::message msg{broker::enum_value{stream_name}, move(column_data)}; std::string topic = std::string("bro/log/") + stream_name; + auto bstream_name = broker::enum_value(move(stream_name)); + auto bwriter_name = broker::enum_value(move(writer_name)); + broker::message msg{move("write"), move(bstream_name), move(bwriter_name), move(path), move(vals_data)}; endpoint->send(move(topic), move(msg), flags); + return true; } @@ -639,6 +690,8 @@ void bro_broker::Manager::Process() { switch ( u.status ) { case broker::outgoing_connection_status::tag::established: + log_mgr->SendAllWritersTo(u.peer_name); + if ( Broker::outgoing_connection_established ) { val_list* vl = new val_list; @@ -684,6 +737,8 @@ void bro_broker::Manager::Process() { switch ( u.status ) { case broker::incoming_connection_status::tag::established: + log_mgr->SendAllWritersTo(u.peer_name); + if ( Broker::incoming_connection_established ) { val_list* vl = new val_list; @@ -809,12 +864,6 @@ void bro_broker::Manager::Process() } } - struct unref_guard { - unref_guard(Val* v) : val(v) {} - ~unref_guard() { Unref(val); } - Val* val; - }; - for ( auto& ls : log_subscriptions ) { auto log_messages = ls.second.q.want_pop(); @@ -826,59 +875,19 @@ void bro_broker::Manager::Process() for ( auto& lm : log_messages ) { - if ( lm.size() != 2 ) + if ( lm.size() < 1 ) { - reporter->Warning("got bad remote log size: %zd (expect 2)", - lm.size()); + reporter->Warning("got bad remote log message, no type field"); continue; } - if ( ! broker::get(lm[0]) ) - { - reporter->Warning("got remote log w/o stream id: %d", - static_cast(broker::which(lm[0]))); - continue; - } - - if ( ! broker::get(lm[1]) ) - { - reporter->Warning("got remote log w/o columns: %d", - static_cast(broker::which(lm[1]))); - continue; - } - - auto stream_id = data_to_val(move(lm[0]), log_id_type); - - if ( ! stream_id ) - { - reporter->Warning("failed to unpack remote log stream id"); - continue; - } - - unref_guard stream_id_unreffer{stream_id}; - auto columns_type = log_mgr->StreamColumns(stream_id->AsEnumVal()); - - if ( ! columns_type ) - { - reporter->Warning("got remote log for unknown stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - auto columns = data_to_val(move(lm[1]), columns_type, true); - - if ( ! columns ) - { - reporter->Warning("failed to unpack remote log stream columns" - " for stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal()); - Unref(columns); + if ( lm[0] == "create" ) + ProcessCreateLog(std::move(lm)); + else if ( lm[0] == "write" ) + ProcessWriteLog(std::move(lm)); + else + reporter->Warning("got remote log w/o known type: %d", + static_cast(broker::which(lm[0]))); } } @@ -979,6 +988,202 @@ void bro_broker::Manager::Process() next_timestamp = -1; } +bool bro_broker::Manager::ProcessCreateLog(broker::message msg) + { + if ( msg.size() != 5 ) + { + reporter->Warning("got bad remote log create size: %zd (expected 5)", + msg.size()); + return false; + } + + unsigned int idx = 1; // Skip type at index 0. + + // Get stream ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log create w/o stream id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto stream_id = data_to_val(move(msg[idx]), log_id_type); + + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); + return false; + } + + unref_guard stream_id_unreffer{stream_id}; + ++idx; + + // Get writer ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o writer id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_id = data_to_val(move(msg[idx]), writer_id_type); + + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id"); + return false; + } + + unref_guard writer_id_unreffer{writer_id}; + ++idx; + + // Get writer info. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log create w/o writer info id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_info = std::unique_ptr(new logging::WriterBackend::WriterInfo); + + if ( ! writer_info->FromBroker(std::move(msg[idx])) ) + { + reporter->Warning("failed to unpack remote log writer info"); + return false; + } + + ++idx; + + // Get log fields. + + auto fields_data = broker::get(msg[idx]); + + if ( ! fields_data ) + { + reporter->Warning("failed to unpack remote log fields"); + return false; + } + + auto num_fields = fields_data->size(); + auto fields = new threading::Field* [num_fields]; + + for ( auto i = 0u; i < num_fields; ++i ) + { + if ( auto field = data_to_threading_field((*fields_data)[i]) ) + fields[i] = field; + else + { + reporter->Warning("failed to convert remote log field # %d", i); + return false; + } + } + + if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) ) + { + ODesc d; + stream_id->Describe(&d); + reporter->Warning("failed to create remote log stream for %s locally", d.Description()); + } + + writer_info.release(); // log_mgr took ownership. + return true; + } + +bool bro_broker::Manager::ProcessWriteLog(broker::message msg) + { + if ( msg.size() != 5 ) + { + reporter->Warning("got bad remote log size: %zd (expected 5)", + msg.size()); + return false; + } + + unsigned int idx = 1; // Skip type at index 0. + + // Get stream ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o stream id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto stream_id = data_to_val(move(msg[idx]), log_id_type); + + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); + return false; + } + + unref_guard stream_id_unreffer{stream_id}; + ++idx; + + // Get writer ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o writer id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_id = data_to_val(move(msg[idx]), writer_id_type); + + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id"); + return false; + } + + unref_guard writer_id_unreffer{writer_id}; + ++idx; + + // Get path. + + auto path = broker::get(msg[idx]); + + if ( ! path ) + { + reporter->Warning("failed to unpack remote log path"); + return false; + } + + ++idx; + + // Get log values. + + auto vals_data = broker::get(msg[idx]); + + if ( ! vals_data ) + { + reporter->Warning("failed to unpack remote log values"); + return false; + } + + auto num_vals = vals_data->size(); + auto vals = new threading::Value* [num_vals]; + + for ( auto i = 0u; i < num_vals; ++i ) + { + if ( auto val = data_to_threading_val((*vals_data)[i]) ) + vals[i] = val; + else + { + reporter->Warning("failed to convert remote log arg # %d", i); + return false; + } + } + + log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), *path, num_vals, vals); + return true; + } + bool bro_broker::Manager::AddStore(StoreHandleVal* handle) { if ( ! Enabled() ) diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 9fb7b9e328..10d5019b74 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -156,15 +156,34 @@ public: /** * Send a log entry to any interested peers. The topic name used is * implicitly "bro/log/". - * @param stream_id the stream to which the log entry belongs. - * @param columns the data which comprises the log entry. - * @param info the record type corresponding to the log's columns. + * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param path the log path to output the log entry to. + * @param num_vals the number of fields to log. + * @param vals the log values to log, of size num_vals. * @param flags tune the behavior of how the message is send. * See the Broker::SendFlags record type. * @return true if the message is sent successfully. */ - bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info, - int flags); + bool Log(EnumVal* stream, EnumVal* writer, string path, int num_vals, + const threading::Value* const * vals, int flags); + + /** + * Send a message to create a log stream to any interested peers. + * The log stream may or may not already exist on the receiving side. + * The topic name used is implicitly "bro/log/". + * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param info backend initialization information for the writer. + * @param num_fields the number of fields the log has. + * @param fields the log's fields of size num_fields. + * @param flags tune the behavior of how the message is send. + * See the Broker::SendFlags record type. + * @param peer If given, send the message only to this peer. + * @return true if the message is sent successfully. + */ + bool CreateLog(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, int flags, const string& peer = ""); /** * Automatically send an event to any interested peers whenever it is @@ -325,7 +344,6 @@ public: static int send_flags_to_int(Val* flags); private: - // IOSource interface overrides: void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) override; @@ -340,6 +358,9 @@ private: broker::endpoint& Endpoint() { return *endpoint; } + bool ProcessCreateLog(broker::message msg); + bool ProcessWriteLog(broker::message msg); + struct QueueWithStats { broker::message_queue q; size_t received = 0; @@ -360,6 +381,7 @@ private: static VectorType* vector_of_data_type; static EnumType* log_id_type; + static EnumType* writer_id_type; static int send_flags_self_idx; static int send_flags_peers_idx; static int send_flags_unsolicited_idx; diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index e1a314d4d6..5bebdebdfb 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -919,12 +919,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) #endif } -#ifdef ENABLE_BROKER - if ( stream->enable_remote && - ! broker_mgr->Log(id, columns, stream->columns, stream->remote_flags) ) - stream->enable_remote = false; -#endif - Unref(columns); return true; @@ -1121,23 +1115,46 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter, return vals; } +bool Manager::CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields) + { + return CreateWriter(id, writer, info, num_fields, fields, true, false, true); + } + +static void delete_info_and_fields(WriterBackend::WriterInfo* info, int num_fields, const threading::Field* const* fields) + { + for ( int i = 0; i < num_fields; i++ ) + delete fields[i]; + + delete [] fields; + delete info; + } + WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, - int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, + int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter) { + WriterFrontend* result = 0; + Stream* stream = FindStream(id); if ( ! stream ) + { // Don't know this stream. + delete_info_and_fields(info, num_fields, fields); return 0; + } Stream::WriterMap::iterator w = stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), info->path)); if ( w != stream->writers.end() ) + { // If we already have a writer for this. That's fine, we just // return it. + delete_info_and_fields(info, num_fields, fields); return w->second->writer; + } WriterInfo* winfo = new WriterInfo; winfo->type = writer->Ref()->AsEnumVal(); @@ -1190,7 +1207,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->info->rotation_interval = winfo->interval; winfo->info->rotation_base = parse_rotate_base_time(base_time); - winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote); + winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, stream->remote_flags); winfo->writer->Init(num_fields, fields); InstallRotationTimer(winfo); @@ -1207,8 +1224,8 @@ void Manager::DeleteVals(int num_fields, threading::Value** vals) delete [] vals; } -bool Manager::Write(EnumVal* id, EnumVal* writer, string path, int num_fields, - threading::Value** vals) +bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, string path, int num_fields, + threading::Value** vals) { Stream* stream = FindStream(id); @@ -1280,6 +1297,34 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer) } } +void Manager::SendAllWritersTo(const string& peer) + { +#ifdef ENABLE_BROKER + for ( vector::iterator s = streams.begin(); s != streams.end(); ++s ) + { + Stream* stream = (*s); + + if ( ! stream ) + continue; + + for ( Stream::WriterMap::iterator i = stream->writers.begin(); + i != stream->writers.end(); i++ ) + { + WriterFrontend* writer = i->second->writer; + + EnumVal writer_val(i->first.first, internal_type("Log::Writer")->AsEnumType()); + broker_mgr->CreateLog((*s)->id, + &writer_val, + *i->second->info, + writer->NumFields(), + writer->Fields(), + stream->remote_flags, + peer); + } + } +#endif + } + bool Manager::SetBuf(EnumVal* id, bool enabled) { Stream* stream = FindStream(id); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 5d3372fb9b..6852160169 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -129,6 +129,52 @@ public: */ bool Write(EnumVal* id, RecordVal* columns); + /** + * Create a new log writer frontend. This is exposed so that the + * communication system can recreated remote log streams locally. + * + * @param stream The enum value corresponding the log stream. + * + * @param writer The enum value corresponding the desired log writer. + * + * @param info A fully initialized object defining the + * characteristics of the backend writer instance. The method takes + * ownership of this. + * + * @param num_fields The number of log fields to write. + * + * @param vals An arry of log fields to write, of size num_fields. + * The method takes ownership of the arry. + * + * @return Returns true if the writer was successfully created. + */ + bool CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields); + + /** + * Writes out log entries that have already passed through all + * filters, and have raised any events. This is meant called for logs + * received alrready processed from remote. + * + * @param stream The enum value corresponding the log stream. + * + * @param writer The enum value corresponding the desired log writer. + * + * @param path The path of the target log stream to write to. + * + * @param num_fields The number of log values to write. + * + * @param vals An arry of log values to write, of size num_fields. + * The method takes ownership of the arry. + */ + bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path, + int num_fields, threading::Value** vals); + + /** + * Announces all instantiated writers to a given Broker peer. + */ + void SendAllWritersTo(const string& peer); + /** * Sets log streams buffering state. This adjusts all associated * writers to the new state. @@ -203,10 +249,6 @@ protected: int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter=""); - // Takes ownership of values.. - bool Write(EnumVal* id, EnumVal* writer, string path, - int num_fields, threading::Value** vals); - // Announces all instantiated writers to peer. void SendAllWritersTo(RemoteSerializer::PeerID peer); diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 3e868f067a..624b66b8e8 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -119,6 +119,63 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const return true; } +broker::data WriterBackend::WriterInfo::ToBroker() const + { + auto bpath = broker::record::field(path); + auto brotation_base = broker::record::field(rotation_base); + auto brotation_interval = broker::record::field(rotation_interval); + auto bnetwork_time = broker::record::field(network_time); + + auto t = broker::table(); + + for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) + { + auto key = std::string(i->first); + auto value = std::string(i->second); + t.insert(std::make_pair(key, value)); + } + + auto bconfig = broker::record::field(move(t)); + + return move(broker::record({bpath, brotation_base, brotation_interval, bnetwork_time, bconfig})); + } + +bool WriterBackend::WriterInfo::FromBroker(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return false; + + auto bpath = broker::get(*r->get(0)); + auto brotation_base = broker::get(*r->get(1)); + auto brotation_interval = broker::get(*r->get(2)); + auto bnetwork_time = broker::get(*r->get(3)); + auto bconfig = broker::get(*r->get(4)); + + if ( ! (bpath && brotation_base && brotation_interval && bnetwork_time && bconfig) ) + return false; + + path = copy_string(bpath->c_str()); + rotation_base = *brotation_base; + rotation_interval = *brotation_interval; + network_time = *bnetwork_time; + + for ( auto i : *bconfig ) + { + auto k = broker::get(i.first); + auto v = broker::get(i.second); + + if ( ! (k && v) ) + return false; + + auto p = std::make_pair(copy_string(k->c_str()), copy_string(v->c_str())); + config.insert(p); + } + + return true; + } + WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { num_fields = 0; diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index 2a93e8fefc..e17b7070c1 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h @@ -6,6 +6,7 @@ #define LOGGING_WRITERBACKEND_H #include "threading/MsgThread.h" +#include "broker/Data.h" #include "Component.h" @@ -110,15 +111,15 @@ public: } } - private: - const WriterInfo& operator=(const WriterInfo& other); // Disable. - - friend class ::RemoteSerializer; - // Note, these need to be adapted when changing the struct's // fields. They serialize/deserialize the struct. bool Read(SerializationFormat* fmt); bool Write(SerializationFormat* fmt) const; + broker::data ToBroker() const; + bool FromBroker(broker::data d); + + private: + const WriterInfo& operator=(const WriterInfo& other); // Disable. }; /** diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 14e131c755..05f4f6593a 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -2,6 +2,10 @@ #include "Net.h" #include "threading/SerialTypes.h" +#ifdef ENABLE_BROKER +#include "broker/Manager.h" +#endif + #include "Manager.h" #include "WriterFrontend.h" #include "WriterBackend.h" @@ -97,7 +101,7 @@ private: using namespace logging; -WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote) +WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote, int arg_remote_flags) { stream = arg_stream; writer = arg_writer; @@ -108,6 +112,7 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa buf = true; local = arg_local; remote = arg_remote; + remote_flags = arg_remote_flags; write_buffer = 0; write_buffer_pos = 0; info = new WriterBackend::WriterInfo(arg_info); @@ -167,12 +172,23 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const * arg_fields) backend->SendIn(new InitMessage(backend, arg_num_fields, arg_fields)); if ( remote ) + { remote_serializer->SendLogCreateWriter(stream, writer, *info, arg_num_fields, arg_fields); +#ifdef ENABLE_BROKER + broker_mgr->CreateLog(stream, + writer, + *info, + arg_num_fields, + arg_fields, + remote_flags); +#endif + } + } void WriterFrontend::Write(int arg_num_fields, Value** vals) @@ -191,12 +207,21 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals) } if ( remote ) + { remote_serializer->SendLogWrite(stream, writer, info->path, num_fields, vals); + broker_mgr->Log(stream, + writer, + info->path, + num_fields, + vals, + remote_flags); + } + if ( ! backend ) { DeleteVals(arg_num_fields, vals); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index e343f326bf..c39d2bdf3c 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -38,12 +38,15 @@ public: * * local: If true, the writer will instantiate a local backend. * - * remote: If true, the writer will forward all data to remote + * remote: If true, the writer will forward logs to remote * clients. * + * remote_flags: Broker flags controlling where remote logs are + * propagated to. + * * Frontends must only be instantiated by the main thread. */ - WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote); + WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int arg_remote_flags); /** * Destructor. @@ -214,6 +217,7 @@ protected: bool buf; // True if buffering is enabled (default). bool local; // True if logging locally. bool remote; // True if loggin remotely. + int remote_flags; // Broker propagation flags. const char* name; // Descriptive name of the WriterBackend::WriterInfo* info; // The writer information. diff --git a/testing/btest/Baseline/broker.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out index 2f4a31df51..e69de29bb2 100644 --- a/testing/btest/Baseline/broker.remote_log/recv.recv.out +++ b/testing/btest/Baseline/broker.remote_log/recv.recv.out @@ -1,6 +0,0 @@ -wrote log, [msg=ping, nolog=no, num=0] -wrote log, [msg=ping, nolog=no, num=1] -wrote log, [msg=ping, nolog=no, num=2] -wrote log, [msg=ping, nolog=no, num=3] -wrote log, [msg=ping, nolog=no, num=4] -wrote log, [msg=ping, nolog=no, num=5] diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.recv.out b/testing/btest/Baseline/broker.remote_log_types/recv.recv.out new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.test.log b/testing/btest/Baseline/broker.remote_log_types/recv.test.log new file mode 100644 index 0000000000..eb2b066cd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/recv.test.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-35 diff --git a/testing/btest/Baseline/broker.remote_log_types/send.send.out b/testing/btest/Baseline/broker.remote_log_types/send.send.out new file mode 100644 index 0000000000..632279e697 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.send.out @@ -0,0 +1 @@ +Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp diff --git a/testing/btest/Baseline/broker.remote_log_types/send.test.log b/testing/btest/Baseline/broker.remote_log_types/send.test.log new file mode 100644 index 0000000000..59987c5998 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.test.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-36 diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test index 5881ad6d92..598f3f6e46 100644 --- a/testing/btest/broker/remote_log.test +++ b/testing/btest/broker/remote_log.test @@ -12,25 +12,28 @@ @TEST-START-FILE common.bro + +global quit_receiver: event(); +global quit_sender: event(); + + module Test; export { - redef enum Log::ID += { LOG }; + redef enum Log::ID += { LOG }; - type Info: record { - msg: string &log; - nolog: string &default="no"; - num: count &log; - }; - - global log_test: event(rec: Test::Info); + type Info: record { + msg: string &log; + nolog: string &default="no"; + num: count &log; + }; } event bro_init() &priority=5 - { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); - } + { + Broker::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } @TEST-END-FILE @@ -40,58 +43,66 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::subscribe_to_logs("bro/log/"); - Broker::listen(broker_port, "127.0.0.1"); - } + { + Broker::subscribe_to_logs("bro/log/"); + Broker::subscribe_to_events("bro/event/"); + Broker::listen(broker_port, "127.0.0.1"); + } -event Test::log_test(rec: Test::Info) +event quit_receiver() { - print "wrote log", rec; - - if ( rec$num == 5 ) - terminate(); + terminate(); } @TEST-END-FILE + @TEST-START-FILE send.bro const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); - } + { + Broker::enable_remote_logs(Test::LOG); + Broker::connect("127.0.0.1", broker_port, 1secs); + } global n = 0; event do_write() - { - if ( n == 6 ) - return; - else + { + if ( n == 6 ) { - Log::write(Test::LOG, [$msg = "ping", $num = n]); - ++n; - event do_write(); + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; } + else + { + Log::write(Test::LOG, [$msg = "ping", $num = n]); + ++n; + event do_write(); + } + } + +event quit_sender() + { + terminate(); } event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - event do_write(); - } + { + print "Broker::outgoing_connection_established", peer_address, peer_port; + event do_write(); + } event Broker::outgoing_connection_broken(peer_address: string, peer_port: port) - { - terminate(); - } + { + terminate(); + } @TEST-END-FILE diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.test new file mode 100644 index 0000000000..9089e087cb --- /dev/null +++ b/testing/btest/broker/remote_log_types.test @@ -0,0 +1,133 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv/test.log +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff send/test.log + +@TEST-START-FILE common.bro + + +global quit_receiver: event(); +global quit_sender: event(); + + +module Test; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; + +} + +event bro_init() &priority=5 + { + Broker::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } + +@TEST-END-FILE + +@TEST-START-FILE recv.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Broker::subscribe_to_logs("bro/log/"); + Broker::subscribe_to_events("bro/event/"); + Broker::listen(broker_port, "127.0.0.1"); + } + +event quit_receiver() + { + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE send.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Broker::enable_remote_logs(Test::LOG); + Broker::connect("127.0.0.1", broker_port, 1secs); + } + +event quit_sender() + { + terminate(); + } + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event Broker::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Broker::outgoing_connection_established", peer_address, peer_port; + + local empty_set: set[string]; + local empty_vector: vector of string; + + Log::write(Test::LOG, [ + $b=T, + $i=-42, + $e=Test::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=network_time(), + $iv=100secs, + $s="hurz", + $sc=set(1), # set(1,2,3,4), # Output not stable for multi-element sets. + $ss=set("AA"), # set("AA", "BB", "CC") # Output not stable for multi-element sets. + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); + + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; + } + +@TEST-END-FILE From 2b694a1881f97b0042fd4e05f77bd88fff6389dd Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 11 Feb 2017 08:36:47 -0800 Subject: [PATCH 162/288] Update failing intel framework test. --- .../output | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 9cb4a7c9ff..69606c1407 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2016-09-20-22-35-58 +#open 2017-02-11-16-36-40 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 507-508 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/johanna/bro/master/scripts/base/frameworks/intel/./main.bro, lines 520-521 0.000000 Reporter::INFO received termination signal (empty) -#close 2016-09-20-22-35-59 +#close 2017-02-11-16-36-40 From 809660d48a171533eb51db30ad25bcef121d9c04 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 14 Feb 2017 07:21:00 -0800 Subject: [PATCH 163/288] Tiny mime-type fix from Dan Caselden. --- scripts/base/frameworks/files/magic/general.sig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index d3bed97efa..23b1c1d074 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -116,7 +116,7 @@ signature file-reg-utf16 { # Microsoft Registry format (typically DESKTOP.DAT) signature file-regf { - file-mime "application vnd.ms-regf", 49 + file-mime "application/vnd.ms-regf", 49 file-magic /^\x72\x65\x67\x66/ } From 976677dba259ca02268141766329bccc4f99a5db Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 14 Feb 2017 12:19:08 -0800 Subject: [PATCH 164/288] Add missing end of file call for stapled ocsp responses. --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index d2ccd796cb..6882e48cbb 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -235,7 +235,7 @@ refine connection Handshake_Conn += { (const char*) response.data()), status_type); - + file_mgr->EndOfFile(file_id); } return true; %} From b3a18f3c80ced6168487c09fa950e0b9b2c9ea9a Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Wed, 15 Feb 2017 16:24:21 -0600 Subject: [PATCH 165/288] Kerberos ciphertext had some additional ASN.1 content being lumped in. --- src/analyzer/protocol/krb/krb-types.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index bb2bfba3e8..3b3b9d1f09 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -95,7 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket) rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); - rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext())); + rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content())); return rv; } @@ -162,7 +162,7 @@ type KRB_Encrypted_Data = record { true -> next_meta: ASN1EncodingMeta; false -> none_meta: empty; }; - ciphertext : bytestring &length=have_kvno ? next_meta.length : kvno_meta.length; + ciphertext : ASN1OctetString &length=have_kvno ? next_meta.length : kvno_meta.length; } &let { have_kvno : bool = kvno_meta.index == 1; }; From 5604f46dd3c249af2a3d1e61cd8b3c29de606ad0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 15 Feb 2017 17:38:56 -0800 Subject: [PATCH 166/288] OCSP SCT: use correct oid for old openssls --- src/file_analysis/analyzer/x509/OCSP.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 1c27720e36..7a6a3c9a12 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -347,7 +347,7 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa #ifdef NID_ct_cert_scts if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else - if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 ) #endif ParseSignedCertificateTimestamps(ex); } From 511ca9e043c06729314db2f2c55cbb330b8d2d0f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 Feb 2017 16:28:20 -0800 Subject: [PATCH 167/288] Adding Broker ifdefs for new remote logging code. --- src/logging/Manager.cc | 4 ++++ src/logging/Manager.h | 4 ++-- src/logging/WriterBackend.cc | 2 ++ src/logging/WriterBackend.h | 6 ++++++ src/logging/WriterFrontend.cc | 2 ++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 5bebdebdfb..8c720137e8 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -1207,7 +1207,11 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->info->rotation_interval = winfo->interval; winfo->info->rotation_base = parse_rotate_base_time(base_time); +#ifdef ENABLE_BROKER winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, stream->remote_flags); +#else + winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, 0); +#endif winfo->writer->Init(num_fields, fields); InstallRotationTimer(winfo); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 6852160169..3334942a3a 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -131,7 +131,7 @@ public: /** * Create a new log writer frontend. This is exposed so that the - * communication system can recreated remote log streams locally. + * communication system can recreate remote log streams locally. * * @param stream The enum value corresponding the log stream. * @@ -153,7 +153,7 @@ public: /** * Writes out log entries that have already passed through all - * filters, and have raised any events. This is meant called for logs + * filters (and have raised any events). This is meant called for logs * received alrready processed from remote. * * @param stream The enum value corresponding the log stream. diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 624b66b8e8..e2afd360e7 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -119,6 +119,7 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const return true; } +#ifdef ENABLE_BROKER broker::data WriterBackend::WriterInfo::ToBroker() const { auto bpath = broker::record::field(path); @@ -175,6 +176,7 @@ bool WriterBackend::WriterInfo::FromBroker(broker::data d) return true; } +#endif WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index e17b7070c1..f6602cc8ca 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h @@ -6,7 +6,10 @@ #define LOGGING_WRITERBACKEND_H #include "threading/MsgThread.h" + +#ifdef ENABLE_BROKER #include "broker/Data.h" +#endif #include "Component.h" @@ -115,8 +118,11 @@ public: // fields. They serialize/deserialize the struct. bool Read(SerializationFormat* fmt); bool Write(SerializationFormat* fmt) const; + +#ifdef ENABLE_BROKER broker::data ToBroker() const; bool FromBroker(broker::data d); +#endif private: const WriterInfo& operator=(const WriterInfo& other); // Disable. diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 05f4f6593a..0c2378890f 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -214,12 +214,14 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals) num_fields, vals); +#ifdef ENABLE_BROKER broker_mgr->Log(stream, writer, info->path, num_fields, vals, remote_flags); +#endif } if ( ! backend ) From 0b8b76cfabb5dd15547c437e1a1c12f81a10d591 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 18 Feb 2017 13:55:39 -0500 Subject: [PATCH 168/288] Refactor base krb scripts and update tests. --- scripts/base/protocols/krb/files.bro | 23 +- scripts/base/protocols/krb/main.bro | 227 ++++++++---------- .../policy/protocols/krb/ticket-logging.bro | 26 +- scripts/test-all-policy.bro | 1 + testing/btest/Baseline/plugins.hooks/output | 15 +- .../scripts.base.protocols.krb.kinit/output | 2 +- .../kerberos.log | 10 + .../policy/protocols/krb/ticket-logging.bro | 6 + 8 files changed, 135 insertions(+), 175 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log create mode 100644 testing/btest/scripts/policy/protocols/krb/ticket-logging.bro diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..a486a56290 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -78,30 +78,19 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( f$source != "KRB_TCP" && f$source != "KRB" ) return; - local info: Info; - - if ( ! c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; + set_session(c); if ( is_orig ) { - info$client_cert = f$info; - info$client_cert_fuid = f$id; + c$krb$client_cert = f$info; + c$krb$client_cert_fuid = f$id; } else { - info$server_cert = f$info; - info$server_cert_fuid = f$id; + c$krb$server_cert = f$info; + c$krb$server_cert_fuid = f$id; } - c$krb = info; - Files::add_analyzer(f, Files::ANALYZER_X509); # Always calculate hashes. They are not necessary for base scripts # but very useful for identification, and required for policy scripts @@ -111,7 +100,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori function fill_in_subjects(c: connection) { - if ( !c?$krb ) + if ( ! c?$krb ) return; if ( c$krb?$client_cert && c$krb$client_cert?$x509 && c$krb$client_cert$x509?$certificate ) diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index fc6abc5bff..02abced683 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro @@ -10,41 +10,41 @@ export { type Info: record { ## Timestamp for when the event happened. - ts: time &log; + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Request type - Authentication Service ("AS") or ## Ticket Granting Service ("TGS") - request_type: string &log &optional; + request_type: string &log &optional; ## Client - client: string &log &optional; + client: string &log &optional; ## Service - service: string &log; + service: string &log &optional; ## Request result - success: bool &log &optional; + success: bool &log &optional; ## Error code - error_code: count &optional; + error_code: count &optional; ## Error message - error_msg: string &log &optional; + error_msg: string &log &optional; ## Ticket valid from - from: time &log &optional; + from: time &log &optional; ## Ticket valid till - till: time &log &optional; + till: time &log &optional; ## Ticket encryption type - cipher: string &log &optional; + cipher: string &log &optional; ## Forwardable ticket requested - forwardable: bool &log &optional; + forwardable: bool &log &optional; ## Renewable ticket requested - renewable: bool &log &optional; + renewable: bool &log &optional; ## We've already logged this - logged: bool &default=F; + logged: bool &default=F; }; ## The server response error texts which are *not* logged. @@ -80,179 +80,140 @@ event bro_init() &priority=5 Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]); } -event krb_error(c: connection, msg: Error_Msg) &priority=5 +function set_session(c: connection): bool { - local info: Info; - - if ( msg?$error_text && msg$error_text in ignored_errors ) + if ( ! c?$krb ) { - if ( c?$krb ) delete c$krb; - return; + c$krb = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - - if ( c?$krb && c$krb$logged ) - return; - - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", - msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$service_name; - info$success = F; - - info$error_code = msg$error_code; - - if ( msg?$error_text ) info$error_msg = msg$error_text; - else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code]; - - c$krb = info; + + return c$krb$logged; } -event krb_error(c: connection, msg: Error_Msg) &priority=-5 +function do_log(c: connection) { - if ( c?$krb ) + if ( c?$krb && ! c$krb$logged ) { Log::write(KRB::LOG, c$krb); c$krb$logged = T; } } -event krb_as_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=5 { - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - local info: Info; - - if ( !c?$krb ) + if ( msg?$error_text && msg$error_text in ignored_errors ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + if ( c?$krb ) + delete c$krb; + + return; } - else - info = c$krb; - info$request_type = "AS"; - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); - info$service = msg$service_name; + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) + c$krb$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", + msg?$client_realm ? msg$client_realm : ""); - if ( msg?$from ) - info$from = msg$from; + c$krb$service = msg$service_name; + c$krb$success = F; + c$krb$error_code = msg$error_code; - info$till = msg$till; - - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; - - c$krb = info; + if ( msg?$error_text ) + c$krb$error_msg = msg$error_text; + else if ( msg$error_code in error_msg ) + c$krb$error_msg = error_msg[msg$error_code]; } -event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=-5 { - if ( c?$krb && c$krb$logged ) + do_log(c); + } + +event krb_as_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) return; - local info: Info; + c$krb$request_type = "AS"; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); + c$krb$service = msg$service_name; - if ( !c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; - info$request_type = "TGS"; - info$service = msg$service_name; - if ( msg?$from ) info$from = msg$from; - info$till = msg$till; - - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; - - c$krb = info; + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_as_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_as_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); + } + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) &priority=5 + { + if ( set_session(c) ) + return; + } + +event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) + return; + + c$krb$request_type = "TGS"; + c$krb$service = msg$service_name; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; + + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); } event connection_state_remove(c: connection) &priority=-5 { - if ( c?$krb && ! c$krb$logged ) - Log::write(KRB::LOG, c$krb); + do_log(c); } diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro index e254b6dc26..22fd3c810b 100644 --- a/scripts/policy/protocols/krb/ticket-logging.bro +++ b/scripts/policy/protocols/krb/ticket-logging.bro @@ -1,3 +1,7 @@ +##! Add Kerberos ticket hashes to the krb.log + +@load base/protocols/krb + module KRB; redef record Info += { @@ -9,25 +13,11 @@ redef record Info += { event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) { - if ( c?$krb && c$krb$logged ) - return; - - local info: Info; + # Will be overwritten when request is a TGS + c$krb$request_type = "AP"; - if ( !c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; - - info$request_type = "AP"; # Will be overwritten when request is a TGS if ( ticket?$ciphertext ) - info$auth_ticket = md5_hash(ticket$ciphertext); - - c$krb = info; + c$krb$auth_ticket = md5_hash(ticket$ciphertext); } event krb_as_response(c: connection, msg: KDC_Response) @@ -40,4 +30,4 @@ event krb_tgs_response(c: connection, msg: KDC_Response) { if ( msg$ticket?$ciphertext ) c$krb$new_ticket = md5_hash(msg$ticket$ciphertext); - } \ No newline at end of file + } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 8d1a9ff054..a022060cd4 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -72,6 +72,7 @@ @load protocols/http/software.bro @load protocols/http/var-extraction-cookies.bro @load protocols/http/var-extraction-uri.bro +@load protocols/krb/ticket-logging.bro @load protocols/modbus/known-masters-slaves.bro @load protocols/modbus/track-memmap.bro @load protocols/mysql/software.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9b22c34b71..c291302748 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -968,7 +968,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1098,7 +1098,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1688,7 +1688,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1818,7 +1818,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2297,6 +2297,7 @@ 1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> @@ -2327,6 +2328,7 @@ 1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) 1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) @@ -2358,6 +2360,7 @@ 1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output index 0bec7ee13c..cf6a7a0616 100644 --- a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output +++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output @@ -1,3 +1,3 @@ KRB_AP_REQUEST -[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18] +[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext=\x04\x81\xfa{\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^: Date: Mon, 20 Feb 2017 00:07:14 -0500 Subject: [PATCH 169/288] Rework the RADIUS base script. - This fixes BIT-1769 by logging all requests even in the absence of a reply. The way that request and replying matching were being handled was restructured to mostly ignore the transaction ids because they aren't that helpful for network monitoring and it makes the script structure more complicated. - Add `framed_addr` field to the radius log to indicate if the radius server is hinting at an address for the client. - Add `ttl` field to indicate how quickly the radius server is replying to the network access server. - Fix a bunch of indentation inconsistencies. --- scripts/base/protocols/radius/main.bro | 151 ++++++++++-------- .../radius.log | 10 +- .../radius.log | 16 ++ .../Traces/radius/radius_localhost.pcapng | Bin 0 -> 2952 bytes .../radius/radius-multiple-attempts.test | 6 + 5 files changed, 113 insertions(+), 70 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log create mode 100644 testing/btest/Traces/radius/radius_localhost.pcapng create mode 100644 testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro index d9c2d08ca8..ea30b27911 100644 --- a/scripts/base/protocols/radius/main.bro +++ b/scripts/base/protocols/radius/main.bro @@ -10,52 +10,51 @@ export { type Info: record { ## Timestamp for when the event happened. - ts : time &log; + ts : time &log; ## Unique ID for the connection. - uid : string &log; + uid : string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id : conn_id &log; + id : conn_id &log; ## The username, if present. - username : string &log &optional; + username : string &log &optional; ## MAC address, if present. - mac : string &log &optional; - ## Remote IP address, if present. - remote_ip : addr &log &optional; + mac : string &log &optional; + ## The address given to the network access server, if + ## present. This is only a hint from the RADIUS server + ## and the network access server is not required to honor + ## the address. + framed_addr : addr &log &optional; + ## Remote IP address, if present. This is collected + ## from the Tunnel-Client-Endpoint attribute. + remote_ip : addr &log &optional; ## Connect info, if present. - connect_info : string &log &optional; + connect_info : string &log &optional; + ## Reply message from the server challenge. This is + ## frequently shown to the user authenticating. + reply_msg : string &log &optional; ## Successful or failed authentication. - result : string &log &optional; - ## Whether this has already been logged and can be ignored. - logged : bool &optional; + result : string &log &optional; + ## The duration between the first request and + ## either the "Access-Accept" message or an error. + ## If the field is empty, it means that either + ## the request or response was not seen. + ttl : interval &log &optional; + ## Whether this has already been logged and can be ignored. + logged : bool &default=F; }; - ## The amount of time we wait for an authentication response before - ## expiring it. - const expiration_interval = 10secs &redef; - - ## Logs an authentication attempt if we didn't see a response in time. - ## - ## t: A table of Info records. - ## - ## idx: The index of the connection$radius table corresponding to the - ## radius authentication about to expire. - ## - ## Returns: 0secs, which when this function is used as an - ## :bro:attr:`&expire_func`, indicates to remove the element at - ## *idx* immediately. - global expire: function(t: table[count] of Info, idx: count): interval; - ## Event that can be handled to access the RADIUS record as it is sent on - ## to the loggin framework. + ## to the logging framework. global log_radius: event(rec: Info); } redef record connection += { - radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire; + radius: Info &optional; }; const ports = { 1812/udp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { @@ -63,64 +62,86 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports); } -event radius_message(c: connection, result: RADIUS::Message) +event radius_message(c: connection, result: RADIUS::Message) &priority=5 { - local info: Info; - - if ( c?$radius && result$trans_id in c$radius ) - info = c$radius[result$trans_id]; - else + if ( ! c?$radius ) { - c$radius = table(); - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$radius = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - switch ( RADIUS::msg_types[result$code] ) { + switch ( RADIUS::msg_types[result$code] ) + { case "Access-Request": - if ( result?$attributes ) { + if ( result?$attributes ) + { # User-Name - if ( ! info?$username && 1 in result$attributes ) - info$username = result$attributes[1][0]; + if ( ! c$radius?$username && 1 in result$attributes ) + c$radius$username = result$attributes[1][0]; # Calling-Station-Id (we expect this to be a MAC) - if ( ! info?$mac && 31 in result$attributes ) - info$mac = normalize_mac(result$attributes[31][0]); + if ( ! c$radius?$mac && 31 in result$attributes ) + c$radius$mac = normalize_mac(result$attributes[31][0]); # Tunnel-Client-EndPoint (useful for VPNs) - if ( ! info?$remote_ip && 66 in result$attributes ) - info$remote_ip = to_addr(result$attributes[66][0]); + if ( ! c$radius?$remote_ip && 66 in result$attributes ) + c$radius$remote_ip = to_addr(result$attributes[66][0]); # Connect-Info - if ( ! info?$connect_info && 77 in result$attributes ) - info$connect_info = result$attributes[77][0]; - } + if ( ! c$radius?$connect_info && 77 in result$attributes ) + c$radius$connect_info = result$attributes[77][0]; + } + break; + case "Access-Challenge": + if ( result?$attributes ) + { + # Framed-IP-Address + if ( ! c$radius?$framed_addr && 8 in result$attributes ) + c$radius$framed_addr = raw_bytes_to_v4_addr(result$attributes[8][0]); + + if ( ! c$radius?$reply_msg && 18 in result$attributes ) + c$radius$reply_msg = result$attributes[18][0]; + } break; case "Access-Accept": - info$result = "success"; + c$radius$result = "success"; break; case "Access-Reject": - info$result = "failed"; + c$radius$result = "failed"; break; - } - if ( info?$result && ! info?$logged ) - { - info$logged = T; - Log::write(RADIUS::LOG, info); + # TODO: Support RADIUS accounting. (add port 1813/udp above too) + #case "Accounting-Request": + # break; + # + #case "Accounting-Response": + # break; } - - c$radius[result$trans_id] = info; } +event radius_message(c: connection, result: RADIUS::Message) &priority=-5 + { + if ( c$radius?$result ) + { + local ttl = network_time() - c$radius$ts; + if ( ttl != 0secs ) + c$radius$ttl = ttl; -function expire(t: table[count] of Info, idx: count): interval - { - t[idx]$result = "unknown"; - Log::write(RADIUS::LOG, t[idx]); - return 0secs; - } + Log::write(RADIUS::LOG, c$radius); + + delete c$radius; + } + } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$radius && ! c$radius$logged ) + { + c$radius$result = "unknown"; + Log::write(RADIUS::LOG, c$radius); + } + } diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log index 944b5a3ad3..bd536ecca2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log +++ b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path radius -#open 2016-07-13-16-16-47 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac remote_ip connect_info result -#types time string addr port addr port string string addr string string -1217631137.916736 CHhAvVGS1DHFjwGM9 10.0.0.1 1645 10.0.0.100 1812 John.McGuirk 00:14:22:e9:54:5e - - success -#close 2016-07-13-16-16-47 +#open 2017-02-20-04-53-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac framed_addr remote_ip connect_info reply_msg result ttl +#types time string addr port addr port string string addr addr string string string interval +1217631137.872968 CHhAvVGS1DHFjwGM9 10.0.0.1 1645 10.0.0.100 1812 John.McGuirk 00:14:22:e9:54:5e 255.255.255.254 - - Hello, %u success 0.043882 +#close 2017-02-20-04-53-55 diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log new file mode 100644 index 0000000000..8dac83de65 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log @@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path radius +#open 2017-02-20-04-56-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac framed_addr remote_ip connect_info reply_msg result ttl +#types time string addr port addr port string string addr addr string string string interval +1440447766.440305 CHhAvVGS1DHFjwGM9 127.0.0.1 53031 127.0.0.1 1812 steve - 172.16.3.33 - - - failed 1.005906 +1440447839.947454 ClEkJM2Vm5giqnMf4h 127.0.0.1 65443 127.0.0.1 1812 steve - 172.16.3.33 - - - success 0.000779 +1440447848.196115 C4J4Th3PJpwUYZZ6gc 127.0.0.1 57717 127.0.0.1 1812 steve - - - - - success 0.000275 +1440447860.613743 CtPZjS20MLrsMUOJi2 127.0.0.1 64691 127.0.0.1 1812 steve - - - - - success 0.000273 +1440447880.931272 CUM0KZ3MLUfNB0cl11 127.0.0.1 52178 127.0.0.1 1812 steve - - - - - failed 1.001459 +1440447904.122012 CmES5u32sYpV7JYN 127.0.0.1 62956 127.0.0.1 1812 steve - - - - - unknown - +1440448190.335333 CP5puj4I8PtEU4qzYg 127.0.0.1 53127 127.0.0.1 1812 steve - - - - - success 0.000517 +#close 2017-02-20-04-56-31 diff --git a/testing/btest/Traces/radius/radius_localhost.pcapng b/testing/btest/Traces/radius/radius_localhost.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..0de5c46dcd1d31202b4190668fa90d613ae14108 GIT binary patch literal 2952 zcmc(hdo+}39LJxTVMd11Gzm%5ML6UZQf<3ZF1a*rDVNf?&CoCxrcNd0-li6z>sA(< zky}MJIjlBYO2tUZs!gG*Hm#IB?94vT?7MTk)1Ljq*>n0GU!Lck@jRd3_xV1Ix~8VO zJ^;Y;3sXG;{3*iOb$dagD9u(6Roq*|SkaLS^Vph9jE1ASGr-!3m&$h35q7cD0qB-uG~#@n5& znHt1MpiYqguAB$GuNevz;wmoVv5Mdr3FA7QcO1_}p|=@FNRKBp88&#n!s z7@L2_VL>+;El8xG?*uh+xfW^O6f(3OsG}z&>Xf+naC1JNuK}m34>jd)W9q;LwN?+_|lBhBQ>4_DYtbS3v=h8JejTGtPLs=@0Ojv8^?k|nS#be3 zzc)`juX&Q{MGN@zcN;%<*ZViDpEn5g#GN{{p5FJTdvb=_7YMSR@fP<|{xyF!9+C*< z{4q)R9^~Gl{0V_*|GD%o^?`%}XP+|}TF)$hRe0O9;9yl^@v+X#K0{hTWzcoJw?9*7 z-E+SEv8mukS;O5x;oeW_VE*Kt*>$hTd*>)vmrvH75kB>949vnm`4hu2DwMw)o|1@k zI7Y(qmptZ;=azdPD@`H_LFBXMfDe=~dPan;cX)X~9(^+2lSu*;*(jNMnNXW^+t@H> zKonQkfLQTXRzvs>9vl!FR=??ttI+Gz1-rvp3AD$YwUC4NGGtKOA2l0`d0kQ0ZLWNis znJ^>SaEyepgk=QcSt#@;BEXb}5?R0{%fhd%-gL8lY>c5%mU|)wF5B);JAB7s zv(v5~HP)>quWtQcp0t!Wa+Grt3oqux|FNwdSWZlVJ5Tg@U+BK9?9LA|-AbnYm?9^7 zT&LMr#ZHNCUd#HpuB&VDmYm&mE3h_yY-^SNVA|X*2J;m;@q^x=LOH2_>&>x&VEJW7{i{?ffy{*ZBTg-oG4JYdltYwLa%# z^lFZWqQ8lE(xZ3i6BesCpNFMr<;rMfUvkqv4@<<2>Yd6gyGHRWZ5h}Zpg=>z48GXjf^m-@zNo6LEtQ^PH2ID|i=U(9_ Date: Tue, 21 Feb 2017 15:06:39 -0500 Subject: [PATCH 170/288] Updated Windows version detection to include Windows 10 Thanks to Fatema Bannatwala for finding it and Keith Lehigh and Mike Patterson for verifying. --- scripts/policy/frameworks/software/windows-version-detection.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.bro index 7ed1ab359e..50177b2e9b 100644 --- a/scripts/policy/frameworks/software/windows-version-detection.bro +++ b/scripts/policy/frameworks/software/windows-version-detection.bro @@ -48,6 +48,7 @@ export { ["Microsoft-CryptoAPI/6.2"] = [$name="Windows", $version=[$major=6, $minor=2, $addl="8 or Server 2012"]], ["Microsoft-CryptoAPI/6.3"] = [$name="Windows", $version=[$major=6, $minor=3, $addl="8.1 or Server 2012 R2"]], ["Microsoft-CryptoAPI/6.4"] = [$name="Windows", $version=[$major=6, $minor=4, $addl="10 Technical Preview"]], + ["Microsoft-CryptoAPI/10.0"] = [$name="Windows", $version=[$major=10, $minor=0]], } &redef; } From b0d812812f7b8539bf2066683f8c4b6d4d827e6e Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 21 Feb 2017 15:45:26 -0500 Subject: [PATCH 171/288] In progress on ascii writer behavior change. --- src/input/readers/ascii/Ascii.cc | 83 ++++++++++++++++++++++++-------- src/input/readers/ascii/Ascii.h | 5 ++ 2 files changed, 69 insertions(+), 19 deletions(-) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 8b609bda04..3d7d6415a5 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,6 +61,11 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { + continue_on_failure = true; + is_failed = false; + + filename = info.source; + separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -98,18 +103,10 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - file.open(info.source); - if ( ! file.is_open() ) + if ( ! OpenFile() ) { - Error(Fmt("Init: cannot open %s", info.source)); - return false; - } - - if ( ReadHeader(false) == false ) - { - Error(Fmt("Init: cannot open %s; headers are incorrect", info.source)); - file.close(); - return false; + is_failed = true; + return continue_on_failure; } DoUpdate(); @@ -117,6 +114,26 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f return true; } +bool Ascii::OpenFile() + { + file.open(filename); + if ( ! file.is_open() ) + { + Error(Fmt("Init: cannot open %s", filename.c_str())); + is_failed = true; + return continue_on_failure; + } + + if ( ReadHeader(false) == false ) + { + Error(Fmt("Init: cannot open %s; headers are incorrect", filename.c_str())); + file.close(); + is_failed = true; + return continue_on_failure; + } + + return true; + } bool Ascii::ReadHeader(bool useCached) { @@ -129,7 +146,8 @@ bool Ascii::ReadHeader(bool useCached) if ( ! GetLine(line) ) { Error("could not read first line"); - return false; + is_failed = true; + return continue_on_failure; } headerline = line; @@ -172,7 +190,9 @@ bool Ascii::ReadHeader(bool useCached) Error(Fmt("Did not find requested field %s in input data file %s.", field->name, Info().source)); - return false; + + is_failed = true; + return continue_on_failure; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -184,7 +204,9 @@ bool Ascii::ReadHeader(bool useCached) { Error(Fmt("Could not find requested port type field %s in input data file.", field->secondary_name)); - return false; + + is_failed = true; + return continue_on_failure; } f.secondary_position = ifields[field->secondary_name]; @@ -224,6 +246,12 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { + if ( is_failed ) + if ( ! OpenFile() ) + { + printf("do updates after failure?!\n"); + } + switch ( Info().mode ) { case MODE_REREAD: { @@ -232,7 +260,8 @@ bool Ascii::DoUpdate() if ( stat(Info().source, &sb) == -1 ) { Error(Fmt("Could not get stat for %s", Info().source)); - return false; + is_failed = true; + return continue_on_failure; } if ( sb.st_mtime <= mtime ) // no change @@ -255,7 +284,10 @@ bool Ascii::DoUpdate() { file.clear(); // remove end of file evil bits if ( !ReadHeader(true) ) - return false; // header reading failed + { + is_failed = true; + return continue_on_failure; // header reading failed + } break; } @@ -267,12 +299,14 @@ bool Ascii::DoUpdate() if ( ! file.is_open() ) { Error(Fmt("cannot open %s", Info().source)); - return false; + is_failed = true; + return continue_on_failure; } if ( ReadHeader(false) == false ) { - return false; + is_failed = true; + return continue_on_failure; } break; @@ -334,7 +368,9 @@ bool Ascii::DoUpdate() delete fields[i]; delete [] fields; - return false; + + is_failed = true; + return continue_on_failure; } Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); @@ -390,6 +426,15 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { + printf("heartbeat\n"); + is_failed = false; + + if ( ! file.is_open() ) + OpenFile(); + + //if ( is_failed ) + // return continue_on_failure; + switch ( Info().mode ) { case MODE_MANUAL: diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 20a459968d..102736d24e 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -55,7 +55,9 @@ protected: private: bool ReadHeader(bool useCached); bool GetLine(string& str); + bool OpenFile(); + string filename; ifstream file; time_t mtime; @@ -71,6 +73,9 @@ private: string empty_field; string unset_field; + bool continue_on_failure; + bool is_failed; + std::unique_ptr formatter; }; From 2b15ec1069bf150ea29c2ff3b46edfba4acbb109 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 21 Feb 2017 23:35:29 -0500 Subject: [PATCH 172/288] Another resilient Ascii reader checkpoint. This works correctly now (as a prototype at least). If a file disappears, the thread complains once and once the file reappears the thread will once again begin watching it. --- src/input/readers/ascii/Ascii.cc | 63 ++++++++++---------------------- src/input/readers/ascii/Ascii.h | 1 - 2 files changed, 19 insertions(+), 45 deletions(-) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 3d7d6415a5..2f91ebe27a 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -64,8 +64,6 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f continue_on_failure = true; is_failed = false; - filename = info.source; - separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -103,11 +101,10 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - if ( ! OpenFile() ) - { - is_failed = true; + OpenFile(); + + if ( is_failed ) return continue_on_failure; - } DoUpdate(); @@ -116,22 +113,25 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f bool Ascii::OpenFile() { - file.open(filename); + file.open(Info().source); if ( ! file.is_open() ) { - Error(Fmt("Init: cannot open %s", filename.c_str())); + if ( ! is_failed ) + Warning(Fmt("Init: cannot open %s", Info().source)); is_failed = true; return continue_on_failure; } if ( ReadHeader(false) == false ) { - Error(Fmt("Init: cannot open %s; headers are incorrect", filename.c_str())); + if ( ! is_failed ) + Warning(Fmt("Init: cannot open %s; headers are incorrect", Info().source)); file.close(); is_failed = true; return continue_on_failure; } + is_failed = false; return true; } @@ -141,14 +141,10 @@ bool Ascii::ReadHeader(bool useCached) string line; map ifields; - if ( ! useCached ) + if ( headerline == "" ) { if ( ! GetLine(line) ) - { - Error("could not read first line"); - is_failed = true; - return continue_on_failure; - } + return false; headerline = line; } @@ -188,7 +184,7 @@ bool Ascii::ReadHeader(bool useCached) continue; } - Error(Fmt("Did not find requested field %s in input data file %s.", + Warning(Fmt("Did not find requested field %s in input data file %s.", field->name, Info().source)); is_failed = true; @@ -202,7 +198,7 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - Error(Fmt("Could not find requested port type field %s in input data file.", + Warning(Fmt("Could not find requested port type field %s in input data file.", field->secondary_name)); is_failed = true; @@ -215,7 +211,6 @@ bool Ascii::ReadHeader(bool useCached) columnMap.push_back(f); } - // well, that seems to have worked... return true; } @@ -246,12 +241,6 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { - if ( is_failed ) - if ( ! OpenFile() ) - { - printf("do updates after failure?!\n"); - } - switch ( Info().mode ) { case MODE_REREAD: { @@ -259,7 +248,8 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - Error(Fmt("Could not get stat for %s", Info().source)); + Warning(Fmt("Could not get stat for %s", Info().source)); + file.close(); is_failed = true; return continue_on_failure; } @@ -295,19 +285,7 @@ bool Ascii::DoUpdate() file.close(); } - file.open(Info().source); - if ( ! file.is_open() ) - { - Error(Fmt("cannot open %s", Info().source)); - is_failed = true; - return continue_on_failure; - } - - if ( ReadHeader(false) == false ) - { - is_failed = true; - return continue_on_failure; - } + OpenFile(); break; } @@ -361,7 +339,7 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { - Error(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", + Warning(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", line.c_str(), pos, (*fit).position, (*fit).secondary_position)); for ( int i = 0; i < fpos; i++ ) @@ -426,14 +404,11 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { - printf("heartbeat\n"); - is_failed = false; - if ( ! file.is_open() ) OpenFile(); - //if ( is_failed ) - // return continue_on_failure; + if ( is_failed ) + return continue_on_failure; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 102736d24e..c9fd55f3d5 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -57,7 +57,6 @@ private: bool GetLine(string& str); bool OpenFile(); - string filename; ifstream file; time_t mtime; From 7bbaa911b0ba4e102a17fc8e0f882aeb6509c235 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 22 Feb 2017 00:02:51 -0500 Subject: [PATCH 173/288] I missed one test I needed to update for the kerberos commit that I just pushed. --- .../kerberos.log | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log index aee00fbf43..5645378a7e 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log +++ b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path kerberos -#open 2017-02-18-18-38-58 +#open 2017-02-22-05-02-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p request_type client service success error_msg from till cipher forwardable renewable client_cert_subject client_cert_fuid server_cert_subject server_cert_fuid auth_ticket new_ticket #types time string addr port addr port string string string bool string time time string bool bool string string string string string string -1429583645.478441 CHhAvVGS1DHFjwGM9 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - - ea0f395c3823e8cc7216d82e2405b428 fa8064009b03606f84e475feca5dcd12 -#close 2017-02-18-18-38-58 +1429583645.478441 CHhAvVGS1DHFjwGM9 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - - a09fbd89918320cc12a26d4f0c4e6aa2 396a9d9e8975cc5024a83c6e86101f06 +#close 2017-02-22-05-02-14 From ae6dbf17a23ecaf7ed2c38068d3fd8f3373928bb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 23 Feb 2017 09:59:48 -0800 Subject: [PATCH 174/288] Input Manager: tiny error message fix. --- src/input/Manager.cc | 2 +- .../scripts.base.frameworks.input.missing-enum/bro..stderr | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b84d822101..d029e38092 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2380,7 +2380,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str()); if ( index == -1 ) { - Warning(i, "Value not '%s' for stream '%s' is not a valid enum.", + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", enum_string.c_str(), i->name.c_str()); have_error = true; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr index 20207bcf94..8cd0c5ab6c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr @@ -1,2 +1,2 @@ -warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum. +warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum. received termination signal From e0a72b6e5c7bd9ad0b839d8a4b9297bb8a0211f7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 23 Feb 2017 10:18:57 -0800 Subject: [PATCH 175/288] Updating submodule. --- CHANGES | 8 ++++++++ VERSION | 2 +- aux/btest | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 94f310e6b8..b9cef9e78a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-76 | 2017-02-23 10:19:57 -0800 + + * Kerberos ciphertext had some additional ASN.1 content being lumped + in. (Vlad Grigorescu) + + * Updated Windows version detection to include Windows 10. (Fatema + Bannatwala, Keith Lehigh, Mike, Seth Hall). + 2.5-70 | 2017-02-20 00:20:02 -0500 * Rework the RADIUS base script. diff --git a/VERSION b/VERSION index b130560010..2087ec374d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-70 +2.5-76 diff --git a/aux/btest b/aux/btest index 9d5c7bcac9..2fb0e089b3 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f +Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 From 5b7636619984b5fd4a56e13f13bf973d014d2b59 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 23 Feb 2017 15:00:13 -0800 Subject: [PATCH 176/288] Plugin: add/fix documentation for HookSetupAnalyzerTree --- src/plugin/Plugin.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 54451dcfb6..49fa7cdd84 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -39,7 +39,7 @@ enum HookType { HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. - HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree + HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookSetupAnalyzerTree // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -642,6 +642,13 @@ protected: */ virtual void HookUpdateNetworkTime(double network_time); + /** + * Hook that executes when a connection's initial analyzer tree + * has been fully set up. The hook can manipulate the tree at this time, + * for example by adding further analyzers. + * + * @param conn The connection. + */ virtual void HookSetupAnalyzerTree(Connection *conn); /** From 5cf7803e685eb147808934a372538c6301035f97 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 23 Feb 2017 17:18:43 -0800 Subject: [PATCH 177/288] Fix some minor issues. From Daniel, thanks! --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/broker/Data.cc | 11 +++++------ src/broker/Data.h | 2 +- src/broker/Manager.cc | 11 ++++++----- src/broker/Manager.h | 10 +++++----- src/logging/Manager.h | 18 +++++++++--------- src/logging/WriterBackend.cc | 4 ++-- src/logging/WriterFrontend.h | 4 +--- 14 files changed, 36 insertions(+), 38 deletions(-) diff --git a/aux/binpac b/aux/binpac index a0990e61ad..0f1ecfa972 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 +Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd diff --git a/aux/bro-aux b/aux/bro-aux index 7660b5f4c5..b1e75f6a21 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 +Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 diff --git a/aux/broccoli b/aux/broccoli index 765eab50f7..ed52e3414b 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 +Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 diff --git a/aux/broctl b/aux/broctl index f6d451520e..73dbc79ac2 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 +Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 diff --git a/aux/broker b/aux/broker index 68a36ed814..23def70c44 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da +Subproject commit 23def70c44128d19138029615dd154359286e111 diff --git a/aux/btest b/aux/btest index 32e582514a..2fb0e089b3 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d +Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 diff --git a/aux/plugins b/aux/plugins index 0a2f021527..2322840bcd 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 +Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 35d815b9e8..5da6f5d4e0 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -776,7 +776,6 @@ static broker::util::optional threading_val_to_data_internal(TypeT auto s = broker::address(reinterpret_cast(&tmp), broker::address::family::ipv6, broker::address::byte_order::network); - fprintf(stderr, "%d\n", val.subnet_val.length); return {broker::subnet(s, length)}; } @@ -863,7 +862,7 @@ struct threading_val_converter { using result_type = bool; TypeTag type; - threading::Value::_val& val; + threading::Value::_val& val; result_type operator()(bool a) { @@ -1053,9 +1052,9 @@ struct threading_val_converter { if ( type == TYPE_VECTOR ) { val.vector_val.size = a.size(); - val.vector_val.vals = new threading::Value* [val.set_val.size]; + val.vector_val.vals = new threading::Value* [val.vector_val.size]; - auto p = val.set_val.vals; + auto p = val.vector_val.vals; for ( auto& i : a ) *p++ = bro_broker::data_to_threading_val(move(i)); @@ -1079,8 +1078,8 @@ threading::Value* bro_broker::data_to_threading_val(broker::data d) if ( ! r ) return nullptr; - auto type = broker::get(*r->get(0));; - auto present = broker::get(*r->get(1));; + auto type = broker::get(*r->get(0)); + auto present = broker::get(*r->get(1)); auto data = *r->get(2); if ( ! (type && present) ) diff --git a/src/broker/Data.h b/src/broker/Data.h index 9e0c8120de..526304b00c 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h @@ -70,7 +70,7 @@ broker::util::optional threading_val_to_data(const threading::Valu /** * Convert a Bro threading::Field to a Broker data value. - * @param v a Bro threading::Field. + * @param f a Bro threading::Field. * @return a Broker data value if the Bro threading::Field could be converted to one. */ broker::data threading_field_to_data(const threading::Field* f); diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 76040b129c..eebcd2792f 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -214,9 +214,10 @@ bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flag return true; } -bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, - int num_fields, const threading::Field* const * fields, int flags, - const string& peer) +bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, + int flags, const string& peer) { if ( ! Enabled() ) return false; @@ -1003,7 +1004,7 @@ bool bro_broker::Manager::ProcessCreateLog(broker::message msg) if ( ! broker::get(msg[idx]) ) { - reporter->Warning("got remote log create w/o stream id: %d", + reporter->Warning("got remote log create w/o stream id: %d", static_cast(broker::which(msg[idx]))); return false; } @@ -1023,7 +1024,7 @@ bool bro_broker::Manager::ProcessCreateLog(broker::message msg) if ( ! broker::get(msg[idx]) ) { - reporter->Warning("got remote log w/o writer id: %d", + reporter->Warning("got remote log create w/o writer id: %d", static_cast(broker::which(msg[idx]))); return false; } diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 10d5019b74..d5701c56b1 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -169,20 +169,20 @@ public: const threading::Value* const * vals, int flags); /** - * Send a message to create a log stream to any interested peers. - * The log stream may or may not already exist on the receiving side. - * The topic name used is implicitly "bro/log/". + * Send a message to create a log stream to any interested peers. + * The log stream may or may not already exist on the receiving side. + * The topic name used is implicitly "bro/log/". * @param stream the stream to which the log entry belongs. * @param writer the writer to use for outputting this log entry. * @param info backend initialization information for the writer. * @param num_fields the number of fields the log has. - * @param fields the log's fields of size num_fields. + * @param fields the log's fields, of size num_fields. * @param flags tune the behavior of how the message is send. * See the Broker::SendFlags record type. * @param peer If given, send the message only to this peer. * @return true if the message is sent successfully. */ - bool CreateLog(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + bool CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields, int flags, const string& peer = ""); /** diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 3334942a3a..56626f39d3 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -133,9 +133,9 @@ public: * Create a new log writer frontend. This is exposed so that the * communication system can recreate remote log streams locally. * - * @param stream The enum value corresponding the log stream. + * @param id The enum value corresponding to the log stream. * - * @param writer The enum value corresponding the desired log writer. + * @param writer The enum value corresponding to the desired log writer. * * @param info A fully initialized object defining the * characteristics of the backend writer instance. The method takes @@ -143,8 +143,8 @@ public: * * @param num_fields The number of log fields to write. * - * @param vals An arry of log fields to write, of size num_fields. - * The method takes ownership of the arry. + * @param vals An array of log fields to write, of size num_fields. + * The method takes ownership of the array. * * @return Returns true if the writer was successfully created. */ @@ -154,18 +154,18 @@ public: /** * Writes out log entries that have already passed through all * filters (and have raised any events). This is meant called for logs - * received alrready processed from remote. + * received already processed from remote. * - * @param stream The enum value corresponding the log stream. + * @param stream The enum value corresponding to the log stream. * - * @param writer The enum value corresponding the desired log writer. + * @param writer The enum value corresponding to the desired log writer. * * @param path The path of the target log stream to write to. * * @param num_fields The number of log values to write. * - * @param vals An arry of log values to write, of size num_fields. - * The method takes ownership of the arry. + * @param vals An array of log values to write, of size num_fields. + * The method takes ownership of the array. */ bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path, int num_fields, threading::Value** vals); diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index e2afd360e7..ebf5165169 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -130,11 +130,11 @@ broker::data WriterBackend::WriterInfo::ToBroker() const auto t = broker::table(); for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) - { + { auto key = std::string(i->first); auto value = std::string(i->second); t.insert(std::make_pair(key, value)); - } + } auto bconfig = broker::record::field(move(t)); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index c39d2bdf3c..ae37613261 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -34,8 +34,6 @@ public: * * info: The meta information struct for the writer. * - * writer_name: A descriptive name for the writer's type. - * * local: If true, the writer will instantiate a local backend. * * remote: If true, the writer will forward logs to remote @@ -46,7 +44,7 @@ public: * * Frontends must only be instantiated by the main thread. */ - WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int arg_remote_flags); + WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int remote_flags); /** * Destructor. From 75744d22bc1d556c3c9a42cb458af8ce181f1536 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 23 Feb 2017 23:13:12 -0500 Subject: [PATCH 178/288] Input's ascii reader is now more resilient. By default, the ASCII reader does not fail on errors anymore. If there is a problem parsing a line, a reporter warning is written and parsing continues. If the file is missing or can't be read, the input thread just tries again on the next heartbeat. Options have been added to recreate the previous behavior... const InputAscii::fail_on_invalid_lines: bool; and const InputAscii::fail_on_file_problem: bool; They are both set to `F` by default which makes the input readers resilient to failure. --- .../base/frameworks/input/readers/ascii.bro | 13 +++ src/input/readers/ascii/Ascii.cc | 80 ++++++++++++------- src/input/readers/ascii/Ascii.h | 7 +- src/input/readers/ascii/ascii.bif | 2 + .../bro..stderr | 4 + .../bro..stdout | 2 + .../bro..stderr | 4 +- .../input/missing-file-initially.bro | 47 +++++++++++ 8 files changed, 127 insertions(+), 32 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout create mode 100644 testing/btest/scripts/base/frameworks/input/missing-file-initially.bro diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 1b486ddba0..521e8d4ca3 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -18,4 +18,17 @@ export { ## String to use for an unset &optional field. const unset_field = Input::unset_field &redef; + + ## Choose if the ascii input reader should globally + ## fail on invalid lines and continue parsing afterward. + ## Individual readers can use a different value. + const fail_on_invalid_lines = F &redef; + + ## Set to true if you would like the old behavior of the + ## ascii reader where the reader thread would die if any file + ## errors occur (like permissions problems or file missing). + ## The default behavior is to continue attempting to open and read + ## the file even in light of problems. + ## Individual readers can use a different value. + const fail_on_file_problem = F &redef; } diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 2f91ebe27a..5621a87eb4 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,7 +61,6 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - continue_on_failure = true; is_failed = false; separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), @@ -76,6 +75,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(), BifConst::InputAscii::unset_field->Len()); + fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; + fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; + // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { @@ -90,6 +92,12 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f else if ( strcmp(i->first, "unset_field") == 0 ) unset_field.assign(i->second); + + else if ( strcmp(i->first, "fail_on_invalid_lines") == 0 ) + fail_on_invalid_lines = (strncmp(i->second, "T", 1) == 0); + + else if ( strcmp(i->first, "fail_on_file_problem") == 0 ) + fail_on_file_problem = (strncmp(i->second, "T", 1) == 0); } if ( separator.size() != 1 ) @@ -101,34 +109,40 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - OpenFile(); - - if ( is_failed ) - return continue_on_failure; - DoUpdate(); return true; } +void Ascii::FailWarn(bool is_error, const char *msg) + { + if ( is_error ) + Error(msg); + else + Warning(msg); + } + bool Ascii::OpenFile() { + if ( file.is_open() && ! is_failed ) + return true; + file.open(Info().source); if ( ! file.is_open() ) { if ( ! is_failed ) - Warning(Fmt("Init: cannot open %s", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } if ( ReadHeader(false) == false ) { if ( ! is_failed ) - Warning(Fmt("Init: cannot open %s; headers are incorrect", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; headers are incorrect", Info().source)); file.close(); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } is_failed = false; @@ -141,7 +155,7 @@ bool Ascii::ReadHeader(bool useCached) string line; map ifields; - if ( headerline == "" ) + if ( ! useCached ) { if ( ! GetLine(line) ) return false; @@ -184,11 +198,12 @@ bool Ascii::ReadHeader(bool useCached) continue; } - Warning(Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", + field->name, Info().source)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -198,11 +213,12 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - Warning(Fmt("Could not find requested port type field %s in input data file.", - field->secondary_name)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", + field->secondary_name)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } f.secondary_position = ifields[field->secondary_name]; @@ -241,6 +257,9 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { + if ( ! OpenFile() ) + return !fail_on_file_problem; + switch ( Info().mode ) { case MODE_REREAD: { @@ -248,10 +267,11 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - Warning(Fmt("Could not get stat for %s", Info().source)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source)); file.close(); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } if ( sb.st_mtime <= mtime ) // no change @@ -276,7 +296,7 @@ bool Ascii::DoUpdate() if ( !ReadHeader(true) ) { is_failed = true; - return continue_on_failure; // header reading failed + return !fail_on_file_problem; // header reading failed } break; @@ -339,7 +359,7 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { - Warning(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", + FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", line.c_str(), pos, (*fit).position, (*fit).secondary_position)); for ( int i = 0; i < fpos; i++ ) @@ -347,8 +367,15 @@ bool Ascii::DoUpdate() delete [] fields; - is_failed = true; - return continue_on_failure; + if ( fail_on_invalid_lines ) + { + return false; + } + else + { + error = true; + break; + } } Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); @@ -404,11 +431,8 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { - if ( ! file.is_open() ) - OpenFile(); - - if ( is_failed ) - return continue_on_failure; + if ( ! OpenFile() ) + return !fail_on_file_problem; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index c9fd55f3d5..9300382ca2 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -56,6 +56,8 @@ private: bool ReadHeader(bool useCached); bool GetLine(string& str); bool OpenFile(); + void FailWarn(bool is_error, const char *msg); + ifstream file; time_t mtime; @@ -71,8 +73,11 @@ private: string set_separator; string empty_field; string unset_field; + bool fail_on_invalid_lines; + bool fail_on_file_problem; - bool continue_on_failure; + // this is an internal indicator in case the read is currently in a failed state + // it's used by the options for continuing instead of failing and killing the reader. bool is_failed; std::unique_ptr formatter; diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif index 8bb3a96492..80ff4611e7 100644 --- a/src/input/readers/ascii/ascii.bif +++ b/src/input/readers/ascii/ascii.bif @@ -5,3 +5,5 @@ const separator: string; const set_separator: string; const empty_field: string; const unset_field: string; +const fail_on_invalid_lines: bool; +const fail_on_file_problem: bool; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr new file mode 100644 index 0000000000..6c4d0f0194 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr @@ -0,0 +1,4 @@ +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout new file mode 100644 index 0000000000..d96c6d457d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout @@ -0,0 +1,2 @@ +now it does +and more! diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr index 5093925d2d..f5d074fe7e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr @@ -1,4 +1,2 @@ -error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat -error: does-not-exist.dat/Input::READER_ASCII: Init failed -error: does-not-exist.dat/Input::READER_ASCII: terminating thread +warning: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat received termination signal diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro new file mode 100644 index 0000000000..a7128a4455 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -0,0 +1,47 @@ +# This tests files that don't exist initially and then do later during +# runtime to make sure the ascii reader is resilient to files missing. +# It does a second test at the same time which configures the old +# failing behavior. + +# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff bro/.stdout +# @TEST-EXEC: btest-diff bro/.stderr + +@TEST-START-FILE does-exist.dat +#separator \x09 +#fields line +#types string +now it does +and more! +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +@load base/frameworks/input + +module A; + +type Val: record { + line: string; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print v$line; + } + +event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print "DONT PRINT THIS LINE"; + } + + +event bro_init() + { + Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, + $config=table(["fail_on_file_problem"] = "T")]); + + system("sleep 2; mv ../does-exist.dat ../does-not-exist.dat;"); + } From 50781590804ee0ba2e3d54b186478f4613fa61a0 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 23 Feb 2017 23:13:48 -0500 Subject: [PATCH 179/288] Tiny fix to correct a warning message. --- src/input/Manager.cc | 2 +- .../scripts.base.frameworks.input.missing-enum/bro..stderr | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b84d822101..d029e38092 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2380,7 +2380,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str()); if ( index == -1 ) { - Warning(i, "Value not '%s' for stream '%s' is not a valid enum.", + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", enum_string.c_str(), i->name.c_str()); have_error = true; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr index 20207bcf94..8cd0c5ab6c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr @@ -1,2 +1,2 @@ -warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum. +warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum. received termination signal From 22c89a83f5cf95ed77dcde11898a7bc55df54499 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 24 Feb 2017 09:02:16 -0800 Subject: [PATCH 180/288] Update submodule [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index b1e75f6a21..9f33570d53 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 +Subproject commit 9f33570d53e1b970d7905e305940fd55637c5c76 From 0f695a7316fe2586fb1010675f45d549ffd00568 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sat, 25 Feb 2017 21:53:02 -0600 Subject: [PATCH 181/288] Fix a test that sometimes fails on FreeBSD --- testing/btest/istate/pybroccoli.py | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py index 7600c2b7d4..0d7106d592 100644 --- a/testing/btest/istate/pybroccoli.py +++ b/testing/btest/istate/pybroccoli.py @@ -4,6 +4,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so # # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro +# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py # @TEST-EXEC: btest-bg-wait -k 20 # @TEST-EXEC: btest-diff bro/.stdout From 58a2d06c93189cea3f91efe2566fbe1703b9dc72 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 27 Feb 2017 08:22:16 -0800 Subject: [PATCH 182/288] Another fix for the new Broker-based remote logging. --- src/broker/Data.cc | 7 ++-- .../Baseline/broker.remote_log/recv.test.log | 4 +-- .../Baseline/broker.remote_log/send.test.log | 4 +-- testing/btest/broker/remote_log.test | 33 ++++++++++--------- testing/btest/broker/remote_log_types.test | 3 +- 5 files changed, 28 insertions(+), 23 deletions(-) diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 5da6f5d4e0..6420144193 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -1080,16 +1080,19 @@ threading::Value* bro_broker::data_to_threading_val(broker::data d) auto type = broker::get(*r->get(0)); auto present = broker::get(*r->get(1)); - auto data = *r->get(2); + auto data = r->get(2); if ( ! (type && present) ) return nullptr; + if ( *present && ! data ) + return nullptr; + auto tv = new threading::Value; tv->type = static_cast(*type); tv->present = *present; - if ( present && ! broker::visit(threading_val_converter{tv->type, tv->val}, data) ) + if ( *present && ! broker::visit(threading_val_converter{tv->type, tv->val}, *data) ) { delete tv; return nullptr; diff --git a/testing/btest/Baseline/broker.remote_log/recv.test.log b/testing/btest/Baseline/broker.remote_log/recv.test.log index 0d6dae756c..b79e1b53b9 100644 --- a/testing/btest/Baseline/broker.remote_log/recv.test.log +++ b/testing/btest/Baseline/broker.remote_log/recv.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-02-27-16-21-20 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-02-27-16-21-20 diff --git a/testing/btest/Baseline/broker.remote_log/send.test.log b/testing/btest/Baseline/broker.remote_log/send.test.log index 0d6dae756c..93862c656b 100644 --- a/testing/btest/Baseline/broker.remote_log/send.test.log +++ b/testing/btest/Baseline/broker.remote_log/send.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-02-27-16-21-19 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-02-27-16-21-20 diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test index 598f3f6e46..df8f8d8d8a 100644 --- a/testing/btest/broker/remote_log.test +++ b/testing/btest/broker/remote_log.test @@ -45,14 +45,14 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); + Broker::subscribe_to_events("bro/event/"); Broker::listen(broker_port, "127.0.0.1"); } event quit_receiver() - { - terminate(); - } + { + terminate(); + } @TEST-END-FILE @@ -63,21 +63,22 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); - } + { + Broker::enable_remote_logs(Test::LOG); + Broker::publish_topic("bro/event/"); + Broker::connect("127.0.0.1", broker_port, 1secs); + } global n = 0; event do_write() { if ( n == 6 ) - { - local args = Broker::event_args(quit_receiver); - Broker::send_event("bro/event/", args); - schedule 1sec { quit_sender() }; - } + { + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; + } else { Log::write(Test::LOG, [$msg = "ping", $num = n]); @@ -87,9 +88,9 @@ event do_write() } event quit_sender() - { - terminate(); - } + { + terminate(); + } event Broker::outgoing_connection_established(peer_address: string, peer_port: port, diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.test index 9089e087cb..48011a8c07 100644 --- a/testing/btest/broker/remote_log_types.test +++ b/testing/btest/broker/remote_log_types.test @@ -60,7 +60,7 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); + Broker::subscribe_to_events("bro/event/"); Broker::listen(broker_port, "127.0.0.1"); } @@ -80,6 +80,7 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::enable_remote_logs(Test::LOG); + Broker::publish_topic("bro/event/"); Broker::connect("127.0.0.1", broker_port, 1secs); } From 01a39436353d6df202b152e307b6453c990c7fd2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 28 Feb 2017 12:40:01 -0500 Subject: [PATCH 183/288] Do some updates to remove build time warnings. The linker was complaining about linking files that didn't have any symbols. These were actually empty files so I just got rid of them and removed references to them. --- src/analyzer/protocol/ayiya/AYIYA.cc | 1 - src/analyzer/protocol/ayiya/CMakeLists.txt | 1 - src/analyzer/protocol/ayiya/ayiya.pac | 4 ---- src/analyzer/protocol/ayiya/events.bif | 0 src/analyzer/protocol/gssapi/CMakeLists.txt | 2 +- src/analyzer/protocol/gssapi/gssapi.pac | 1 - src/analyzer/protocol/gssapi/types.bif | 1 - src/analyzer/protocol/pia/CMakeLists.txt | 1 - src/analyzer/protocol/pia/PIA.cc | 2 -- src/analyzer/protocol/pia/events.bif | 0 src/analyzer/protocol/zip/CMakeLists.txt | 1 - src/analyzer/protocol/zip/ZIP.cc | 2 -- src/analyzer/protocol/zip/events.bif | 0 .../canonified_loaded_scripts.log | 8 ++------ .../canonified_loaded_scripts.log | 8 ++------ testing/btest/Baseline/plugins.hooks/output | 20 ++++++------------- 16 files changed, 11 insertions(+), 41 deletions(-) delete mode 100644 src/analyzer/protocol/ayiya/events.bif delete mode 100644 src/analyzer/protocol/gssapi/types.bif delete mode 100644 src/analyzer/protocol/pia/events.bif delete mode 100644 src/analyzer/protocol/zip/events.bif diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc index a1e00e9b38..9c4ac237ab 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.cc +++ b/src/analyzer/protocol/ayiya/AYIYA.cc @@ -1,7 +1,6 @@ #include "AYIYA.h" #include "Func.h" -#include "events.bif.h" using namespace analyzer::ayiya; diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt index ae23c25e2d..50113b72d7 100644 --- a/src/analyzer/protocol/ayiya/CMakeLists.txt +++ b/src/analyzer/protocol/ayiya/CMakeLists.txt @@ -5,6 +5,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro AYIYA) bro_plugin_cc(AYIYA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac index b1f3a6ef77..ff0af4d47c 100644 --- a/src/analyzer/protocol/ayiya/ayiya.pac +++ b/src/analyzer/protocol/ayiya/ayiya.pac @@ -2,10 +2,6 @@ %include binpac.pac %include bro.pac -%extern{ -#include "events.bif.h" -%} - analyzer AYIYA withcontext { connection: AYIYA_Conn; flow: AYIYA_Flow; diff --git a/src/analyzer/protocol/ayiya/events.bif b/src/analyzer/protocol/ayiya/events.bif deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt index 222c3cdf4e..d826d36bf7 100644 --- a/src/analyzer/protocol/gssapi/CMakeLists.txt +++ b/src/analyzer/protocol/gssapi/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro GSSAPI) bro_plugin_cc(GSSAPI.cc Plugin.cc) -bro_plugin_bif(types.bif events.bif) +bro_plugin_bif(events.bif) bro_plugin_pac( gssapi.pac gssapi-protocol.pac diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac index 07759e8daa..55b7fe4255 100644 --- a/src/analyzer/protocol/gssapi/gssapi.pac +++ b/src/analyzer/protocol/gssapi/gssapi.pac @@ -5,7 +5,6 @@ #include "analyzer/Manager.h" #include "analyzer/Analyzer.h" -#include "types.bif.h" #include "events.bif.h" %} diff --git a/src/analyzer/protocol/gssapi/types.bif b/src/analyzer/protocol/gssapi/types.bif deleted file mode 100644 index 996cee9ad8..0000000000 --- a/src/analyzer/protocol/gssapi/types.bif +++ /dev/null @@ -1 +0,0 @@ -# Empty. diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt index ff55bcf0aa..02397f7aff 100644 --- a/src/analyzer/protocol/pia/CMakeLists.txt +++ b/src/analyzer/protocol/pia/CMakeLists.txt @@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro PIA) bro_plugin_cc(PIA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc index 7d73624dd0..8f5e23a1ce 100644 --- a/src/analyzer/protocol/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -3,8 +3,6 @@ #include "analyzer/protocol/tcp/TCP_Flags.h" #include "analyzer/protocol/tcp/TCP_Reassembler.h" -#include "events.bif.h" - using namespace analyzer::pia; PIA::PIA(analyzer::Analyzer* arg_as_analyzer) diff --git a/src/analyzer/protocol/pia/events.bif b/src/analyzer/protocol/pia/events.bif deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt index 814119f9f7..40c64afd6e 100644 --- a/src/analyzer/protocol/zip/CMakeLists.txt +++ b/src/analyzer/protocol/zip/CMakeLists.txt @@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro ZIP) bro_plugin_cc(ZIP.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index d14df95673..d44c6353cd 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc @@ -2,8 +2,6 @@ #include "ZIP.h" -#include "events.bif.h" - using namespace analyzer::zip; ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) diff --git a/src/analyzer/protocol/zip/events.bif b/src/analyzer/protocol/zip/events.bif deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 6587112ef2..d53b14ce58 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-26 +#open 2017-02-28-17-15-30 #fields name #types string scripts/base/init-bare.bro @@ -58,7 +58,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro @@ -74,7 +73,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro @@ -96,7 +94,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro @@ -150,7 +147,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro @@ -171,4 +167,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2016-11-02-17-25-26 +#close 2017-02-28-17-15-30 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7a7b127752..e11edefe16 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-18 +#open 2017-02-28-17-19-41 #fields name #types string scripts/base/init-bare.bro @@ -58,7 +58,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro @@ -74,7 +73,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro @@ -96,7 +94,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro @@ -150,7 +147,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro @@ -359,4 +355,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2016-11-02-17-25-18 +#close 2017-02-28-17-19-41 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index c291302748..420d20ae12 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -416,7 +416,6 @@ 0.000000 MetaHookPost LoadFile(../main) -> -1 0.000000 MetaHookPost LoadFile(../plugin) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AYIYA.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 @@ -440,7 +439,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 @@ -465,7 +463,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PIA.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1 @@ -528,7 +525,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ZIP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 0.000000 MetaHookPost LoadFile(./addrs) -> -1 0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 @@ -968,7 +964,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1098,7 +1094,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1137,7 +1133,6 @@ 0.000000 MetaHookPre LoadFile(../main) 0.000000 MetaHookPre LoadFile(../plugin) 0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AYIYA.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) @@ -1161,7 +1156,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) @@ -1186,7 +1180,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PIA.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro) @@ -1249,7 +1242,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ZIP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) 0.000000 MetaHookPre LoadFile(./addrs) 0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) @@ -1688,7 +1680,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1818,7 +1810,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() From 9341ff801c2bc0445553305a67d5c78442c0dbf3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 2 Mar 2017 08:53:38 -0800 Subject: [PATCH 184/288] Move threading to c++11 primitives (mostly). This moves all threading code in Bro from pthreads to the c++11 primitives, which make for shorter, easier to use, and less error-prone code. pthreads is still used in 2 places in Bro currently. BasicThread uses two bits of functionality that are not available using the c++ API (setting thread names & setting signal masks). Since all c++ implementations that I am aware of still use an underlying pthreads implementation, we just use native_handle to access the underlying pthreads implementation for these cases. I do not expect this to lead to problems in the forseable future. If we ever encounter a platform where a different thread architecture is used, we might have to change that around. This code is guarded by static_asserts, so we will notice if a platform uses a different implementation. sqlite also uses pthreads directly. --- src/input/readers/raw/Plugin.cc | 12 +--- src/input/readers/raw/Plugin.h | 8 +-- src/input/readers/raw/Raw.cc | 30 +++------ src/input/readers/raw/Raw.h | 6 +- src/threading/BasicThread.cc | 21 ++++--- src/threading/BasicThread.h | 10 +-- src/threading/MsgThread.h | 2 - src/threading/Queue.h | 104 +++++++++++--------------------- 8 files changed, 70 insertions(+), 123 deletions(-) diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc index c7af84e34e..e16a233fe6 100644 --- a/src/input/readers/raw/Plugin.cc +++ b/src/input/readers/raw/Plugin.cc @@ -8,7 +8,6 @@ using namespace plugin::Bro_RawReader; Plugin::Plugin() { - init = false; } plugin::Configuration Plugin::Configure() @@ -23,21 +22,14 @@ plugin::Configuration Plugin::Configure() void Plugin::InitPreScript() { - if ( pthread_mutex_init(&fork_mutex, 0) != 0 ) - reporter->FatalError("cannot initialize raw reader's mutex"); - - init = true; } void Plugin::Done() { - pthread_mutex_destroy(&fork_mutex); - init = false; } -pthread_mutex_t* Plugin::ForkMutex() +std::unique_lock Plugin::ForkMutex() { - assert(init); - return &fork_mutex; + return std::unique_lock(fork_mutex, std::defer_lock); } diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h index 59a5dfd2be..7b621c9440 100644 --- a/src/input/readers/raw/Plugin.h +++ b/src/input/readers/raw/Plugin.h @@ -1,8 +1,9 @@ -// See the file in the main distribution directory for copyright. +// See the file in the main distribution directory for copyright. #include "plugin/Plugin.h" #include "Raw.h" +#include namespace plugin { namespace Bro_RawReader { @@ -16,11 +17,10 @@ public: virtual void InitPreScript(); virtual void Done(); - pthread_mutex_t * ForkMutex(); + std::unique_lock ForkMutex(); private: - bool init; - pthread_mutex_t fork_mutex; + std::mutex fork_mutex; }; diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index cfa7b72602..c892c207cc 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -96,24 +96,16 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) } -bool Raw::LockForkMutex() +std::unique_lock Raw::AcquireForkMutex() { - int res = pthread_mutex_lock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; - - Error(Fmt("cannot lock fork mutex: %d", res)); - return false; + auto lock = plugin::Bro_RawReader::plugin.ForkMutex(); + try { + lock.lock(); + } catch(const std::system_error& e) { + reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what()); } -bool Raw::UnlockForkMutex() - { - int res = pthread_mutex_unlock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; - - Error(Fmt("cannot unlock fork mutex: %d", res)); - return false; + return lock; } bool Raw::Execute() @@ -126,12 +118,10 @@ bool Raw::Execute() // never crops up... ("never" meaning I haven't seen in it in // hundreds of tests using 50+ threads where before I'd see the issue // w/ just 2 threads ~33% of the time). - if ( ! LockForkMutex() ) - return false; + auto lock = AcquireForkMutex(); if ( pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) ) { - UnlockForkMutex(); Error(Fmt("Could not open pipe: %d", errno)); return false; } @@ -139,7 +129,6 @@ bool Raw::Execute() childpid = fork(); if ( childpid < 0 ) { - UnlockForkMutex(); Error(Fmt("Could not create child process: %d", errno)); return false; } @@ -208,8 +197,7 @@ bool Raw::Execute() } } - if ( ! UnlockForkMutex() ) - return false; + lock.unlock(); ClosePipeEnd(stdout_out); diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index 2a166ae322..ec50ade8fe 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h @@ -4,8 +4,8 @@ #define INPUT_READERS_RAW_H #include -#include #include +#include #include "input/ReaderBackend.h" @@ -37,8 +37,7 @@ protected: private: void ClosePipeEnd(int i); bool SetFDFlags(int fd, int cmd, int flags); - bool LockForkMutex(); - bool UnlockForkMutex(); + std::unique_lock AcquireForkMutex(); bool OpenInput(); bool CloseInput(); @@ -87,7 +86,6 @@ private: }; static const int block_size; - static pthread_mutex_t fork_mutex; }; } diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index 86d7d7b560..ea6c8c433b 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -5,6 +5,7 @@ #include "bro-config.h" #include "BasicThread.h" #include "Manager.h" +#include "pthread.h" #ifdef HAVE_LINUX #include @@ -21,7 +22,6 @@ BasicThread::BasicThread() started = false; terminating = false; killed = false; - pthread = 0; buf_len = STD_FMT_BUF_LEN; buf = (char*) safe_malloc(buf_len); @@ -50,6 +50,7 @@ void BasicThread::SetName(const char* arg_name) void BasicThread::SetOSName(const char* arg_name) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); #ifdef HAVE_LINUX prctl(PR_SET_NAME, arg_name, 0, 0, 0); @@ -60,7 +61,7 @@ void BasicThread::SetOSName(const char* arg_name) #endif #ifdef FREEBSD - pthread_set_name_np(pthread_self(), arg_name, arg_name); + pthread_set_name_np(thread.native_handle(), arg_name, arg_name); #endif } @@ -108,9 +109,7 @@ void BasicThread::Start() started = true; - int err = pthread_create(&pthread, 0, BasicThread::launcher, this); - if ( err != 0 ) - reporter->FatalError("Cannot create thread %s: %s", name, Strerror(err)); + thread = std::thread(&BasicThread::launcher, this); DBG_LOG(DBG_THREADING, "Started thread %s", name); @@ -147,17 +146,18 @@ void BasicThread::Join() if ( ! started ) return; - if ( ! pthread ) + if ( ! thread.joinable() ) return; assert(terminating); - if ( pthread_join(pthread, 0) != 0 ) - reporter->FatalError("Failure joining thread %s", name); + try { + thread.join(); + } catch(const std::system_error& e) { + reporter->FatalError("Failure joining thread %s with error %s", name, e.what()); + } DBG_LOG(DBG_THREADING, "Joined with thread %s", name); - - pthread = 0; } void BasicThread::Kill() @@ -180,6 +180,7 @@ void BasicThread::Done() void* BasicThread::launcher(void *arg) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); BasicThread* thread = (BasicThread *)arg; // Block signals in thread. We handle signals only in the main diff --git a/src/threading/BasicThread.h b/src/threading/BasicThread.h index 6386e5ae66..ea829fce54 100644 --- a/src/threading/BasicThread.h +++ b/src/threading/BasicThread.h @@ -2,8 +2,7 @@ #ifndef THREADING_BASICTHREAD_H #define THREADING_BASICTHREAD_H -#include -#include +#include #include "util.h" @@ -35,6 +34,9 @@ public: */ BasicThread(); + BasicThread(BasicThread const&) = delete; + BasicThread& operator =(BasicThread const&) = delete; + /** * Returns a descriptive name for the thread. If not set via * SetName(). If not set, a default name is choosen automatically. @@ -192,11 +194,11 @@ protected: void Done(); private: - // pthread entry function. + // thread entry function. static void* launcher(void *arg); const char* name; - pthread_t pthread; + std::thread thread; bool started; // Set to to true once running. bool terminating; // Set to to true to signal termination. bool killed; // Set to true once forcefully killed. diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h index 96da68e1d0..480ab2974c 100644 --- a/src/threading/MsgThread.h +++ b/src/threading/MsgThread.h @@ -2,8 +2,6 @@ #ifndef THREADING_MSGTHREAD_H #define THREADING_MSGTHREAD_H -#include - #include "DebugLogger.h" #include "BasicThread.h" diff --git a/src/threading/Queue.h b/src/threading/Queue.h index 6d21bfd998..48b41ad81a 100644 --- a/src/threading/Queue.h +++ b/src/threading/Queue.h @@ -1,7 +1,8 @@ #ifndef THREADING_QUEUE_H #define THREADING_QUEUE_H -#include +#include +#include #include #include #include @@ -22,7 +23,7 @@ namespace threading { * * All Queue instances must be instantiated by Bro's main thread. * - * TODO: Unclear how critical performance is for this qeueue. We could like;y + * TODO: Unclear how critical performance is for this qeueue. We could likely * optimize it further if helpful. */ template @@ -71,9 +72,10 @@ public: */ bool MaybeReady() { return (num_reads != num_writes); } - /** Wake up the reader if it's currently blocked for input. This is - primarily to give it a chance to check termination quickly. - **/ + /** + * Wake up the reader if it's currently blocked for input. This is + * primarily to give it a chance to check termination quickly. + */ void WakeUp(); /** @@ -94,14 +96,15 @@ public: * Returns statistics about the queue's usage. * * @param stats A pointer to a structure that will be filled with - * current numbers. */ + * current numbers. + */ void GetStats(Stats* stats); private: static const int NUM_QUEUES = 8; - pthread_mutex_t mutex[NUM_QUEUES]; // Mutex protected shared accesses. - pthread_cond_t has_data[NUM_QUEUES]; // Signals when data becomes available + std::mutex mutex[NUM_QUEUES]; // Mutex protected shared accesses. + std::condition_variable has_data[NUM_QUEUES]; // Signals when data becomes available std::queue messages[NUM_QUEUES]; // Actually holds the queued messages int read_ptr; // Where the next operation will read from @@ -115,17 +118,17 @@ private: uint64_t num_writes; }; -inline static void safe_lock(pthread_mutex_t* mutex) +inline static std::unique_lock safe_lock(std::mutex& m) { - int res = pthread_mutex_lock(mutex); - if ( res != 0 ) - reporter->FatalErrorWithCore("cannot lock mutex: %d(%s)", res, strerror(res)); + std::unique_lock lock(m, std::defer_lock); + + try { + lock.lock(); + } catch(const std::system_error& e) { + reporter->FatalErrorWithCore("cannot lock mutex: %s", e.what()); } -inline static void safe_unlock(pthread_mutex_t* mutex) - { - if ( pthread_mutex_unlock(mutex) != 0 ) - reporter->FatalErrorWithCore("cannot unlock mutex"); + return lock; } template @@ -136,50 +139,28 @@ inline Queue::Queue(BasicThread* arg_reader, BasicThread* arg_writer) num_reads = num_writes = 0; reader = arg_reader; writer = arg_writer; - - for( int i = 0; i < NUM_QUEUES; ++i ) - { - if ( pthread_cond_init(&has_data[i], 0) != 0 ) - reporter->FatalError("cannot init queue condition variable"); - - if ( pthread_mutex_init(&mutex[i], 0) != 0 ) - reporter->FatalError("cannot init queue mutex"); - } } template inline Queue::~Queue() { - for( int i = 0; i < NUM_QUEUES; ++i ) - { - pthread_cond_destroy(&has_data[i]); - pthread_mutex_destroy(&mutex[i]); - } } template inline T Queue::Get() { - safe_lock(&mutex[read_ptr]); + auto lock = safe_lock(mutex[read_ptr]); int old_read_ptr = read_ptr; if ( messages[read_ptr].empty() && ! ((reader && reader->Killed()) || (writer && writer->Killed())) ) { - struct timespec ts; - ts.tv_sec = time(0) + 5; - ts.tv_nsec = 0; - - pthread_cond_timedwait(&has_data[read_ptr], &mutex[read_ptr], &ts); - safe_unlock(&mutex[read_ptr]); - return 0; + if ( has_data[read_ptr].wait_for(lock, std::chrono::seconds(5)) == std::cv_status::timeout ) + return nullptr; } - else if ( messages[read_ptr].empty() ) - { - safe_unlock(&mutex[read_ptr]); - return 0; - } + if ( messages[read_ptr].empty() ) + return nullptr; T data = messages[read_ptr].front(); messages[read_ptr].pop(); @@ -187,15 +168,13 @@ inline T Queue::Get() read_ptr = (read_ptr + 1) % NUM_QUEUES; ++num_reads; - safe_unlock(&mutex[old_read_ptr]); - return data; } template inline void Queue::Put(T data) { - safe_lock(&mutex[write_ptr]); + auto lock = safe_lock(mutex[write_ptr]); int old_write_ptr = write_ptr; @@ -203,25 +182,24 @@ inline void Queue::Put(T data) messages[write_ptr].push(data); - if ( need_signal ) - pthread_cond_signal(&has_data[write_ptr]); - write_ptr = (write_ptr + 1) % NUM_QUEUES; ++num_writes; - safe_unlock(&mutex[old_write_ptr]); + if ( need_signal ) + { + lock.unlock(); + has_data[old_write_ptr].notify_one(); + } } template inline bool Queue::Ready() { - safe_lock(&mutex[read_ptr]); + auto lock = safe_lock(mutex[read_ptr]); bool ret = (messages[read_ptr].size()); - safe_unlock(&mutex[read_ptr]); - return ret; } @@ -229,17 +207,15 @@ template inline uint64_t Queue::Size() { // Need to lock all queues. + std::vector> locks; for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + locks.push_back(safe_lock(mutex[i])); uint64_t size = 0; for ( int i = 0; i < NUM_QUEUES; i++ ) size += messages[i].size(); - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); - return size; } @@ -248,29 +224,21 @@ inline void Queue::GetStats(Stats* stats) { // To be safe, we look all queues. That's probably unneccessary, but // doesn't really hurt. + std::vector> locks; for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + locks.push_back(safe_lock(mutex[i])); stats->num_reads = num_reads; stats->num_writes = num_writes; - - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); } template inline void Queue::WakeUp() { for ( int i = 0; i < NUM_QUEUES; i++ ) - { - safe_lock(&mutex[i]); - pthread_cond_signal(&has_data[i]); - safe_unlock(&mutex[i]); - } + has_data[i].notify_all(); } } - #endif - From 766bab077144e9341f4f29bdedebdf621ccee584 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 2 Mar 2017 16:45:07 -0800 Subject: [PATCH 185/288] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 2fb0e089b3..14c18508bb 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 +Subproject commit 14c18508bb385c8f55cd79738ee87ca2b85eba27 From f616903e5ffc1b28142bb6f4e94424993d772801 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Mar 2017 10:44:14 -0800 Subject: [PATCH 186/288] Updating submodule(s). [nomail] --- CHANGES | 2 +- VERSION | 2 +- aux/plugins | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 9c58d9338f..862174c068 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-91 | 2017-03-03 10:30:12 -0800 +2.5-92 | 2017-03-03 10:44:14 -0800 * Move most threading to C++11 primitives (mostly). (Johanna Amann) diff --git a/VERSION b/VERSION index 2cca69f0f3..540a520883 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-91 +2.5-92 diff --git a/aux/plugins b/aux/plugins index 2322840bcd..c4b5df3aa8 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb +Subproject commit c4b5df3aa8e5c58a2dc5e5040c7da8369894f24d From b6e6302b4031d36d6e297b25aba444b0dc26f1e8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 3 Mar 2017 12:40:37 -0800 Subject: [PATCH 187/288] Ascii reader error changes - fix small bugs The changes are now a bit more succinct with less code changes required. Behavior is tested a little bit more thoroughly and a memory problem when reading incomplete lines was fixed. ReadHeader also always directly returns if header reading failed. Error messages now are back to what they were before the change, if the new behavior is not used. I also tweaked the documentation text a bit. --- .../base/frameworks/input/readers/ascii.bro | 34 ++++++-- src/input/readers/ascii/Ascii.cc | 85 ++++++++++--------- src/input/readers/ascii/Ascii.h | 10 ++- .../out | 26 ++++++ .../bro..stderr | 4 + .../bro..stdout | 3 + .../bro..stderr | 4 +- .../base/frameworks/input/invalid-lines.bro | 67 +++++++++++++++ .../base/frameworks/input/invalidtext.bro | 1 + .../input/missing-file-initially.bro | 12 +-- .../base/frameworks/input/missing-file.bro | 1 + 11 files changed, 187 insertions(+), 60 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out create mode 100644 testing/btest/scripts/base/frameworks/input/invalid-lines.bro diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 521e8d4ca3..83d8ced94b 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -19,16 +19,32 @@ export { ## String to use for an unset &optional field. const unset_field = Input::unset_field &redef; - ## Choose if the ascii input reader should globally - ## fail on invalid lines and continue parsing afterward. - ## Individual readers can use a different value. + ## Fail on invalid lines. If set to false, the ascii + ## input reader will jump over invalid lines, reporting + ## warnings in reporter.log. If set to true, errors in + ## input lines will be handled as fatal errors for the + ## reader thread; reading will abort immediately and + ## an error will be logged to reporter.log. + ## Invidivual readers can use a different value using + ## the $config table. + ## fail_on_invalid_lines = T was the default behavior + ## untill Bro 2.5. const fail_on_invalid_lines = F &redef; - ## Set to true if you would like the old behavior of the - ## ascii reader where the reader thread would die if any file - ## errors occur (like permissions problems or file missing). - ## The default behavior is to continue attempting to open and read - ## the file even in light of problems. - ## Individual readers can use a different value. + ## Fail on file read problems. If set to true, the ascii + ## input reader will fail when encountering any problems + ## while reading a file different from invalid lines. + ## Examples fur such problems are permission problems, or + ## missing files. + ## When set to false, these problems will be ignored. This + ## has an especially big effect for the REREAD mode, which will + ## seamlessly recover from read errors when a file is + ## only temporarily inaccessible. For MANUAL or STREAM files, + ## errors will most likely still be fatal since no automatic + ## re-reading of the file is attempted. + ## Invidivual readers can use a different value using + ## the $config table. + ## fail_on_file_problem = T was the default behavior + ## untill Bro 2.5. const fail_on_file_problem = F &redef; } diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 5621a87eb4..bedddce075 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,7 +61,7 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - is_failed = false; + suppress_warnings = false; separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -109,43 +109,48 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - DoUpdate(); - - return true; + return DoUpdate(); } -void Ascii::FailWarn(bool is_error, const char *msg) +void Ascii::FailWarn(bool is_error, const char *msg, bool suppress_future) { if ( is_error ) Error(msg); else - Warning(msg); + { + // suppress error message when we are already in error mode. + // There is no reason to repeat it every second. + if ( ! suppress_warnings ) + Warning(msg); + + if ( suppress_future ) + suppress_warnings = true; + } } bool Ascii::OpenFile() { - if ( file.is_open() && ! is_failed ) + if ( file.is_open() ) return true; file.open(Info().source); + if ( ! file.is_open() ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source)); - is_failed = true; - return !fail_on_file_problem; + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + + return ! fail_on_file_problem; } if ( ReadHeader(false) == false ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; headers are incorrect", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true); + file.close(); - is_failed = true; - return !fail_on_file_problem; + return ! fail_on_file_problem; } - is_failed = false; + suppress_warnings = false; return true; } @@ -158,7 +163,11 @@ bool Ascii::ReadHeader(bool useCached) if ( ! useCached ) { if ( ! GetLine(line) ) + { + FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read", + Info().source), true); return false; + } headerline = line; } @@ -198,12 +207,10 @@ bool Ascii::ReadHeader(bool useCached) continue; } - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source)); + FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", + field->name, Info().source), true); - is_failed = true; - return !fail_on_file_problem; + return false; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -213,12 +220,10 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", - field->secondary_name)); + FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", + field->secondary_name), true); - is_failed = true; - return !fail_on_file_problem; + return false; } f.secondary_position = ifields[field->secondary_name]; @@ -258,7 +263,7 @@ bool Ascii::GetLine(string& str) bool Ascii::DoUpdate() { if ( ! OpenFile() ) - return !fail_on_file_problem; + return ! fail_on_file_problem; switch ( Info().mode ) { case MODE_REREAD: @@ -267,11 +272,10 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + file.close(); - is_failed = true; - return !fail_on_file_problem; + return ! fail_on_file_problem; } if ( sb.st_mtime <= mtime ) // no change @@ -293,10 +297,9 @@ bool Ascii::DoUpdate() if ( Info().mode == MODE_STREAM ) { file.clear(); // remove end of file evil bits - if ( !ReadHeader(true) ) + if ( ! ReadHeader(true) ) { - is_failed = true; - return !fail_on_file_problem; // header reading failed + return ! fail_on_file_problem; // header reading failed } break; @@ -360,15 +363,15 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", - line.c_str(), pos, (*fit).position, (*fit).secondary_position)); - - for ( int i = 0; i < fpos; i++ ) - delete fields[i]; - - delete [] fields; + line.c_str(), pos, (*fit).position, (*fit).secondary_position)); if ( fail_on_invalid_lines ) { + for ( int i = 0; i < fpos; i++ ) + delete fields[i]; + + delete [] fields; + return false; } else @@ -432,7 +435,7 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { if ( ! OpenFile() ) - return !fail_on_file_problem; + return ! fail_on_file_problem; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 9300382ca2..7a7fa52590 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -56,8 +56,10 @@ private: bool ReadHeader(bool useCached); bool GetLine(string& str); bool OpenFile(); - void FailWarn(bool is_error, const char *msg); - + // Call Warning or Error, depending on the is_error boolean. + // In case of a warning, setting suppress_future to true will suppress all future warnings + // (by setting suppress_warnings to true, until suppress_warnings is set back to false) + void FailWarn(bool is_error, const char *msg, bool suppress_future = false); ifstream file; time_t mtime; @@ -77,8 +79,8 @@ private: bool fail_on_file_problem; // this is an internal indicator in case the read is currently in a failed state - // it's used by the options for continuing instead of failing and killing the reader. - bool is_failed; + // it's used to suppress duplicate error messages. + bool suppress_warnings; std::unique_ptr formatter; }; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out new file mode 100644 index 0000000000..3406639d29 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out @@ -0,0 +1,26 @@ +{ +[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242 HOHOHO, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]], +[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr index 6c4d0f0194..337cdcda87 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr @@ -1,4 +1,8 @@ warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init failed error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread +warning: ../does-not-exist.dat/Input::READER_ASCII: Could not get stat for ../does-not-exist.dat received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout index d96c6d457d..39309bc8cf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout @@ -1,2 +1,5 @@ now it does and more! +now it does +and more! +Streaming still works diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr index f5d074fe7e..5093925d2d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr @@ -1,2 +1,4 @@ -warning: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat +error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat +error: does-not-exist.dat/Input::READER_ASCII: Init failed +error: does-not-exist.dat/Input::READER_ASCII: terminating thread received termination signal diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro new file mode 100644 index 0000000000..83be1efd09 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro @@ -0,0 +1,67 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = F; + +@TEST-START-FILE input.log +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 HOHOHO +T -41 +@TEST-END-FILE + +@load base/protocols/ssh + +global outfile: file; + +redef InputAscii::empty_field = "EMPTY"; + +module A; + +type Idx: record { + i: int; +}; + +type Val: record { + b: bool; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + ns: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of int; + ve: vector of int; +}; + +global servers: table[int] of Val = table(); +global servers2: table[int] of Val = table(); + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::add_table([$source="../input.log", $name="ssh2", $idx=Idx, $val=Val, $destination=servers2, $config=table(["fail_on_invalid_lines"] = "T")]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, servers; + Input::remove("ssh"); + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro index 1de4e96671..3f5b590dec 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro @@ -13,6 +13,7 @@ @TEST-END-FILE redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = T; global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index a7128a4455..73fd57284e 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -1,10 +1,12 @@ # This tests files that don't exist initially and then do later during # runtime to make sure the ascii reader is resilient to files missing. -# It does a second test at the same time which configures the old +# It does a second test at the same time which configures the old # failing behavior. # @TEST-EXEC: btest-bg-run bro bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: sleep 2; cp does-exist.dat does-not-exist.dat +# @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat +# @TEST-EXEC: btest-bg-wait -k 3 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff bro/.stderr @@ -40,8 +42,8 @@ event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) event bro_init() { Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); - Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, + Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="inputmanual", $reader=Input::READER_ASCII, $mode=Input::MANUAL, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, $config=table(["fail_on_file_problem"] = "T")]); - - system("sleep 2; mv ../does-exist.dat ../does-not-exist.dat;"); } diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index 08adfe2150..2ec3bb937f 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro @@ -3,6 +3,7 @@ # @TEST-EXEC: btest-diff bro/.stderr redef exit_only_after_terminate = T; +redef InputAscii::fail_on_file_problem = T; global outfile: file; global try: count; From dc2cfd8a1071ec3b30bd130d859758b3353f4b11 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Mar 2017 12:51:54 -0800 Subject: [PATCH 188/288] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 14c18508bb..dceda16935 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 14c18508bb385c8f55cd79738ee87ca2b85eba27 +Subproject commit dceda169351ddd0c7fe7a5ae5496be1d7af2367b From 5ec4e00fcd802445ed176258684aecbaf768f5a1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 8 Mar 2017 14:19:31 -0600 Subject: [PATCH 189/288] Fix some Coverity warnings Fixed some Coverity warnings in RemoteSerializer::ProcessLogCreateWriter(). Upon failure, CreateWriterForRemoteLog() frees the "info" and "fields" pointers, so they are now set to null in order to avoid freeing them a second time. --- src/RemoteSerializer.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 2adecfc89a..7d8899d8b9 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -2732,7 +2732,8 @@ bool RemoteSerializer::ProcessLogCreateWriter() if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) ) { - delete_fields_up_to = num_fields; + info = 0; + fields = 0; goto error; } From ff4d624ebe4bee14211ae49beb789b7221fe8e27 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Mar 2017 12:18:35 -0500 Subject: [PATCH 190/288] Minor documentation fixes. --- scripts/base/frameworks/input/readers/ascii.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 83d8ced94b..1d4072e118 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -25,16 +25,16 @@ export { ## input lines will be handled as fatal errors for the ## reader thread; reading will abort immediately and ## an error will be logged to reporter.log. - ## Invidivual readers can use a different value using + ## Individual readers can use a different value using ## the $config table. ## fail_on_invalid_lines = T was the default behavior - ## untill Bro 2.5. + ## until Bro 2.6. const fail_on_invalid_lines = F &redef; ## Fail on file read problems. If set to true, the ascii ## input reader will fail when encountering any problems ## while reading a file different from invalid lines. - ## Examples fur such problems are permission problems, or + ## Examples of such problems are permission problems, or ## missing files. ## When set to false, these problems will be ignored. This ## has an especially big effect for the REREAD mode, which will @@ -42,9 +42,9 @@ export { ## only temporarily inaccessible. For MANUAL or STREAM files, ## errors will most likely still be fatal since no automatic ## re-reading of the file is attempted. - ## Invidivual readers can use a different value using + ## Individual readers can use a different value using ## the $config table. ## fail_on_file_problem = T was the default behavior - ## untill Bro 2.5. + ## until Bro 2.6. const fail_on_file_problem = F &redef; } From d505670f599c09f21eed275b0d79f910eaa3bf2e Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Mar 2017 12:43:41 -0500 Subject: [PATCH 191/288] Updating NEWS --- NEWS | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/NEWS b/NEWS index 9aa1e35c7c..7fbc7cfd4f 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) +Bro 2.6 +======= + +Changed Functionality +--------------------- + +- The input framework's Ascii reader is now more resilient. If an input + is marked to reread a file when it changes and the file didn't exist + during a check Bro would stop watching the file in previous versions. + The same could happen with bad data in a line of a file. These + situations do not cause Bro to stop watching input files anymore. The + old behavior is available through settings in the Ascii reader. + Bro 2.5 ======= From 05746ab7fcfdbd966bb4e39403dd004e42a75fc4 Mon Sep 17 00:00:00 2001 From: Pete Date: Sun, 12 Mar 2017 12:53:12 -0400 Subject: [PATCH 192/288] print version string to stdout on --version When running a *nix command from the prompt, and output is expected, that output should be sent to stdout, not stderr. The --version option is such a case. The outputted version string is not an indication of error or a diagnostic output; it is the expected output, thus should follow standard conventions and be output to stdout.. --- src/main.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.cc b/src/main.cc index 55636a9496..d9f8ff5b0b 100644 --- a/src/main.cc +++ b/src/main.cc @@ -595,7 +595,7 @@ int main(int argc, char** argv) break; case 'v': - fprintf(stderr, "%s version %s\n", prog, bro_version()); + fprintf(stdout, "%s version %s\n", prog, bro_version()); exit(0); break; From a38f44b1fddac4c7fd3e8bdb59a64ce952c7703b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:16:15 -0700 Subject: [PATCH 193/288] Fix coverity warning in Ascii reader. --- src/input/readers/ascii/Ascii.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index bedddce075..3440d9565d 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -49,6 +49,7 @@ FieldMapping FieldMapping::subType() Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; + suppress_warnings = false; } Ascii::~Ascii() From 17fa1b6fede10765a8f483727358c98aa324e656 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:16:19 -0700 Subject: [PATCH 194/288] Fix compiler warnings raised by llvm 8.0. Warning was: warning: moving a temporary object prevents copy elision [-Wpessimizing-move] --- src/input/readers/raw/Plugin.cc | 2 +- src/threading/Queue.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc index 0dd1b47fc7..e16a233fe6 100644 --- a/src/input/readers/raw/Plugin.cc +++ b/src/input/readers/raw/Plugin.cc @@ -30,6 +30,6 @@ void Plugin::Done() std::unique_lock Plugin::ForkMutex() { - return std::move(std::unique_lock(fork_mutex, std::defer_lock)); + return std::unique_lock(fork_mutex, std::defer_lock); } diff --git a/src/threading/Queue.h b/src/threading/Queue.h index bf0f0db82c..9ac9268a7a 100644 --- a/src/threading/Queue.h +++ b/src/threading/Queue.h @@ -124,7 +124,7 @@ inline static std::unique_lock acquire_lock(std::mutex& m) { try { - return std::move(std::unique_lock(m)); + return std::unique_lock(m); } catch ( const std::system_error& e ) { @@ -224,7 +224,7 @@ inline std::vector> Queue::LocksForAllQueues() throw std::exception(); } - return std::move(locks); + return locks; } template From 7180c704f649d7aaa66a826daebb02c6efd10384 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:56:55 -0700 Subject: [PATCH 195/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 73dbc79ac2..58e9df0694 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 +Subproject commit 58e9df0694cc900b20decf26fbd7add6ee91212f From 2d7c84956c0df80763f7b1eb4c5f9d15c21f3a4b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 16:08:14 -0700 Subject: [PATCH 196/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 58e9df0694..96583ab378 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 58e9df0694cc900b20decf26fbd7add6ee91212f +Subproject commit 96583ab378b1de32ac9804246e1b0e2845fc8b3e From 750e3e358f5c6e7ab80a6309bdf9d5a6854518ed Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 14 Mar 2017 06:58:42 -0700 Subject: [PATCH 197/288] Update submodule [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 9f33570d53..51bf79d3fc 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 9f33570d53e1b970d7905e305940fd55637c5c76 +Subproject commit 51bf79d3fc78b5e86c554afe7c24c44b025aa67f From 6544e365645b75d85c3836894a20c2339e79c399 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 15 Mar 2017 08:00:36 -0700 Subject: [PATCH 198/288] Remove cluster catch and release. This test keeps failing intermittently because of timing issues that are surprisingly hard to fix. --- .../manager-1.netcontrol.log | 23 --- .../manager-1.netcontrol_catch_release.log | 18 --- .../worker-2..stdout | 9 -- .../netcontrol/catch-and-release-cluster.bro | 132 ------------------ 4 files changed, 182 deletions(-) delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout delete mode 100644 testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log deleted file mode 100644 index 974349e229..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log +++ /dev/null @@ -1,23 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol -#open 2016-08-12-17-38-49 -#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin -#types time string enum string enum string enum string string string string int interval string string -1471023529.752740 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1471023532.819263 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.819263 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE EXPIRE NetControl::TIMEOUT NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.921768 worker-1:2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - worker-2 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -#close 2016-08-12-17-38-54 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log deleted file mode 100644 index 54202fffbe..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log +++ /dev/null @@ -1,18 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol_catch_release -#open 2016-08-12-17-38-52 -#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message -#types time string addr enum interval interval time time count string string -1471023532.819263 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 worker-1:2 8.8.8.8 NetControl::ADDED 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic. -1471023532.920126 worker-1:2 8.8.8.8 NetControl::UNBLOCK 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 - -1471023534.308087 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Block seen while in rule_entities. No action taken. -1471023534.308087 2 192.168.18.50 NetControl::UNBLOCK 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 worker-2 -1471023534.308087 4 8.8.8.8 NetControl::SEEN_AGAIN 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023534.308087 4 8.8.8.8 NetControl::DROPPED 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023532.239980 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Already blocked using catch-and-release - ignoring duplicate -#close 2016-08-12-17-38-54 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout deleted file mode 100644 index f61fe92474..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout +++ /dev/null @@ -1,9 +0,0 @@ -Suspend, worker-2 -New block, 192.168.18.50, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -New block, 8.8.8.8, [block_until=, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=worker-1:2, location=direct cr worker-1] -Resume, worker-2 -Connection established -Info, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -Delete block, 192.168.18.50 -New block, 8.8.8.8, [block_until=1471030196.295249, watch_until=1471112996.295249, num_reblocked=1, current_interval=1, current_block_id=4, location=direct cr worker-1] -remote connection closed diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro deleted file mode 100644 index fd7de7e442..0000000000 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro +++ /dev/null @@ -1,132 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff manager-1/netcontrol.log -# @TEST-EXEC: btest-diff manager-1/netcontrol_catch_release.log -# @TEST-EXEC: btest-diff worker-2/.stdout - -@TEST-START-FILE cluster-layout.bro -redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], -}; -@TEST-END-FILE - -redef exit_only_after_terminate = T; - -redef Log::default_rotation_interval = 0secs; - -@load base/frameworks/netcontrol -redef NetControl::catch_release_warn_blocked_ip_encountered = T; - -global ready_for_data_1: event(); -global ready_for_data_2: event(); -redef Cluster::manager2worker_events += /^ready_for_data_(1|2)$/; - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - -global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 - { - ++peer_count; - print "remote_connection_handshake_done", peer_count; - if ( peer_count == 2 ) - { - event ready_for_data_1(); - schedule 1.5sec { ready_for_data_2() }; - } - } - -@endif - -@if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() - { - print "Suspend", Cluster::node; - suspend_processing(); - } - -event remote_connection_closed(p: event_peer) { - print "remote connection closed"; - terminate(); -} -@endif - -@if ( Cluster::node == "worker-1" ) -event ready_for_data_1() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event ready_for_data_2() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -event NetControl::init() - { - local netcontrol_debug = NetControl::create_debug(T); - NetControl::activate(netcontrol_debug, 0); - } - -global i: count = 0; - -event connection_established(c: connection) - { - print "Connection established"; - local id = c$id; - local info = NetControl::get_catch_release_info(id$orig_h); - print "Info", info; - NetControl::drop_address_catch_release(id$orig_h, cat("connection drop ", Cluster::node)); - if ( info$current_block_id != "" ) - { - NetControl::unblock_address_catch_release(id$orig_h, Cluster::node); - } - } - -@if ( Cluster::node == "worker-1" ) -event connection_established(c: connection) - { - NetControl::drop_address(8.8.8.8, 0.1secs, cat("direct drop ", Cluster::node)); - NetControl::drop_address_catch_release(8.8.8.8, cat("direct cr ", Cluster::node)); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event connection_established(c: connection) - { - NetControl::catch_release_seen(8.8.8.8); - } -@endif - -event NetControl::catch_release_block_new(a: addr, b: NetControl::BlockInfo) - { - print "New block", a, b; - } - -event NetControl::catch_release_block_delete(a: addr) - { - print "Delete block", a; - } - -event terminate_me() { - terminate(); -} - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) -event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string) - { - print "Scheduling terminate"; - schedule 3sec { terminate_me() }; - } -@endif From 2b3dcc273af53b5f917a97680dc1e464458f3499 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Mar 2017 12:29:50 -0700 Subject: [PATCH 199/288] KRB: Fix small recently introduced files bug. is_orig was set incorrectly for responses. --- src/analyzer/protocol/krb/krb-padata.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index 4667ab1677..271958fcb4 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -100,7 +100,7 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); + bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; From dcf49078573e3070a07cc83e842fac90637f9651 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Mar 2017 13:50:32 -0700 Subject: [PATCH 200/288] Add CT log information to Bro This commit add the table SSL::ct_logs to Bro. This table is populated with information about the currently active certificate transparency logs (data from Google). The data can, e.g., be used to identify which Logs are being used in SCTs. --- scripts/base/protocols/ssl/__load__.bro | 1 + scripts/base/protocols/ssl/ct-list.bro | 34 +++++++++++++++++++ scripts/base/protocols/ssl/main.bro | 13 +++++++ .../.stdout | 8 ++--- .../.stdout | 6 ++-- .../x509/signed_certificate_timestamp.test | 2 +- .../ssl/signed_certificate_timestamp.test | 2 +- 7 files changed, 57 insertions(+), 9 deletions(-) create mode 100644 scripts/base/protocols/ssl/ct-list.bro diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro index 42287fb039..b8e4d52523 100644 --- a/scripts/base/protocols/ssl/__load__.bro +++ b/scripts/base/protocols/ssl/__load__.bro @@ -1,6 +1,7 @@ @load ./consts @load ./main @load ./mozilla-ca-list +@load ./ct-list @load ./files @load-sigs ./dpd.sig diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro new file mode 100644 index 0000000000..600b644df2 --- /dev/null +++ b/scripts/base/protocols/ssl/ct-list.bro @@ -0,0 +1,34 @@ +# +# Do not edit this file. This file is automatically generated by gen-ct-list.pl +# File generated at Thu Mar 16 13:41:00 2017 +# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# + +@load base/protocols/ssl +module SSL; +redef ct_logs += { +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", $url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +}; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 858fa343bb..dbe5f2bccd 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -74,6 +74,19 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + type CTInfo: record { + description: string; + operator: string; + key: string; + maximum_merge_delay: count; + url: string; + }; + + ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## script sets this to the current list of known logs. Entries + ## are indexex by (binary) log-id. + const ct_logs: table[string] of CTInfo = {} &redef; + ## If true, detach the SSL analyzer from the connection to prevent ## continuing to process encrypted traffic. Helps with performance ## (especially with large file transfers). diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index 4b81b287a6..a27331e535 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -1,4 +1,4 @@ -0, 1474927230.876, 4, 3 -0, 1474927232.863, 4, 3 -0, 1474927232.112, 4, 3 -0, 1474927232.304, 4, 3 +0, Symantec log, 1474927230.876, 4, 3 +0, Google 'Rocketeer' log, 1474927232.863, 4, 3 +0, Google 'Aviator' log, 1474927232.112, 4, 3 +0, Google 'Pilot' log, 1474927232.304, 4, 3 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index abed68df42..bc56f161ab 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout @@ -1,3 +1,3 @@ -0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5203bda7ee..5b4c02dd01 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index 80a041c316..bcc0a87637 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; } From d50bddfbfbf196dc88ba097aa1c0095ff9c5c2eb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Mar 2017 18:18:39 -0700 Subject: [PATCH 201/288] SCT: pass timestamp as uint64 instead of time For verification, we need the exact uint64 as it was seen on the wire; converting it to a double might mean that we loose precision. --- src/analyzer/protocol/ssl/events.bif | 5 +++-- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +- src/file_analysis/analyzer/x509/events.bif | 5 +++-- src/file_analysis/analyzer/x509/x509-extension.pac | 2 +- .../base/files/x509/signed_certificate_timestamp.test | 4 ++-- .../base/protocols/ssl/signed_certificate_timestamp.test | 4 ++-- 6 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 5f0e0c4557..721fcd249c 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -238,13 +238,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ## logid: 32 bit key id ## -## timestamp: the current NTP Time +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 6882e48cbb..d7ccef45b6 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -259,7 +259,7 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${rec.is_orig}, version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, ha, new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) ); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index f8084fa864..206555e9dd 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -67,10 +67,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## ## logid: 32 bit key id ## -## timestamp: the timestamp of the sct +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index e77a82307a..937706fd3b 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -39,7 +39,7 @@ refine connection MockConnection += { bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, digitally_signed_algorithms->HashAlgorithm(), digitally_signed_algorithms->SignatureAlgorithm(), new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5b4c02dd01..c0fe06d4d3 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index bcc0a87637..d0eaacd096 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; } From 05915571dbc0bc8697c9a40b3f8f3d33beb37c6e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 20 Mar 2017 12:17:40 -0700 Subject: [PATCH 202/288] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 96583ab378..cf7ea4e1ad 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 96583ab378b1de32ac9804246e1b0e2845fc8b3e +Subproject commit cf7ea4e1ad18920058f32e95bbea3bdd765b6094 From ca51dfc9c7ea47bb63de5f00aa68a92d05eff0e1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 22 Mar 2017 14:37:37 -0500 Subject: [PATCH 203/288] Fix a test that was failing on some platforms Fixed by sorting the .stderr file, since the ordering of lines was not consistent on all platforms. --- .../scripts/base/frameworks/input/missing-file-initially.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index 73fd57284e..4db255b69d 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -8,7 +8,7 @@ # @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat # @TEST-EXEC: btest-bg-wait -k 3 # @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff bro/.stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr @TEST-START-FILE does-exist.dat #separator \x09 From c403a7f4e69be16c71d74b307cf17064edbbaf37 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Mar 2017 11:40:49 -0700 Subject: [PATCH 204/288] SCT: add validation of proofs for extensions and OCSP. This does not yet work for certificates, because this requires some changing the ASN.1 structure before validation (we need to extract the tbscert and remove the SCT extension before). API will change in the future. --- src/analyzer/protocol/ssl/functions.bif | 1 + src/file_analysis/analyzer/x509/functions.bif | 95 +++++++++++++++++++ .../.stdout | 6 ++ .../.stdout | 6 ++ .../signed_certificate_timestamp_ocsp.test | 31 ++++++ .../ssl/signed_certificate_timestamp.test | 32 +++++++ 6 files changed, 171 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index f7fa76ca36..17720bcbb1 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif @@ -1,6 +1,7 @@ %%{ #include "analyzer/protocol/ssl/SSL.h" +#include %%} ## Sets if the SSL analyzer should consider the connection established (handshake diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 0fe65c7d55..161a009515 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1,6 +1,7 @@ %%{ #include "file_analysis/analyzer/x509/X509.h" #include "types.bif.h" +#include "net_util.h" #include #include @@ -543,6 +544,100 @@ x509_verify_chainerror: return rrecord; %} +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool + %{ + assert(cert); + file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + X509* x = ((file_analysis::X509Val*) h)->GetCertificate(); + + assert(sizeof(timestamp) >= 8); + uint64_t timestamp_network = htonll(timestamp); + + std::string data; + data.push_back(0); // version + data.push_back(0); // signature_type -> certificate_timestamp + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + data.append("\0\0", 2); // entry-type: x509_entry + + unsigned char *cert_out = nullptr; + uint32 cert_length = i2d_X509(x, &cert_out); + assert( cert_out ); + uint32 cert_length_network = htonl(cert_length); + assert( sizeof(cert_length_network) == 4); + + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + OPENSSL_free(cert_out); + data.append("\0\0", 2); // no extensions + + // key is given as a DER-encoded SubjectPublicKeyInfo. + const unsigned char *key_char = log_key->Bytes(); + EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len()); + + EVP_MD_CTX *mdctx = EVP_MD_CTX_create(); + assert(mdctx); + + string errstr; + int success = 0; + + const EVP_MD* hash; + // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 + switch ( hash_algorithm ) + { + case 1: + hash = EVP_md5(); + break; + case 2: + hash = EVP_sha1(); + break; + case 3: + hash = EVP_sha224(); + break; + case 4: + hash = EVP_sha256(); + break; + case 5: + hash = EVP_sha384(); + break; + case 6: + hash = EVP_sha512(); + break; + default: + errstr = "Unknown hash algorithm"; + goto sct_verify_err; + } + + if ( ! key ) + { + errstr = "Could not load log key"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) ) + { + errstr = "Could not init signature verification"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) ) + { + errstr = "Could not update digest for verification"; + goto sct_verify_err; + } + + success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); + EVP_MD_CTX_destroy(mdctx); + + return new Val(success, TYPE_BOOL); + +sct_verify_err: + if (mdctx) + EVP_MD_CTX_destroy(mdctx); + cerr << errstr << endl; + reporter->Error("%s", errstr.c_str()); + return new Val(0, TYPE_BOOL); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout new file mode 100644 index 0000000000..5384f4e6b7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout @@ -0,0 +1,6 @@ +0, Google 'Pilot' log, 1406997753.366, 4, 3 +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +0, Google 'Aviator' log, 1407002457.456, 4, 3 +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index bc56f161ab..342228a1cf 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout @@ -1,3 +1,9 @@ 0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test new file mode 100644 index 0000000000..01ed128541 --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test @@ -0,0 +1,31 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm); + print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm); + } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index d0eaacd096..0b9c5fc157 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -1,7 +1,39 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg); + } } From 41a2028dee5b6a885e645386d1c71f49000e8611 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Mar 2017 13:53:50 -0700 Subject: [PATCH 205/288] SCT: only compare correct OID/NID for Cert/OCSP. The old way of doing it did not really cause problems - but now only the OID that can be used in practice is checked. --- src/file_analysis/analyzer/x509/OCSP.cc | 2 +- src/file_analysis/analyzer/x509/X509.cc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 7a6a3c9a12..6ce51f9dd3 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -345,7 +345,7 @@ clean_up: void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { #ifdef NID_ct_cert_scts - if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) #else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 ) #endif diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index f9ec91c9d1..b26bd4a1da 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -241,9 +241,9 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa ParseSAN(ex); #ifdef NID_ct_cert_scts - else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else - else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) #endif ParseSignedCertificateTimestamps(ex); } From 115a676d0838ed1e70b97b5943fcda652bdbdf57 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Mar 2017 15:53:47 -0700 Subject: [PATCH 206/288] SCT: Allow verification of SCTs in Certs. This is much more complex than the TLS Extension/OCSP cases. We need to first alter the certificate and remove the extension from it, before extracting the tbscert. Furthermore, we need the key hash of the issuing certificate to be able to validate the proof - which means that we need a valid certificate chain. Missing: documentation, nice integration so that we can just add a script and use this in Bro. --- .../policy/protocols/ssl/validate-certs.bro | 39 ++- src/file_analysis/analyzer/x509/functions.bif | 286 +++++++++++------- .../.stdout | 8 + .../x509/signed_certificate_timestamp.test | 55 ++++ 4 files changed, 277 insertions(+), 111 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 97072e4cab..5ab2017cc6 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -19,12 +19,17 @@ export { redef record Info += { ## Result of certificate validation for this connection. validation_status: string &log &optional; + ## Result of certificate validation for this connection, given + ## as OpenSSL validation code. + validation_code: count &optional; + ## Ordered chain of validated certificate, if validation succeeded. + valid_chain: vector of opaque of x509 &optional; }; - ## MD5 hash values for recently validated chains along with the + ## Result values for recently validated chains along with the ## validation status are kept in this table to avoid constant ## validation every time the same certificate chain is seen. - global recently_validated_certs: table[string] of string = table() + global recently_validated_certs: table[string] of X509::Result = table() &read_expire=5mins &redef; ## Use intermediate CA certificate caching when trying to validate @@ -39,6 +44,11 @@ export { ## that you encounter. Only disable if you want to find misconfigured servers. global ssl_cache_intermediate_ca: bool = T &redef; + ## Store the valid chain in c$ssl$valid_chain if validation succeeds. + ## This has a potentially high memory impact, depending on the local environment + ## and is thus disabled by default. + global ssl_store_valid_chain: bool = F &redef; + ## Event from a worker to the manager that it has encountered a new ## valid intermediate. global intermediate_add: event(key: string, value: vector of opaque of x509); @@ -83,7 +93,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509) } @endif -function cache_validate(chain: vector of opaque of x509): string +function cache_validate(chain: vector of opaque of x509): X509::Result { local chain_hash: vector of string = vector(); @@ -97,7 +107,10 @@ function cache_validate(chain: vector of opaque of x509): string return recently_validated_certs[chain_id]; local result = x509_verify(chain, root_certs); - recently_validated_certs[chain_id] = result$result_string; + if ( ! ssl_store_valid_chain && result?$chain_certs ) + recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string); + else + recently_validated_certs[chain_id] = result; # if we have a working chain where we did not store the intermediate certs # in our cache yet - do so @@ -120,7 +133,7 @@ function cache_validate(chain: vector of opaque of x509): string } } - return result$result_string; + return result; } event ssl_established(c: connection) &priority=3 @@ -133,7 +146,7 @@ event ssl_established(c: connection) &priority=3 local intermediate_chain: vector of opaque of x509 = vector(); local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; local hash = c$ssl$cert_chain[0]$sha1; - local result: string; + local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from @@ -145,9 +158,12 @@ event ssl_established(c: connection) &priority=3 intermediate_chain[i+1] = intermediate_cache[issuer][i]; result = cache_validate(intermediate_chain); - if ( result == "ok" ) + if ( result$result_string == "ok" ) { - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; return; } } @@ -163,9 +179,12 @@ event ssl_established(c: connection) &priority=3 } result = cache_validate(chain); - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; - if ( result != "ok" ) + if ( result$result_string != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 161a009515..83e73e5d46 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -140,6 +140,33 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +const EVP_MD* hash_to_evp(int hash) + { + switch ( hash ) + { + case 1: + return EVP_md5(); + break; + case 2: + return EVP_sha1(); + break; + case 3: + return EVP_sha224(); + break; + case 4: + return EVP_sha256(); + break; + case 5: + return EVP_sha384(); + break; + case 6: + return EVP_sha512(); + break; + default: + return nullptr; + } + } + %%} ## Parses a certificate into an X509::Certificate structure. @@ -544,7 +571,7 @@ x509_verify_chainerror: return rrecord; %} -function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); file_analysis::X509Val* h = (file_analysis::X509Val*) cert; @@ -553,21 +580,73 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa assert(sizeof(timestamp) >= 8); uint64_t timestamp_network = htonll(timestamp); + bool precert = issuer_key_hash->Len() > 0; + if ( precert && issuer_key_hash->Len() != 32) + { + reporter->Error("Invalid issuer_key_hash length"); + return new Val(0, TYPE_BOOL); + } + std::string data; data.push_back(0); // version data.push_back(0); // signature_type -> certificate_timestamp - data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits - data.append("\0\0", 2); // entry-type: x509_entry + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + if ( precert ) + data.append("\0\1", 2); // entry-type: precert_entry + else + data.append("\0\0", 2); // entry-type: x509_entry + + if ( precert ) + { + x = X509_dup(x); + assert(x); + #ifdef NID_ct_precert_scts + int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); + if ( pos < 0 ) + { + reporter->Error("NID_ct_precert_scts not found"); + return new Val(0, TYPE_BOOL); + } + #else + int num_ext = X509_get_ext_count(x); + int pos = -1; + for ( int k = 0; k < num_ext; ++k ) + { + char oid[256]; + X509_EXTENSION* ex = X509_get_ext(x, k); + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + OBJ_obj2txt(oid, 255, ext_asn, 1); + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) + { + pos = k; + break; + } + } + #endif + X509_EXTENSION_free(X509_delete_ext(x, pos)); + assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); + } unsigned char *cert_out = nullptr; - uint32 cert_length = i2d_X509(x, &cert_out); + uint32 cert_length; + if ( precert ) + { + // we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2 + x->cert_info->enc.modified = 1; + cert_length = i2d_X509_CINF(x->cert_info, &cert_out); + data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); + } + else + cert_length = i2d_X509(x, &cert_out); assert( cert_out ); uint32 cert_length_network = htonl(cert_length); assert( sizeof(cert_length_network) == 4); - data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length - data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate OPENSSL_free(cert_out); + if ( precert ) + X509_free(x); data.append("\0\0", 2); // no extensions // key is given as a DER-encoded SubjectPublicKeyInfo. @@ -580,31 +659,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa string errstr; int success = 0; - const EVP_MD* hash; - // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 - switch ( hash_algorithm ) + const EVP_MD* hash = hash_to_evp(hash_algorithm); + if ( ! hash ) { - case 1: - hash = EVP_md5(); - break; - case 2: - hash = EVP_sha1(); - break; - case 3: - hash = EVP_sha224(); - break; - case 4: - hash = EVP_sha256(); - break; - case 5: - hash = EVP_sha384(); - break; - case 6: - hash = EVP_sha512(); - break; - default: - errstr = "Unknown hash algorithm"; - goto sct_verify_err; + errstr = "Unknown hash algorithm"; + goto sct_verify_err; } if ( ! key ) @@ -638,6 +697,93 @@ sct_verify_err: return new Val(0, TYPE_BOOL); %} + +%%{ +/** + * 0 -> subject name + * 1 -> issuer name + * 2 -> pubkey + */ +StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) + { + assert(cert_handle); + + if ( type > 2 ) + { + reporter->InternalError("Unknown type in x509_entity_hash"); + return nullptr; + } + + X509 *cert_x509 = cert_handle->GetCertificate(); + if ( cert_x509 == nullptr ) + { + builtin_error("cannot get cert from opaque"); + return nullptr; + } + + X509_NAME *subject_name = X509_get_subject_name(cert_x509); + X509_NAME *issuer_name = X509_get_issuer_name(cert_x509); + if ( subject_name == nullptr || issuer_name == nullptr ) + { + builtin_error("fail to get subject/issuer name from certificate"); + return nullptr; + } + + const EVP_MD *dgst = hash_to_evp(hash_alg); + if ( dgst == nullptr ) + { + builtin_error("Unknown hash algorithm."); + return nullptr; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + memset(md, 0, sizeof(md)); + unsigned int len = 0; + + int res = 0; + + ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); + if ( key == 0 ) + { + printf("No key in X509_get0_pubkey_bitstr\n"); + } + + if ( type == 0 ) + res = X509_NAME_digest(subject_name, dgst, md, &len); + else if ( type == 1 ) + res = X509_NAME_digest(issuer_name, dgst, md, &len); + else if ( type == 2 ) + { + unsigned char *spki = nullptr; + int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki); + if ( ! pklen ) + { + builtin_error("Could not get SPKI"); + return nullptr; + } + res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr); + OPENSSL_free(spki); + } + + if ( ! res ) + { + builtin_error("Could not perform hash"); + return nullptr; + } + + assert( len <= sizeof(md) ); + + return new StringVal(len, reinterpret_cast(md)); + } +%%} + +function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 0); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. @@ -649,78 +795,16 @@ sct_verify_err: ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify -function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ - assert(cert); - assert(hash_alg); - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; - X509 *cert_x509 = cert_handle->GetCertificate(); - if (cert_x509 == NULL) - { - builtin_error("cannot get cert from opaque"); - return NULL; - } - X509_NAME *issuer_name = NULL; - StringVal *issuer_name_str = NULL; - issuer_name = X509_get_issuer_name(cert_x509); - if (issuer_name == NULL) - { - builtin_error("fail to get issuer name from certificate"); - return NULL; - } - - const char* h = hash_alg->CheckString(); - if (h == NULL) - { - builtin_error("fail to get hash algorithm from input"); - return NULL; - } - - const EVP_MD *dgst; - if (strcmp(h, "sha1") == 0) - dgst = EVP_sha1(); - else if (strcmp(h, "sha224") == 0) - dgst = EVP_sha224(); - else if (strcmp(h, "sha256") == 0) - dgst = EVP_sha256(); - else if (strcmp(h, "sha384") == 0) - dgst = EVP_sha384(); - else if (strcmp(h, "sha512") == 0) - dgst = EVP_sha512(); - else - { - reporter->Error("Unknown digest!"); - return NULL; - } - if (dgst == NULL) - { - builtin_error("fail to allocate digest"); - return NULL; - } - - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int len = 0; - ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING); - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - char buf[1024]; - memset(buf, 0, sizeof(buf)); - - if (!X509_NAME_digest(issuer_name, dgst, md, &len)) - goto err; - if (!ASN1_OCTET_STRING_set(oct_str, md, len)) - goto err; - if (i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0) - goto err; - new_len = BIO_read(bio, buf, sizeof(buf)); - if (new_len > 0) - issuer_name_str = new StringVal(new_len, buf); - - //NOTE: the result string may contain "\\x0a" for sha384 and sha512 - // probably need to remove it from here? -err: - BIO_free_all(bio); - return issuer_name_str; + return x509_entity_hash(cert_handle, hash_alg, 1); + %} + +function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 2); %} diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index a27331e535..e11616d745 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -2,3 +2,11 @@ 0, Google 'Rocketeer' log, 1474927232.863, 4, 3 0, Google 'Aviator' log, 1474927232.112, 4, 3 0, Google 'Pilot' log, 1474927232.304, 4, 3 +Verify of, Symantec log, T +Bad verify of, Symantec log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index c0fe06d4d3..8bb920ee71 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -1,7 +1,62 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +@load protocols/ssl/validate-certs + +redef SSL::ssl_store_valid_chain = T; + +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( |c$ssl$valid_chain| < 2 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash); + } } From 22b1eda472a3dc2c6584dc7734cbf6beb48b83b5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 21 Mar 2017 18:55:43 -0700 Subject: [PATCH 207/288] SCT: Add signed certificate timestamp validation script. This also rewrites the certificate validation script (which we need for this) slightly. This could need a bit of caching, but should generally work very reliably. --- .../policy/protocols/ssl/validate-certs.bro | 27 ++- scripts/policy/protocols/ssl/validate-sct.bro | 173 ++++++++++++++++++ .../.stdout | 17 ++ .../ssl-all.log | 20 ++ .../tls/signed_certificate_timestamp-2.pcap | Bin 0 -> 7982 bytes .../policy/protocols/ssl/validate-sct.bro | 21 +++ 6 files changed, 249 insertions(+), 9 deletions(-) create mode 100644 scripts/policy/protocols/ssl/validate-sct.bro create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-sct.bro diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 5ab2017cc6..4c100ac413 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -120,8 +120,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result |result$chain_certs| > 2 ) { local result_chain = result$chain_certs; - local icert = x509_parse(result_chain[1]); - if ( icert$subject !in intermediate_cache ) + local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256 + if ( isnh !in intermediate_cache ) { local cachechain: vector of opaque of x509; for ( i in result_chain ) @@ -129,33 +129,42 @@ function cache_validate(chain: vector of opaque of x509): X509::Result if ( i >=1 && i<=|result_chain|-2 ) cachechain[i-1] = result_chain[i]; } - add_to_cache(icert$subject, cachechain); + add_to_cache(isnh, cachechain); } } return result; } -event ssl_established(c: connection) &priority=3 +# The server issues CCS only after sending the certificates. This should +# be more robust than using SSL_established, on the off chance that we don't +# get that event. +# +# This is not TLSv1.3 compatible - but we will not have certificates in +# that case in any way, so it even saves us a few cycles. +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 { + if ( is_orig ) + return; + # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; local intermediate_chain: vector of opaque of x509 = vector(); - local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256 local hash = c$ssl$cert_chain[0]$sha1; local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from # the server. - if ( ssl_cache_intermediate_ca && issuer in intermediate_cache ) + if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache ) { intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; - for ( i in intermediate_cache[issuer] ) - intermediate_chain[i+1] = intermediate_cache[issuer][i]; + for ( i in intermediate_cache[issuer_name_hash] ) + intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i]; result = cache_validate(intermediate_chain); if ( result$result_string == "ok" ) @@ -188,7 +197,7 @@ event ssl_established(c: connection) &priority=3 { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$subject, $conn=c, + $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); } } diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro new file mode 100644 index 0000000000..1d3db58494 --- /dev/null +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -0,0 +1,173 @@ +##! Perform validation of Signed Certificate Timestamps, as used +##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 +##! for more details. + +@load base/protocols/ssl +@load protocols/ssl/validate-certs + +# We need to know issuer certificates to be able to determine the IssuerKeyHash, +# which is required for validating certificate extensions. +redef SSL::ssl_store_valid_chain = T; + +module SSL; + +export { + + type SctSource: enum { + SCT_X509_EXT, + SCT_TLS_EXT, + SCT_OCSP_EXT + }; + + type SctInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + source: SctSource; + valid: bool &optional; + }; + + redef record Info += { + valid_scts: count &optional; + invalid_scts: count &optional; + valid_ct_logs: count &log &optional; + valid_ct_operators: count &log &optional; + valid_ct_operators_list: set[string] &optional; + }; + +} + +redef record SSL::Info += { + ct_proofs: vector of SctInfo &default=vector(); +}; + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 + { + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5 + { + local src: SctSource; + if ( ! f?$info ) + return; + + if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" ) + src = SCT_OCSP_EXT; + else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" ) + src = SCT_X509_EXT; + else + return; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); + } + +# Priority = 2 will be handled after validation is done +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 + { + if ( is_orig ) + return; + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_name_hash = x509_issuer_name_hash(cert, 4); + local valid_proofs = 0; + local invalid_proofs = 0; + c$ssl$valid_ct_operators_list = string_set(); + local valid_logs = string_set(); + local issuer_key_hash = ""; + + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + if ( proof$logid !in SSL::ct_logs ) + { + # Well, if we don't know the log, there is nothing to do here... + proof$valid = F; + next; + } + local log = SSL::ct_logs[proof$logid]; + + local valid = F; + + if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); + } + else + { + # X.509 proof. Here things get awkward because we need information about + # the issuer cert... and we need to try a few times, because we have to see if we got + # the right issuer cert. + # + # First - Let's try if a previous round already established the correct issuer key hash. + + if ( issuer_key_hash != "" ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + + # Second - let's see if we might already know the issuer cert through verification. + if ( ! valid && issuer_name_hash in intermediate_cache ) + { + issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 ) + { + issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + # ok, if it still did not work - let's just try with all the certs that were sent + # in the connection. Perhaps it will work with one of them. + + if ( !valid ) + for ( i in c$ssl$cert_chain ) + { + if ( i == 0 ) # end-host-cert + next; + + issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + if ( valid ) + break; + } + } + + proof$valid = valid; + if ( valid ) + { + ++valid_proofs; + add c$ssl$valid_ct_operators_list[log$operator]; + add valid_logs[proof$logid]; + } + else + ++invalid_proofs; + } + + c$ssl$valid_scts = valid_proofs; + c$ssl$invalid_scts = invalid_proofs; + c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|; + c$ssl$valid_ct_logs = |valid_logs|; + } diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout new file mode 100644 index 0000000000..ec22e1c01b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout @@ -0,0 +1,17 @@ +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1410299366023, sig_alg=3, hash_alg=4, signature=0E\x02 )\x89\xd6\xb0S\xd3\xd2\xe9\x91\xbc\xf1\xb5@\xbe\x1e.\xe7\\xb4t'\xed\x8f\x9b\x02\xe9\xfa\xc2L\xba\xa2\xbe\x02!\x00\xafCdRq\x15)X@\x91\xc7\x08\x16\x96\x03\xa8s\xa5e\xa0l\xb8HVZ\xb6)\x83dm*\x9d, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_OCSP_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_OCSP_EXT, valid=T]] +Google 'Pilot' log, T +Google 'Aviator' log, T +Google 'Rocketeer' log, T +Google 'Pilot' log, T +Google 'Aviator' log, T +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487726002208, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x89\x82s\x17\xd9\xcbo\xcf\xc3\xba\x91{\xeb\xe8\xf1\xbe\xc8)\x97\x1e\xe8A\x99P\x00\xaa\xb4\x15\xd97\x93\xca\x02!\x00\xca\xcd\xec\x9e\x12\xeed/v\xf5\xc32\xba\x92S\xe0 }\x85k\xe7\xd4TRp\xe8\x8d~\xba\x9d\x12\x16, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xac;\x9a\xed\x7f\xa9gGW\x15\x9em}WVr\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa11;ux-, timestamp=1487726003188, sig_alg=1, hash_alg=4, signature=\x04\xed\x08\xca\x8e\x1b\x8ba$\xe5\xe8{Y\x96'+\x06\x86\x87o\x1a=i5\x91\xc3\xfd\xf6\xbe\xeao;\xc8\x1c\x01j\xc0\x14\xea\x06\xd3\xe3#w,\x07\x06\xc3\xd0\xdc\xf2L:\xb0{\xfd.\x00\xdf\xc2\xb8w(\xaak\xfe^\xa0\x05\xe1\x84\xad\x1a!\xf2@/J\xcc\xcb8\xbb\xfa`;CF\F\x97t\xfew\xf5y\xfcZ\x08\xb82\x8c\x1dk, timestamp=1487726024253, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x99\x8c\xa5+u\xe1t\x08\x0a\xa9!\xed)\x9b\xb6\xccx\x8d0VN,RZ2\xd93\xdc\xa7 \xa5\xd3\x02!\x00\xc8\xde\x96\x8d\x02\xd6\xfcx\xdbM \x06\x1cq\xe5\x10\xe3 \x18B\\x1d1\x88\xb0\xeb\xf3\xf2\x9b\x99X\xb4, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487726001197, sig_alg=3, hash_alg=4, signature=0E\x02 F\xc2\xfb\x02\xfd\xa3RNy_\x16^\xb54-S\x90\xdbK\x97\x87\x00\x93\xa1\x0d'\xc0<\xbeu\xc4\xab\x02!\x00\xb4\x93\xbb\xe2\xee\x14X\xd4\xcf\xa4\xc1\xd8\xcf\xdaAoaD\xf0\xbbM7\xdb\xb0\xec\xca\x0f\x18\xcbe\x8d\xe9, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487726002855, sig_alg=3, hash_alg=4, signature=0D\x02 I\x06\xb4\x84Zo\xf49\x85\xd2\xbb\xc8\x8bb\x9b\xac\xbd\x84\x00\xf2f\xd0\x14\x0cV\x15_\xc7\x09&\xc1\x9f\x02 M\x0c\x05\x01ab\xe5\x97\xf9\xf8'\x02\xf4\x198\x97\xd2>xa\xc2\xda\xc1saw\xd8]\xc8\x97\xd6], source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487726000774, sig_alg=3, hash_alg=4, signature=0E\x02!\x00\xb1\x1atJ4\x80\xbd\xc5\x97\x7f(\xae^N\xe3WE-AO\x14X\x0aB\x1e\xc4\xb36\x00TVg\x02 o1hk\xec\x9fFG\xa4\xd2&\x97>E\x87\x7f\xcf\x1c\xc8\xdb>j\xc9\xde\xf5\x1e\x97\xf8\xc3e\xcc\x11, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487725321667, sig_alg=3, hash_alg=4, signature=0E\x02 S\xc6N8\xf0\x84\xe5\xc8\xf5C\x87\xf6\xedU\x10\x0b}u2\xd2\x08+\x04\xbbS\xf6a\xc1\xb0\x94\x04\xc3\x02!\x00\xf4\xa2g\xa5!_\xee\x13\xd5\x0f\xd1\xb2\xe8o\x99\x10m\xa9\x0f\xd7W\xd5IH\xaa\x89\xdews\xe3=\x95, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487725322003, sig_alg=3, hash_alg=4, signature=0D\x02 \x04\x9d.\x13Q\xed\xed\xf1l\x9f\xa1\x94\x9dd\xfe\x9c0V|\xb6\xa8|9L5/\xaa\x19\xc7*\xed\xcf\x02 0\x0e+\xe3\xa4S\xfe\x85\xa6X\xcc\x06\xf2\x13\xe9\x0a\x87\xa0I\xdf\x8dr\x13xb\x12\x8c\xe6\xdd\x8f\xa8\xde, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487725322768, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xd37.:`\x98\x08\xb8\xf8\xc0\xad\xb1z\xe2]\x00\xb8\x08"\x97\xc8P\xeb1\x97\x16\x95!\xd0T\xb5\xd6\x02!\x00\xfe\xb8\xa3\xbf\x12\xb6%\x97\x9b\x0f\x0f\x9fc\xccP\xa0\x07\x0c\xe9\xf2\xda\xe9\\x0a\x8e\xeag\x8a\x131\x96?, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487725321891, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xe7\x14'\xc8\x03?\xfc\xf1\xc6\x86\xe4g\xb6s\x034<\xf0\x96\xf0\xe0\x1a\xb8\x953\xe0\xf8U\x1d\x1c\xbf\xe6\x02!\x00\xcag\xf24\xcc\x86\x1aYd\xfb{\x82N\xeb,\xa3\xecu\xf1i\x01\xbc\xd4b\x1a\x9e\xa8\xc4\xca\x8f\x01\x8b, source=SSL::SCT_X509_EXT, valid=T]] +Google 'Pilot' log, T +Venafi log, T +Venafi Gen2 CT log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T +Google 'Pilot' log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log new file mode 100644 index 0000000000..0696d31ffe --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log @@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-35 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1484228945.191472 CHhAvVGS1DHFjwGM9 192.168.178.73 60640 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - http/1.1 T FDWgotac24NQJKrRi,FUHPFD4bNbAmVvzf99,FL5BECVkzTuWWefyh (empty) CN=ritter.vg,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - ok 3 1 +#close 2017-03-22-01-52-35 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-36 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1490146178.647622 CHhAvVGS1DHFjwGM9 192.168.17.58 51995 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - h2 T Fui6LM65IdSB9LD25,FIwxeCtbWPXg98zO1 (empty) CN=ritter.vg,O=Tom Ritter\\, LLC,L=Urbana,ST=Illinois,C=US,serialNumber=0600438893,jurisdictionST=New Jersey,jurisdictionC=US,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok 6 3 +#close 2017-03-22-01-52-36 diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6d19d32049e4b5bcf2359f535836261fb4d8a2cf GIT binary patch literal 7982 zcmd^Ec{o+w+ur+39USA4c{q}x#M#G?LWT+<5@pI8$Iu}n^HkxKql7f7M8sQBN`(w5 z(jZi#Od&%98A3>eZ*5+^rM~y~{{H&@`1Zcmb?v?OUiba1wVri9&tCgw`OP#8goFM* za1ab`m~}5~#tI0K8MsDEfn2YBv~@78?2*oWBBT#Ny7C3OkS@W}p!71Y2HoSZXO$>i z{5qsv6-COy%*?P{AP9rQ=fYSl9)^kR@v^U#(Puc!9Qv6zY|vV8kCr*yISznMfdGmw zq(q4Oh$5p5aB-FBVX9#aU{H(T3wqFCJco|MV6jAifZE#%5Lbe0wESYPytOTA@6wV5 z_NoEY!{$5`D4=N$ey_zgnmzfm&9;HK4-mAZxtR=;F=TA1LMgR$MJZC9S$(;b zT*?ofgOVXCqz17As2f>X5HtfWK-VBHhy+1wzV811uD(iv3`h{vNrS=(@k4w#ED?u; z@mL}r4-*Ll7z0Ci2tV5n;sY=7pv^IE%0xGR|J_uY5-q?S)N(-JJxCr>fROhL15e%Aeu#1R<^I@@A3>Jpi z!AS%d;=n8+aN;0N7!wnNVlIY00;>Nf2kMZu;Uq{4^cO9^xVU`bH0t7YUlzFd;nyLZ z8s7Tbn_u+3Pk>Miw5Rfp9B zmXo($Jf(*5xCbn5I-iZfPn?-)IpS`46Dp-b*qbQ%oX>GUI4lI58uc<@1H^}o#l}EE zP(~qJLavYve{?bVLN#MIyO!E%+*i>z1zkZ;xhgnYcpwP2bEfN3z^cbW8xRAG6m*E` zC)iZw{k**BXjpIe(A|nEN4#zX z5Ca#*^%E=OMGw=LzUvONJte0=U`2b2tZ`R6T0S*)_oKIFg&4fEl>Z~4u1h*-#Ues^ zP0R2`jhwJ4CFsrlf*|=UkLm5H_>KeFB2vS;RO9NZRmBsIn(GYgwOj?8cj!|?ZF*}$ z7H@miIdFa4W5DKE#wya4#eo+ypof+_y?gF#Y~vL_9-egf26=L*YEm_7cxRb^4wIp| z9PfT+xm!o|qS}Cpjdh8Ik=qns%t(}GL~IWXEKqpp(^vW-0pbmtvd!J$As3dhWn{yq zDe%c zhd+@$Q>uSiQhs%C9Aag*!op6uNu}iy<EPG zF+}t+6odPdn5lFNvk(V??Rlz-mI<#-5~HExX`FJUT6Y5;Tmihf$BR1$_-$T3&nRnr z-mK?MUq4uEs{T5suaaA+$~CSB3V;SoN^S={b1dpu>n?evBV|WA_dbUl-^TsWgRn!P zm#3=cc-LN<qWq#BamCR^q{}mCzO| z28QBIbMxpsZ(x{FE1RgTA07T&tm3uy&L?f75{cvGuGPFi)bS7&h&ou}q?a5JsRklF zg@~L8lgNfJ2}7w^42;3>aBEEyFSaI(sP8*CJYuS~5#c1TEoW_Dec^;*4m^Ye&^Qn_ z0(L8oK*nsfq%B6s=nXrWwBDWJzRuOxpJL?YOcO=~(P|DdPf$>hk_&j`3?3;td+(yD zBFg9^ELq`u3(F09$`t)ze^)OTR~L#E-P7HL?(gpHMX_}C4RrOTtkXjz1UYHyh_W&b znLX^l?J97)lBSH_+aZw;Y2t_|3d~L7H}`c9r2D&4Hu*B>Uhbi@STr)iOW;r-z&Mzx zu7!cIv*wE;!ar7G$n0jWK@?+GUq9E7*%km0Pi99}B8aNWs#U91e(pUl!i`cA$wVVh zPj@eGcRw087%)(^h)me(>qPgW(}WNKw1S%{OPesBd_6b$VLML-?J-wY? zcxIX6(9N6T{q-)G`wqtO!#CfbYX6eFGlR*&L)?&6MK5KSRgSFpT9N3P!tWnrYrn6P zL*j^xvs}@{=Ig>wiYlbVJjx|GrcJNLRDJQBcu_sHPuurt^0iK>NL;ZH*E;yrl7k$wqe^aU=Q0FIw2`0YhraLOIu z2vS^&lZh<1!RJ^c0Da7h^FlnCf6pY76ZQP>`4^KkcNxe)7Xfp2S^QKZ;P1U_uEL4# z=jXZ8MakO>ECHs_a;4utLAX#_ZWx}y;jkEd>YSA_I01y8Km>k{$1lRd->)!pR!X8) zBC4s%sR&C6P3|Cz?g+{L0xBVi7X=E8IdFyMj{W+w}D~Y9wZc5 zI)9JAETO;p1mZLc}TBip_!yh4` z{UW2Ik3rDo`GvqfD=zgR7#s%2gg=1N1$O|o|5y2sRcrZowWnA>v?Oz2|t2gAogBvbciM+YLf5`KE+KFVB>2rwHp8U&uR&P|JW(hxD-v1m!LAVsU zGAyT~F4|NRhRHqb(Wypn;(W=$PJFTNTaR3B14+ccim6teAnp5}?$xO)X*ixH7L1o> z-w5se11cacNvtsMr6mfSl&aa1R}cC-U66i{FJC4xiJSYpbG3QuB2v$AbB{fH{6|I% znRZGC5dW*FYSoth1MvrbxeBb#x1mR@w~Ty0tg6=Fslj%Uf|Dxk<6FhW?!5=Zm5gE4 zYL7YD(&^|nkW(OTwUMLIX)1I#DY^H6LB<~h)9juaA+54h zZ7KDX_>N8C5_?Soq&`}F9=%5JjdH7Th-es(x#zQ{R_m1&S>@zmRQVf#@;?LL=4e@% z^W#d3U^M4{ZvV6LTYR2Xej%uzV?P85N?sal&}H`*v`B?MS6iH5Sh}Au4v8)x>|t{w zk@ucaZ75E;ThQPwnBIOCqA2z?1&U-(boM(qtGdUWrt5OPDYf+A$RIv_8PTJ#HQ7P$ zqSAHPqtZcj@~KIyl*tU?lQNY@`)Cp__rMY-BY~Z=TU(YeI&^&^ViQN3i@zMrs!{PM z>Ub_#N9X^Fm{f>5ib=Fye-)ez;fjDf=OavP%3rw&DI{}!PAu<9$}ze_r-%6d1!IqR z{v4hE``knUSq7Fhh{#Lkm4LFro#95&^YaVvrF%KMQuM7T7T(_e^C^i64b4gBau7jI zBJv2=(C z(NPk~x-4O$zRX|HI2(*Sku`Hcb|r!)*EkSwq5mqr z{+-|aHvRcAKf0k^?v5S5X9&MMEh|FAd~$YCC||G)XC*K>zb1jz!NT-EOdV7e^Dm1F ztY)!a9yE?wTdz}*X_~!A^)emPxgIXnv$6)!xNxwEJqPIGj<*t6_Zw zRkucC`K>Nftfx>?WdjsSJrbpnF+S})i2pQ;m&5;A{dZ5WWYcPmB7 zP~F@&Hk>J1>vTjBYu8*}k@jqb#RbT@*RRN@!bna!(IqNn6<4;in^uuUq)kZr3eual zUA?s7qSQT}Ln~f(lms16$39cet2i4eVtmX@)8K5>^!^K9Q)1JrIk(?h^Bfm^gr7f5 z`P^gZqWy!sw5@S=R&E(fc4uit`ZOh9*4G?)H+Erj>*Fw|Zf}x*Z$b0;y=cx5^P>q# zLYhZy<%ZPc$ya3ez4{UgKGoni0ucNfq^k|UU+cg&Un&!>2A35Cwz(t^0dB{H3qe&L z5}9%VB&olfL?Lcv1bjfL0I8y>f{!RW#1HX7jKHTHUV#gX5y3+^exs3+7@>QCgwqe( zbQRq+eRjTm&-y*uub+t#&@T+Byx*(T5kw7qLfQS!Q%=;B6+SZ+)-GY&l}f$JbtYJA zCGWWz;Zz-ovv!d(9OUHut1n0t@rBxoui>3cip$v5dECpoOg z4GKJBjN{G=I&5I+)7NvB{Ymdp%EUMlKus~QuC$abz-#{<{r9pf?gw}?6NP`xLa zvyN(Vh3~EE)RVKJPecVCBxdY!B2Wz-#_IX$OT4yTvhmlj5kFWw)#^5&(kL)`-t~P- zu+_N0?Suw~B-sVWZyWtWhh7&TvoXBE@KU9?ZBJf=rR|=2>f|!@eyQ7CA{Tl+#oL~r zT^xS@=4C~$7#*l^X{P8QwM&QhXks=U&HA)~4S(7($EG9*Ho`)JdN`X!;X7DY zImewg!r@Y9+YgjIX5d#XT@m1w_U7zOj#xr^VK-G~Vwp9+|Jp}RhhK-q?bs0-rl>Ri zm1R1yc*~#+&@f2OQmxRuOUAi&f02J#vFP!Q^egD}@-l^}@I83$pY|bN@;Z`w+ zBKXfJPO~VvzoJ-!zXp;KE?fQ$3fDM_vPqF@q=;ym?R6z~V5U14^s7%~89{8~NSjDdq(4K5kUx+_iH zXD)qO@WM7*X24}LzV|0o1az`hrmQF1&T}je3fmjRb%%tJIVLhZkbYkMrZB}Z{YlHj zX?`$cFpSQdJTPbW@cE)9v!hmzwO(Y(*Rs{H#kgpc=BjdGokhYfq~~4dAL!gNQb`cl zl$*N z2D+JXQEygr;bg6hkMD+#?zgJNK9PwMI5B%2ybyONJS{*KX(a zyglBE)0D4HDYWm%hvnms#OtdzT(>>FJ;%3%9Ez8|x{;&lx{WWT=VoK6a?J-+cjVrS{Gk4PG{)sC+EHwq$YowN2x57}kAGVs}` ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log + +@load protocols/ssl/validate-sct.bro + +module SSL; + +event ssl_established(c: connection) + { + print c$ssl$ct_proofs; + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + local log = SSL::ct_logs[proof$logid]; + print log$description, proof$valid; + } + } From aec62aeee9c8a61251ea56b6d73ca0b523ff5d81 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 21 Mar 2017 19:10:53 -0700 Subject: [PATCH 208/288] SCT: Add caching support for validation --- scripts/policy/protocols/ssl/validate-sct.bro | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 1d3db58494..e28b89de88 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -40,6 +40,9 @@ export { } +global recently_validated_scts: table[string] of bool = table() + &read_expire=5mins &redef; + redef record SSL::Info += { ct_proofs: vector of SctInfo &default=vector(); }; @@ -91,6 +94,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 return; local cert = c$ssl$cert_chain[0]$x509$handle; + local certhash = c$ssl$cert_chain[0]$sha1; local issuer_name_hash = x509_issuer_name_hash(cert, 4); local valid_proofs = 0; local invalid_proofs = 0; @@ -110,12 +114,20 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local log = SSL::ct_logs[proof$logid]; local valid = F; + local found_cache = F; - if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + if ( validate_hash in recently_validated_scts ) + { + valid = recently_validated_scts[validate_hash]; + found_cache = T; + } + + if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); } - else + else if ( found_cache == F ) { # X.509 proof. Here things get awkward because we need information about # the issuer cert... and we need to try a few times, because we have to see if we got @@ -155,7 +167,11 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 } } + if ( ! found_cache ) + recently_validated_scts[validate_hash] = valid; + proof$valid = valid; + if ( valid ) { ++valid_proofs; From b8e81029f87c858a79b86f85e879e54abebc4347 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 27 Mar 2017 20:13:12 +0000 Subject: [PATCH 209/288] TLS-SCT: compile on old versions of OpenSSL (1.0.1...) --- src/file_analysis/analyzer/x509/functions.bif | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 83e73e5d46..80fc3bb9af 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -600,14 +600,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); - #ifdef NID_ct_precert_scts +#ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) { reporter->Error("NID_ct_precert_scts not found"); return new Val(0, TYPE_BOOL); } - #else +#else int num_ext = X509_get_ext_count(x); int pos = -1; for ( int k = 0; k < num_ext; ++k ) @@ -622,9 +622,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa break; } } - #endif +#endif X509_EXTENSION_free(X509_delete_ext(x, pos)); +#ifdef NID_ct_precert_scts assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); +#endif } unsigned char *cert_out = nullptr; @@ -684,7 +686,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa goto sct_verify_err; } +#ifdef NID_ct_precert_scts success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); +#else + // older versions of OpenSSL use a non-const-char *sigh* + // I don't think they actually manipulate the value though. + // todo - this needs a cmake test + success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); +#endif EVP_MD_CTX_destroy(mdctx); return new Val(success, TYPE_BOOL); From d531a5405ae932425fef157aed0a544a08e986b0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 29 Mar 2017 12:40:14 -0700 Subject: [PATCH 210/288] SSL: Fix type of ssl validation result --- scripts/policy/protocols/ssl/validate-certs.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 4c100ac413..c50da10380 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -21,7 +21,7 @@ export { validation_status: string &log &optional; ## Result of certificate validation for this connection, given ## as OpenSSL validation code. - validation_code: count &optional; + validation_code: int &optional; ## Ordered chain of validated certificate, if validation succeeded. valid_chain: vector of opaque of x509 &optional; }; From 04478acb596adb7824885440f99365b04c9b402e Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Wed, 8 Feb 2017 17:25:51 -0500 Subject: [PATCH 211/288] Fix NFS protocol parser. --- src/analyzer/protocol/rpc/NFS.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 8a2620e2e5..a8434afb74 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -250,8 +250,8 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, analyzer->ConnectionEvent(event, vl); } - - Unref(reply); + else + Unref(reply); return 1; } @@ -646,7 +646,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) + : RPC_Analyzer("NFS", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } From e69bb37cc79a684a8c66f1fef1b7376e2e973380 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Tue, 14 Feb 2017 10:23:34 -0500 Subject: [PATCH 212/288] Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName and AuxGIDs --- scripts/base/init-bare.bro | 10 ++++++++++ src/analyzer/protocol/rpc/NFS.cc | 10 ++++++++++ src/analyzer/protocol/rpc/RPC.cc | 14 +++++++++++++- src/analyzer/protocol/rpc/RPC.h | 11 ++++++++++- 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b5bf5d298d..42f75f250c 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2142,6 +2142,16 @@ export { rep_dur: interval; ## The length in bytes of the reply. rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; }; ## NFS file attributes. Field names are based on RFC 1813. diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index a8434afb74..c4ab307364 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include +#include #include "bro-config.h" @@ -288,6 +289,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s // These are the first parameters for each nfs_* event ... val_list *vl = new val_list; vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + for (size_t i = 0; i < c->AuxGIDs().size(); ++i) { + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); + } RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); @@ -298,6 +303,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s info->Assign(5, new Val(rep_start_time, TYPE_TIME)); info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); vl->append(info); return vl; diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index aff6bfefc0..8f1952587e 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar prog = extract_XDR_uint32(buf, n); vers = extract_XDR_uint32(buf, n); proc = extract_XDR_uint32(buf, n); - cred_flavor = skip_XDR_opaque_auth(buf, n); + cred_flavor = extract_XDR_uint32(buf, n); + int cred_opaque_n, machinename_n; + const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + for (u_int i=0 ; i& AuxGIDs() const { return auxgids; } double StartTime() const { return start_time; } void SetStartTime(double t) { start_time = t; } @@ -78,8 +83,12 @@ public: protected: uint32 xid, rpc_version, prog, vers, proc; - uint32 cred_flavor, verf_flavor; + uint32 cred_flavor, stamp; + uint32 uid, gid; + std::vector auxgids; + uint32 verf_flavor; u_char* call_buf; // copy of original call buffer + std::string machinename; double start_time; double last_time; int rpc_len; // size of the full RPC call, incl. xid and msg_type From 1ee9610b772087aaea17b1ea5bc825005079395c Mon Sep 17 00:00:00 2001 From: Roberto Del Valle Rodriguez Date: Tue, 28 Feb 2017 16:49:35 -0500 Subject: [PATCH 213/288] Added rename event to rpc/nfs protocol analyzer. This event identifies and reports information about nfs/rpc calls and replies of the type rename. --- scripts/base/init-bare.bro | 20 +++++++++++++++++ src/analyzer/protocol/rpc/NFS.cc | 33 ++++++++++++++++++++++++++++ src/analyzer/protocol/rpc/NFS.h | 2 ++ src/analyzer/protocol/rpc/events.bif | 28 +++++++++++++++++++++++ src/types.bif | 4 +++- 5 files changed, 86 insertions(+), 1 deletion(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 42f75f250c..12d1914c90 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2182,6 +2182,16 @@ export { fname: string; ##< The name of the file we are interested in. }; + ## NFS *rename* arguments. + ## + ## .. bro:see:: nfs_proc_rename + type renameopargs_t : record { + src_dirfh : string; + src_fname : string; + dst_dirfh : string; + dst_fname : string; + }; + ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. @@ -2274,6 +2284,16 @@ export { dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. }; + ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. + ## + ## .. bro:see:: nfs_rename + type renameobj_reply_t: record { + src_dir_pre_attr: wcc_attr_t; + src_dir_post_attr: fattr_t; + dst_dir_pre_attr: wcc_attr_t; + dst_dir_post_attr: fattr_t; + }; + ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## ## .. bro:see:: nfs_proc_readdir diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index c4ab307364..e4c21f6cfb 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -69,6 +69,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_diropargs(buf, n); break; + case BifEnum::NFS3::PROC_RENAME: + callarg = nfs3_renameopargs(buf, n); + break; + case BifEnum::NFS3::PROC_READDIR: callarg = nfs3_readdirargs(false, buf, n); break; @@ -197,6 +201,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_rmdir; break; + case BifEnum::NFS3::PROC_RENAME: + reply = nfs3_renameobj_reply(buf, n); + event = nfs_proc_rename; + break; + case BifEnum::NFS3::PROC_READDIR: reply = nfs3_readdir_reply(false, buf, n, nfs_status); event = nfs_proc_readdir; @@ -384,6 +393,17 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } +RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) + { + RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t); + + renameopargs->Assign(0, nfs3_fh(buf, n)); + renameopargs->Assign(1, nfs3_filename(buf, n)); + renameopargs->Assign(2, nfs3_fh(buf, n)); + renameopargs->Assign(3, nfs3_filename(buf, n)); + + return renameopargs; + } RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) { @@ -568,6 +588,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) return rep; } +RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) + { + RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t); + + // wcc_data + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + rep->Assign(2, nfs3_pre_op_attr(buf, n)); + rep->Assign(3, nfs3_post_op_attr(buf, n)); + + return rep; + } + RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) { RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t); diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index ba6cab38e2..85fb10ab49 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -37,6 +37,7 @@ protected: EnumVal* nfs3_ftype(const u_char*& buf, int& n); RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n); RecordVal* nfs3_diropargs(const u_char*&buf, int &n); + RecordVal* nfs3_renameopargs(const u_char*&buf, int &n); StringVal* nfs3_filename(const u_char*& buf, int& n); StringVal* nfs3_nfspath(const u_char*& buf, int& n) { @@ -54,6 +55,7 @@ protected: RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n); + RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n); StringVal* nfs3_post_op_fh(const u_char*& buf, int& n); RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index fc42aac6a6..881faface1 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -274,6 +274,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## register a port for it or add a DPD payload signature. event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *rename*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write +## nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. diff --git a/src/types.bif b/src/types.bif index 500c8c9851..20995ef105 100644 --- a/src/types.bif +++ b/src/types.bif @@ -30,7 +30,7 @@ enum proc_t %{ # NFSv3 procedures PROC_MKNOD = 11, # not implemented PROC_REMOVE = 12, # done PROC_RMDIR = 13, # done - PROC_RENAME = 14, # not implemented + PROC_RENAME = 14, # done PROC_LINK = 15, # not implemented PROC_READDIR = 16, # done PROC_READDIRPLUS = 17, # done @@ -101,6 +101,7 @@ enum createmode_t %{ type info_t: record; type fattr_t: record; type diropargs_t: record; +type renameopargs_t: record; type lookup_reply_t: record; type readargs_t: record; type read_reply_t: record; @@ -110,6 +111,7 @@ type wcc_attr_t: record; type write_reply_t: record; type newobj_reply_t: record; type delobj_reply_t: record; +type renameobj_reply_t: record; type readdirargs_t: record; type direntry_t: record; type direntry_vec_t: vector; From 0cd0ffed13746e80ced2fe01085a096368f08b22 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 5 Apr 2017 08:58:08 -0700 Subject: [PATCH 214/288] SSL: update dpd signature for TLS1.3 The dpd signature missed a few cases that are used for TLS 1.3, especially when draft versions (which are all that we are seeing at the moment) are being negotiated. This fix mostly allows draft versions in the server hello (identified by 7F[version]; since we do not know how many drafts there will be, we are currently allowing a rather safe upper limit. --- scripts/base/protocols/ssl/dpd.sig | 4 ++-- .../scripts.base.protocols.ssl.dpd/.stdout | 3 +++ .../Traces/tls/tls-13draft19-early-data.pcap | Bin 0 -> 15980 bytes .../btest/scripts/base/protocols/ssl/dpd.test | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Traces/tls/tls-13draft19-early-data.pcap diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig index 2ebe1cc634..1b8cad2f76 100644 --- a/scripts/base/protocols/ssl/dpd.sig +++ b/scripts/base/protocols/ssl/dpd.sig @@ -1,7 +1,7 @@ signature dpd_ssl_server { ip-proto == tcp # Server hello. - payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/ + payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/ requires-reverse-signature dpd_ssl_client enable "ssl" tcp-state responder @@ -10,7 +10,7 @@ signature dpd_ssl_server { signature dpd_ssl_client { ip-proto == tcp # Client hello. - payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/ + payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/ tcp-state originator } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout index 7b2d255900..bbdfb4a3a6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout @@ -8,3 +8,6 @@ Start test run Client hello, 10.0.0.80, 68.233.76.12, 771 Start test run Client hello, 192.168.6.217, 67.207.128.99, 771 +Start test run +Client hello, 192.168.6.240, 139.162.123.134, 771 +Client hello, 192.168.6.240, 139.162.123.134, 771 diff --git a/testing/btest/Traces/tls/tls-13draft19-early-data.pcap b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap new file mode 100644 index 0000000000000000000000000000000000000000..042ca6aaf6d58481aa84ac84e2a8f71332c3a5bf GIT binary patch literal 15980 zcmch-Wl)_<(5}7E;O_1a+}$O(1a}Ya?(QCfyK5j2LXhCDf#484KyY_GYh}OL=S{Nr zK7YRYpr#7ydFtwWx_kA^^qQ&e_xa!eNWlO7fdqg7|9OM9skyn02v7k24H^Kdi0`pM z9xR=GLR~Nb2>?J?2tpVj3{8LDQ3ib+UEm$|w89?z1nH0gdbtMt>1pl(004)C`Tzz2 z0R;vI14qC-1`m1$2@U`x0qKd~_b(ei==?wf07huvI}jOU0mxpdXE7rH zTFA^pb0m2k`4=4$90m>*v3VCn2U>atA};{RqChHW{GpruTp6U>z2-OFnLs*W0165w zNgDw0KYFV{WDt>%6%4=$bPH(wP6VTAAqEkvkN%N}gMt}Q_&2czM8tvs0~`TKdk_#D z=ZbTl!TxF+3?;=V7b;j-1VWiY}r$>82R1rhR7 z7Oebyq3MWBh=7eS$cxl95P!$zkBGA`fq^2P5B6Kc37;Sx;{#9tdyE}_c@Y)y69F*V zH6Ws23j|;n3h-n6PJ~)q0tXQ@HUEv+S@JiL5JUvUMHw8J@BZi>;K70PO%o^At4WSA zV3fYAC$n~AunroL=SB-*LzB_y;J~TV{55rkkTfRZao0MX&1I(pQ|c zG0xZ$uoRO9uXjA?LH~xHD)ee^J(YBv#C0y!bcZXu6IxPm|?H!2IpQ|wPA8wQ&)OmmHyU~)MX7fhcbDXv5=VKwP ziO!y+Xt0wrYrzm#fwd&dN3*e5e3-%;=?W$=hx?fBI(k|WkE8_WFM9hN!mj#?Sh+t| zB1`f-b-5DSW^fm^@cg%JLU9y?~s0jWl1KK^@ydBB+CGqK6>pfI+` ziz^L9*u1d%hgMB5w#`<9apG6H``>eUtR|u?^6VZ?jc*CEoo}R}KUl0VHEC?e_|qG$ zGNGv=ZMoA23v8}z=SC+*eov2haDP3d0`bJ4_MH~7kjawu&V*WcwbXXMnks9cr9lc1 zN1;(5s9B=4L)XlrSu*`eUJEYHmbx(=k`X~B^IC13m%^Vytkl)a$)=H$F56XNV4RPR z;63;kfOkSFZG*DyW9$|OyD9EX*+~hOY=$e}psmmIhqlv}9ivNxq=Cit^=+?ozN-Y` zLDfQqrlUn+2IuzA#+C!3d8Kup33G*8_?*Ym=Y_zJXGjd+*{p`ZU@>E`U^F#PQag>@Pa*kG!0Y zlW*u!(9K)RQap>(_Oii9Wz@-?B-ng++1*I|k~Fx(vuRXI#>cCf^FH%8}ad?o$kRGHU4^Q#%AOs!e+nOHW)#guQK&9}p$iyY@2-bRz>3!$ofR z7CFP=-L%i!Qv-R0I>fbjm9nATaL2J8zCe!Y(1tR1+Tf7Y@3P9(XwCV#_Df+iOvY!Q zGD$jQG)J68Ini}}zTL{;WuIdWki5?s-winOjFI%cUHJyZf7&(&e#Ssx_-qEHu`~p2 z$0%cyma+D7lc>f!$RIBEmyNQX9xm;Q15*VKT`rl@s&GzGKkDg26);BZ^bMHGo##K$s z^xbbM+hxrIxJ1@upUy)ri(1E(jOV0gx8D;Ea(!wyLWf?0xhgt(S7FVW2_GrYyKU5W zh^S#rCrB>k57?MC=*0uK_nf7Uivm^t!2hoN5I-uv#;=v%y7%W=G9&nFTbIa#nq};CG;~r#Ybr&_&XBcsL)2Bu<4NXS&1cGQ znGZ(D^t=U)XTP8(6~{Il_q=o!xzplOHtatYO7u2Xd;Ne=-CI)Ksh+nElM`6ZkgoY^ z!v7ZUGELGXIX-;ehMa{EYy^3MEi680B%h7go!Q8qz0$55;?<~VN7-V-1y}om>_uI6 z|70{Gr+to~AADt2`=#T-B?Wh7t*)RX*-B0Zq8HqDo{SdjGJ%G8-opV)FO6Swtvp#_ ztUqNctb9Y^_GjP6yxJ(?!{K(QVVr*Fa0zLJf@Gg{Mf-GEy(VH-8TadmuD9OZxfa6; zW5*#*oYMg4WSx}T&!4m!609nGP-{Y(|b79AD^=PTJE*uX3C5^8XA)7l2pchgg&-^V!Vpe8;G%tUTYG(bDvxw7{&j_X1^1qV!~>zh5A?a5?_gDI z17_R=YA{=^72jW*<=jP&FXwD~1TNJ{L!=L_pI&o7(MGp8(rS!6fxqA$BVlzg#@ z6SrY_HSWTVW*Aa>J$qRHJYanozQRXk9x?#n@!HeT;VAovK=abjm@mRAUI*+%eBHXj z8YdKjAU>dKU1USXrH{!`GJ~A-6RyI!2M%uF$x07vsDriMSdYUtHGPlCw!l!V zeYf~!S5;?Sv+B?lMYvb|)u5p>EhW7jnc+lxidW;p38TdfHkRZvIL?cGuLImdCU;1P=`Ph@#rSsRhRW7+=aib05ZuA7B)m3puQQT{ZN1 z0X2nJZ*zUGrk&ae@vMFn1-$ve!VH(?{L>Br(LVOa)LUesL`CfYM?5t6SvCb^gE324 zJtD3bLI^O>xjRmJgIDucqgqmjOMBu(D-L~tUBcH>#2ed|3Cw$Vb%k|T?~Zz#VE1l( z++f-oF)kg1o6#>Y^d6uX zF3Le1@mLy4&&%$RW%VF6td4dw%U_AVB&wEL7AXgtLEv*?Y);Cb-<-dr6w^Dz)lJK} zIiB9mK(>O6E0%O5TapJH!YkhqCr4Qj!wxR8^$B?bw})W3I-ekyc@A~-6_owH-VubQ zXw|v&Aka;RmiWjc7nr7rV2;>W4`s-Y;-F3dNY5`G`|y=vTyoQ{9X=B%xoARpBqKpKz)MMpunqti>CTzMb@z%;*P1u_<}5y15z1V zzAh_Xrb5*aubLrXV#%BOEXVId#@Ut!a{jt;GYOhc2NTSQcPaDi=&em?Z&Dp}-T2%{ zR{5ax({nyD#?Tj?&mc3oGQ%;FxoCPR9noL18S`oTE}eK?fw}Qr=bWVF2!EX%`-sXA z15x=jWoUt{WD@xK5P55NU)AdSUgd0D-%2+!35o8v2mupH1V?BM?6n|6WKiYr09O8g zKi%DTgU(|1LcgBH9OLU*9Bl(okUyc{{yd9~s{v0Egdk#TD+B;^Yz2+qPZ5BaB}mX( zl2`KUTHwfuB9}Y z2;jn7Oui+VI5)0DV6;4QLeC0iXzv%Jwkk6k8o&yBU0lD%LoZoe^llVRQzP!0G2CDY zDF>u<8mRQ&=PtwnnmhgHf0%nOaPE!h#edEn=L-ZN1~_lf`2A!H@Ow}K5$!Dgk%)r= zaHap7s0H%okJ(~us!qUn%gp3Fs&bWYp<`N6r38E<<4$ulH34VHKRg}HWiS*n zHW3r$Ev!A*$8-p;U#{~>+3F=2&h<}R< zXpNr_0LEoU_3yYS5-^WzfwawkxZv`&Y|#Q6x`KZQD5>f}Eqn2yhf&2^{W$)C7tK$! z?o1F$a{6}HrC;jYb%SRBqgBKO3Kr?^Vraltkv+uj3rAB{w?>l$*kaeR#36*0u6(I9 zJt=uPSxtlBjLn4ZE8R+*Ij^nn7w8`o&9X7f3G7`m^Lcim1C-d-%~V3|QE2&dme-h- zpY$QGl3Bp|eG1jxmfao3O4Jl&;UtIKNR3B#SNB|(%ySsgqaHpHQ)sc!t706pnN)xB z>pco(`}jh+kg^W5$aZ9>N;9;wz<`k2P9WkoQwHR(VxYhNJv*YNL9tw8_$`+6^(;<> z!0fm|HTgT1_rO>xCIg8D!~lRcFfl;mkL-}^MgbAa7XFb4%nr5EpTtQ?5D^psbc%q| z2EFa&WaTF6wVo8NSXEqSkfj}C4Xp-d=kENX!bG_f@Re|6_|lNta=1l zdJVM133L!>{NW{GpMqXi0yf_GdI10sMQ|4CZx8&TmwoBk552$j!<;_- z(2EM#BSiUCFNmlOB>uZD=5HWfeDwb>T^H@o{!16k4_&vv`SEXE1eJg5N(1>3q)WEr z*?;H~s{`qx(fu!7X+R2VP~{_Cc1F{kM1NBw9o&J#;SVSVGYp2D5yKRa`eBulO0L~%&S|V?j(rZ2PFS{rhkbB z>CSNfP4_5}UJL3@+T;Dq^tCsrh#g8G;+X*);5kq?X#Adk;P|s}AmSU;evX)7DuOar~bB!)UzW80H3Zq?xF>P+b3GApB z!C+-jhpW`4G_QUk7z-u;>pH*Hqk@2|+T@uII7{u*$R};WN(_OafM=wp&~1GQNr@_B zu5pP5OoPW#XXCefAE{IgY&ifd%!@J<06DbqL>_mESEj9(!|afj4jjqrnnOCW9==sl zTGf>YUUfsV0(r0!%5brY8=%C|enR*=75^+bjKJ*#6STtT|Mk%ZC3!6oQ}+i@L)Pc- z64?<#z`XVbM9c;f1Ax8+jo(ud;6yPAO2rqazougMhabreOhtkJX~+^VuL}W_I|Nj8 zdC1QFd#bOSv?Sjk`!m=0TaR84si7lS19!_)rz7-R2#?x)z3x)(TRpwZuSi2=3G4i%VrKqzRk_&Q@W3gg5ghw}t6hE!FIW)VG2E+VQvcg@qQ zpyv{fR$7IR8hvmqLZKo&*3T%I=ZcEixd|5!)$2wTHDKK}h--E0^^>lOIjA^Um$Tf9 z+p=&2vrCHIW)(h8*Y`f^%)zSsOy86fim`p#`+nu_kuoyr5JvQ}}qLfI^F>ucd0CYeyxgU}U+em;w0 z9&P`ZN$5NN;&_5vRINb1K>G;{a{w*FY(72fMY^mYulXj&h1!fV)vjgK0HUkReSnyz zLkI{^T%1K@HqnHm2+k0GQ40#Y%l#rGwpN+&*3|3L^(2-9r zDv*1)WN`h6sbpVlqCzugSuJyJh~MAvG-gk}Gbc~Ru%BKybuzs6izcc+<0Ssv9-3Ns z7_JgOtNSfQ4~oudZmP52&1YXT5xr~+E(Al`<{)g{u3x&k%3pkzF8rwBOVsk^|3qF36kyb-fVVDk)NS5SsJ9ZBK`b zOPd^q;L`%~YF@Q0V7A_uQ$J-lR1RA5aDi$snCXAkUhW^YH~-h#dtUIf_GVE0L+#y4 zlEa{;A?~{2jCz}*Bese-Lc`UA#`0Rmb@+QWrUETP5Wqd1aEX9* z7ACphH!h`7MSY4rL7U!k;u?xq|A;EPz^J+M{qA`)-3srT;GOqb@A6u;|YBv3jQ7q!@v8o6u5E6)D#;eNN zRtumJPRU$Mne9j5(S)IG4&cWwOzfs!&I&rJpxX{2X_^SFy&!w58x?o&kWxspDY_iN z*5$0nkUt#9L%$iub?m?ut?N8z)k@8|==i=@RM_#td1!oBw~)5Sbd-ua)SGNaXKCQP z770VQbEWFd0hh0D(v+KG*;wgFTDAoqIO?m!xbk^ESK^t{FlF=arFW8-!-JJToJtAFSk_34{uEv zhCyAn8VQ@WU*k*?V3!<3yOVukGN)dgJNa&#<3}X}1*eNoet`WBPCDV3nJKe3)cQ*_b`+ z#A^jUO~PO}Z@Tf87zWV6?;K2DIG95>vy;SaU`P{930^jQDKL-ln3}}nbuTr|FN8~R za-1*hn?dxP&|1;Sl;3*tK;@uF=XPW-*m%^7;`2zim82-SMd0D8tF4^gKk!>5XL>Ph zEUi-522N1rfSJ;At3#2*<2JJ^ocd6w>qM(nnaJT19Y=mh5U`8XFe825J^gk2-X*nR zo+9vT;xUR@Y1s6AYp$&MN*<&~v|GJ_LyNCoZ%OGlv_f$V+|TAtF9y+IMCL@}J_>TJ zgjOuD_$k)4YQ$2!jfIFaI=~X00rY}+})I!a!!^rS`YDirF*2}Fc(dG zoN75SACmjIQEH|l#mqu$SP(?}rs)PV6ckwSM`FeMxmDEWEI$>7Uj1Hz9f4OfNn?9T ztt+_S)4+8f!b8=C4_^zpS{_entTy<6w~Y)S<-kVqh^DvAaedeePMf znyS3rPTzec?iohGJVf|HSB6zdI`fT+5C`)3!8qCviLBFcXex4|?Zs{=M5iyiC)G;< zwI`#>CIwCE>j#oi~ljm(zxiJk;XpG3_|o9DYL-OUYT){HAsB#sZL!HAf^9Dv2j7q?>R0 z43d`EbrF*njJX>*dX+zGBEMdA&XCsxRC^VGwHJ79`7!?3NvDCkgLcxEG=J`-&kF)@ zkhfxit+l^y8?EmHchZfZT|TB9FTbx7LW9tEtd$hbo!)D#z)zkvKlcBUiP2&KZ@DhP z;FyvdS7ki$66lq#>XDL%DxspHB2=W=$r{Yu&8eOG78 z28UP-_a+)V*@FbQl~#yk{m~89=!q5cx(yibUv0af>Q6__^BMD&^y?+VfW4p4ou`eY zJ_^WzVJlApuU~PuAOeTDK+P93(GXQ_(#D6YxaEE+G6eppwb|eh-){9bGl{Jwbml3e zxtN^y;`%!lvdc5ep|M+D1qEV4Mb*x=8T3)gM#Z>crQw@yZ}n~;i)GQWFG#&Kc0!ER zg6vBgU8}Dr>ug@C`LDTsjrccf+cj#XL`hOmw1r)apDZ;q={m9KzppIs z`}V?WHb0k<h&CBfynU zx9t1pg#{lvGnSD&Ys`aIUxJz1w={}U0$!xu#}SOxV6G%tsNJs~WMpL{I!8PgbRIm`aEX#2;iwuzYQxM_YHa9{vbWiRQo(hzso5a6 z)%Mb)Q#kru%u1t6vs%lVGs)vFTrDC^_}xcI79ll&d z!~3H6amLImYvBQ#MVf>iO#l3dfKbEaHPm288l3>%N`y`D{rz3fj7O~2I^QjLL(CTJ zR77=%#A$|&Zp)_}+yoO{_&UKf?@Q+Z&G46l_iwy%n%qTip6VCm5GcNgYMTyjD!s`2L4=Btg?44lJ>SodMMmw0uJST$&5metF;)|Y|XBIQE) z5%s`DIxL>V4^W&qP8;~f*ye9KAr$RxX||4izgL1|6%N_Vz9oZ(uks+>SsQ^1L(T+v zhF8GGRuP}&A(ndH;%nVnda1uzHAAVkV->@H6s}yF%&PIZmQp#WhsH8ibnxs@y0yNr z@Hr%}EPw5i<7$9Gt7MzIqd&)9O8E5)Av}JDPHAc5lG(cxc1bl~!SrPqk#|C8z5D49 z&il--i1c>fT0dMxUtZ@8j-smkGJV_s4;k-xvT`p+tUrgXRm{5@9clqUfv(IH}}`t`*``Y z_Uc*vL+vFl4`?bAVFL^D&L=&xq1*0J^enK1j8TTTV5^K8SLsGr={%;fy-bNt=ll$o zZB4a|9rbZggfqZu8z*!BowCi$jjD$70lsAYsr<>aXAH}NDMLbjA#YWOn(-?xE1`UO z#J2KYnliDVF;REDUf`xGdb7&?Ri==#+Q^b!j*p{2!yO*`P0f{aC0&9Ng7`~$QC1(5 z)GHbOBxfJJc_CfiNvi#BrfxlA#;LuY88NMHGOP=Uc%wMS$rR$+xc z$1oI9>RQUtZxK2j59#$rnM$`^p6gCaEILXE5|fDV&D?5%Zd!OSWPz&iw&FLNC(YFy zAfGqA#E)Re3g(*17zi1%e#X*a{e+I(seTgH$sjd2veS0MG2InFv{}g<^Yu_k?=~&s zH1Eq=>-nx2oK!dD2;1_kb)c4+U=XQ&obj%SuoA2_j$~@RQZkKAQu_P!`j&Uh_+bKt zC8Z(6DxcFu6dHK7n6nmpPLy}B-V3|~XlV2994VTE;i>0<=iA!uA#%%qgS;*?N6Q?6 z=f>)EKG8CZF%GZp+JFmn9&=`If2a3k^Vtx$ACYTsvTXP$14ANysxS7l(i3BG{UVgW zo#{42dz3zJu$WhN4~|8!ciI;L;BOKswS0ull%BfNOchFX zbJ6ZYMuO3gv@57&z$srmjG8KJi(U5okt>V{C{z!>&*$ApC1Hh1d#M$XVB05|K~?c3bwW_YAtm&N zqBFJ}auV}Jb>VnzQ`ECr|EV<%$H{Tmr=#;skZ>4QKoAroS6sS

#EMdK(4TiwOMknXRs%8?-Rk>Kq0 z%)MklfBAH77gKaxHU2I6C3g@y{>xg|vy8S#xn&o;E&5y?5A=FDZRsUyw-LE12SKmQ zQ_3rqU^IAmbm`7nJ?K#Hr2)Pp-K$Or0S0O8OboBARBqDN z(VQt=Qr&FckFN!`p`jNv4~(pD2h)iFEEPsfXiLJ%X?@9_ulWxqAjmqAuaajq31LQE zS%18KTY!1qK1;iqpmEUPoGy>A&YW~1sEB9N>}YvY(n~JJ1aG$=KgC1e`n1`sy&?+(=xflP>t3v>+MRVL~P482ZTC?nX;;SyXTnS zsEnRlGkZlWk4nGfnS#bTJ#VDyr1AyZx)aRYnc$<@a6J!DB(HexF>rsxePAytOO?J5 zR2vY5DWNM4HKgA}TR!7oo{jlhH1uxY>zkq2Ck@oLXP0CQn^iuCNW$<;2BmBHuYAAq zU2X6$BoRfs1wS}@P_iDr(17-A7tug?)g#4s@#3WPRRNc>(Jno+jDBn8-tBj@)|t8t zm5}0VL#&xK{w1(>cgjc}gy-NbH8T9l%=`6k`58y6w6nz!x_SKA!V7NBUq5wu6dxon z-R;YhS-?<}Ka(GSPkwt@@}i6AN-5KFR4|bO<@zhz2|R=!Mbw7t>G1yD=F&qY6}V26 z{Znt;dhfZ@8@L;)7atDgqZQQ1XlsplUXzFJ4e{7To^(cIX;o=4Vuh`k<)+;)?bnzQ0^=j@ME0rqE2g>Rl>Nx5vnv z%o%OYdJ6G=+jB&vWLp)U5xUpxNVw2Dms95HZ=jh_cT)ONq9ces+{eiJ!T>Z>;2Y71 zxGGm8w*;OKID2e^hcsgkm7N-!0TWD9SYbE|zFy&kpR^+x)Vy-$u)W%;K* zMD(T4Fd0=+q6xQ4lXcH4rtmKco%DG$ob!#g@`55db>_w_p)TE*c=~pt?Ks}VB1=<# z)YyvNQHGv#q@*+3AR2cTvZ)p5`EqWoVuOqj3|?FC@@%E%Y4suR+7fdxJFjsKZ*f3z zVW@(uCEu^IJH6A+^DB6g7xfa)$lGv_`a#%xcuS=y&raz3ClApc*zy?Br@VNwqv!9d zJha$lUf?qY&d$@J={Qd*MNK1;QnYD?-TUSsT}KQgvN6BMVd-b8L$?r2mf!uR8oYi` zwGMxW!?iQ-9HWSS+v|md0+UE{4R~8fzq>|~Ud(!fGgQNN^g(=G~sjX}>&{ZRi&HnW*oq zTR!23=tt;-x~L{yy!_VifXjwwnqz)RK2_4$PUtV{;0(&e`~AK@bR&i&ZFsE0s06HI zp~1JBR=@Y#froX>kuD`TCRadeyuvloF_O0?Q^gqm>F9$5i~^2+ z7o%_@8heN$0}~xFvauiC?aPU#qAXL|l_I%g3z@AhMspeDAe$;TJFW0!UdV$XubX9!_g{r948U>{R2HwAz?_8<=M4s z{+KB&_Cj4PJ48MSjIoL20P1{2zCp!gGrh{rbP1erHu`$fw{M;(5;DX^S$LP8Ni{(- zacu_Z>eJW_v&Tp)OKp4|iMeUf*cnjQ%>h6qPC`)6hjNmXp9^f&MypzTS2uK?iBzK1pMw4G=Bfi5!{85A5?qg z!hfy3urfbuZwIge0_weh`Y!+Tog+A3{?UboQ_mJZa_12g8F+~M=Fw_1)E%D<%P!2! zq&5ce8>O$JP_E>=Lg4Y5g3NDgE~!h|2PUi=JnWCLQ*YkTN8h8eGm18okf}!4$_kB# zi>2mEzcCHL&Gw+gN*@)T?2A=Kw1Z71TC_73Cts}3T-cCZE#1wL^re4;`TB@58=Mu@ zux}rGpJjsXt4`CbL5Xt6H`@nZOk2eX1n43Lp%FFN3p`jh@;;w#-FK7~_sm;o_>JFe z8sIR97^DJ*m#cZvg5rYCxvAZU!|>6$FY!npp;76bJ_$VUaE^midOs|kRL%evKPL!{ z-oV*IJ0SplB%Z#36Vpq-Dxsb)Q3y86*3=Qn(Ggr%yoJjgyCpkrXt9J0;ijv3>Sgn; zj<$nOz(TpX@E+{_II)9>M2z&Zit<#aTntt#8=;)|p}4QM@MU~xAuow>s#W6j1E>#E&8CUWACrCq`h9>qR1hoV(et_%L;ghhU&w=I>g+%`1TPw7I1 zaZHKGvnQ}WE%<)XW34`}BN0#3KPotSi2#(5=)jEp_r4keHK?y`{>VlgNz# z@gKKI83jPKLVo+#S^*zL#MGk>x(`UY^A{0VEA~Or0d-^N-?(QxiJzS17FWQe(f1SF z&cXEOmJdAl{DvuT%7c{3ikQ74Kr;U}_+00e1yXgp&9^-@yl%z_Yt&M0u9Q5uodpq| zScN(;_bV<<(_q9kLS3`N5{4x!_D9>E*)6!R#LTSs9O9wI;1p@MfkAbU9&04-2Q^ia zs@>9^GcX~2Rnj~S2SFTfR-x~!NhiKNH-J9#IMk>TadmN)cmiTUw{zLo6AKL4Gw`8ZD4%803O)CBO zt>(WhWdMo78sL9x|9zza$T13nvPYrn*X%*C0A`OpD0?)ce`Ze?JOT4o{txY7R1#Ty zMr;Q7+!Rq3N?B}zaQq-kFMyVQ`uz_}?2JM`EcN_mDd2}C;5|?c*k3Jyh`B)GzuyCO nqXGH-V(Yg^+Ji0zf$pac5dd$-11Wj`NvV1RqO^Jc7v=u|4k6Oq literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test index dc514ff9d4..02f3905e48 100644 --- a/testing/btest/scripts/base/protocols/ssl/dpd.test +++ b/testing/btest/scripts/base/protocols/ssl/dpd.test @@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT +# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout @load base/frameworks/dpd From 6c9449c780518e45bdc05387288f7be81cafed79 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 5 Apr 2017 11:54:53 -0700 Subject: [PATCH 215/288] Add support for two TLS 1.3 extensions. New events: event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) --- scripts/base/protocols/ssl/consts.bro | 4 ++ src/analyzer/protocol/ssl/events.bif | 44 +++++++++++++ src/analyzer/protocol/ssl/ssl-defs.pac | 4 ++ .../protocol/ssl/tls-handshake-analyzer.pac | 40 +++++++++++ .../protocol/ssl/tls-handshake-protocol.pac | 12 ++++ .../.stdout | 66 +++++++++++++++++++ .../protocols/ssl/tls-extension-events.test | 15 +++++ 7 files changed, 185 insertions(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 2f646de516..9d9460906a 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -163,6 +163,10 @@ export { [42] = "early_data", # new for 1.3, state of draft-16 [43] = "supported_versions", # new for 1.3, state of draft-16 [44] = "cookie", # new for 1.3, state of draft-16 + [45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18 + [46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16 + [47] = "certificate_authorities", # new for 1.3, state of draft-18 + [48] = "oid_filters", # new for 1.3, state of draft-18 [13172] = "next_protocol_negotiation", [13175] = "origin_bound_certificates", [13180] = "encrypted_client_certificates", diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..8142f67c7d 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -87,6 +87,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server ## ssl_session_ticket_handshake ssl_extension_ec_point_formats ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is @@ -104,6 +105,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -122,6 +124,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension @@ -139,6 +142,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -155,6 +159,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. @@ -169,6 +174,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_server_curve%(c: connection, curve: count%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains @@ -204,6 +210,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is @@ -223,8 +230,45 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for an TLS Supported Versions extension. This TLS extension +## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. +## It contains the TLS versions that it supports. This informaion can be used by +## the server to choose the best TLS version o use. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported TLS versions. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_psk_key_exchange_modes +event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); + +## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined +## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the +## list of Pre-Shared Key Exchange Modes that it supports. +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported Pre-Shared Key Exchange Modes. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_supported_versions +event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index 405ec34fbf..26eb29bfc5 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -150,6 +150,10 @@ enum SSLExtensions { EXT_EARLY_DATA = 42, EXT_SUPPORTED_VERSIONS = 43, EXT_COOKIE = 44, + EXT_PSK_KEY_EXCHANGE_MODES = 45, + EXT_TICKET_EARLY_DATA_INFO = 46, + EXT_CERTIFICATE_AUTHORITIES = 47, + EXT_OID_FILTERS = 48, EXT_NEXT_PROTOCOL_NEGOTIATION = 13172, EXT_ORIGIN_BOUND_CERTIFICATES = 13175, EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180, diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..c85f3205ef 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -189,6 +189,38 @@ refine connection Handshake_Conn += { return true; %} + function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( versions_list ) + { + for ( int i = 0; i < versions_list->size(); ++i ) + versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + + function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool + %{ + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( mode_list ) + { + for ( int i = 0; i < mode_list->size(); ++i ) + modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, modes); + + return true; + %} + function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool %{ vector* certs = cl; @@ -329,6 +361,14 @@ refine typeattr DhServerKeyExchange += &let { proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); }; +refine typeattr SupportedVersions += &let { + proc : bool = $context.connection.proc_supported_versions(rec, versions); +}; + +refine typeattr PSKKeyExchangeModes += &let { + proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes); +}; + refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..0f6287ea4a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -486,10 +486,22 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0); + EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SupportedVersions(rec: HandshakeRecord) = record { + length: uint8; + versions: uint16[] &until($input.length() == 0); +} &length=length+1; + +type PSKKeyExchangeModes(rec: HandshakeRecord) = record { + length: uint8; + modes: uint8[] &until($input.length() == 0); +} &length=length+1; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout index c9434d9ddd..d5ab2cf618 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout @@ -20,3 +20,69 @@ uncompressed ansiX962_compressed_prime ansiX962_compressed_char2 ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1] +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test index 261a698833..b8f3d42242 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test +++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test @@ -1,4 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) @@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_ print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm]; } } + +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + print "supported_versions(", c$id$orig_h, c$id$resp_h; + for ( i in versions ) + print SSL::version_strings[versions[i]]; + } + +event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) + { + print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h; + for ( i in modes ) + print modes[i]; + } From fcbf54f697f29b359a191cd6d8612bd013485028 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 7 Apr 2017 12:24:29 -0500 Subject: [PATCH 216/288] Fix the test group name in some broker test files Some broker leak tests were being ignored because the test group name was incorrect. --- testing/btest/core/leaks/broker/clone_store.bro | 2 +- testing/btest/core/leaks/broker/remote_event.test | 2 +- testing/btest/core/leaks/broker/remote_log.test | 2 +- testing/btest/core/leaks/broker/remote_print.test | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro index c3b11a7a0d..4996d05bd2 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.bro @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out" # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 3f63fcba76..a7f174f7fd 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index baeab906f1..0093e9db2e 100644 --- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test index 26e6317034..9ecc913f34 100644 --- a/testing/btest/core/leaks/broker/remote_print.test +++ b/testing/btest/core/leaks/broker/remote_print.test @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" From bdc693e72a53345a7089401ffc3eb68b31887196 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 7 Apr 2017 10:26:34 -0700 Subject: [PATCH 217/288] NetControl: small rule_error changes * add rule_error test for acld plugin * add namespace for rule_error calls in OpenFlow --- .../netcontrol/plugins/openflow.bro | 4 +-- .../send.netcontrol.log | 32 +++++++++---------- .../send.send.out | 2 +- .../base/frameworks/netcontrol/acld.bro | 10 +++++- 4 files changed, 28 insertions(+), 20 deletions(-) diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index 07be594b57..c528a1ba3e 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro @@ -318,7 +318,7 @@ function openflow_add_rule(p: PluginState, r: Rule) : bool ++flow_mod$cookie; } else - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); } return T; @@ -338,7 +338,7 @@ function openflow_remove_rule(p: PluginState, r: Rule, reason: string) : bool of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r); else { - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); return F; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log index 70c1a28ee2..6170cb6ce0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log @@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path netcontrol -#open 2016-03-24-22-04-41 +#open 2017-04-07-17-26-05 #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin #types time string enum string enum string enum string string string string int interval string string 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Acld-bro/event/netcontroltest 0.000000 - NetControl::MESSAGE - - - - - - - waiting for plugins to initialize - - - - -1458857080.863419 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest -1458857080.863419 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1458857080.887618 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.887618 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.887618 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest -#close 2016-03-24-22-04-41 +1491585965.002956 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest +1491585965.002956 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - +1491585965.027155 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027155 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027155 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::ERROR - - NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest +#close 2017-04-07-17-26-05 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out index 0d0ce0fccd..a0a9354726 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out @@ -2,6 +2,6 @@ Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP -rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP +rule error, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule removed, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro index 364624e90e..e13b1d340e 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro @@ -79,6 +79,11 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, print "rule removed", r$entity, r$ty; } +event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string) + { + print "rule error", r$entity, r$ty; + } + @TEST-END-FILE @TEST-START-FILE recv.bro @@ -115,7 +120,10 @@ event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetContro { print "remove_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + if ( r$cid != 2 ) + Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + else + Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_error, id, r, ar$command)); if ( r$cid == 4 ) terminate(); From 7826cbdfb684c8f2c03d5d1cf197be5aec7112c3 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 8 Apr 2017 09:57:45 -0700 Subject: [PATCH 218/288] Fixing couple issues reported by Coverity. --- src/analyzer/protocol/smb/smb-time.pac | 1 + src/input/readers/ascii/Ascii.cc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index 0ad97d20a3..52654c7a2b 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -30,6 +30,7 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val lTime.tm_mday = ${d.day}; lTime.tm_mon = ${d.month}; lTime.tm_year = 1980 + ${d.year}; + lTime.tm_isdst = -1; double lResult = mktime(&lTime); return new Val(lResult + tz, TYPE_TIME); %} diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 3440d9565d..d9120b91ae 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -50,6 +50,8 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; suppress_warnings = false; + fail_on_file_problem = false; + fail_on_invalid_lines = false; } Ascii::~Ascii() From a7b1161c124084d79ed87f7168ee332c835f8a3a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 10 Apr 2017 11:37:43 -0700 Subject: [PATCH 219/288] Threading Types: add a bit of documentation to subnet type. This explains how the length field is currently handled when exchanging data in both directions. --- src/threading/SerialTypes.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h index e056f6c170..af3f92d416 100644 --- a/src/threading/SerialTypes.h +++ b/src/threading/SerialTypes.h @@ -98,7 +98,7 @@ struct Value { typedef set_t vec_t; struct port_t { bro_uint_t port; TransportProto proto; }; - struct addr_t { + struct addr_t { IPFamily family; union { struct in_addr in4; @@ -106,6 +106,13 @@ struct Value { } in; }; + // A small note for handling subnet values: Subnet values emitted from + // the logging framework will always have a length that is based on the + // internal IPv6 representation (so you have to substract 96 from it to + // get the correct value for IPv4). + // However, the Input framework expects the "normal" length for an IPv4 + // address (so do not add 96 to it), because the underlying constructors + // for the SubNet type want it like this. struct subnet_t { addr_t prefix; uint8_t length; }; /** From 817b9e01a35b8d9aa9a2d81a041b9f2e8ba7a113 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 10 Apr 2017 15:23:13 -0500 Subject: [PATCH 220/288] Fix some failing tests Increase delay time before launching 2nd process to give bro more of a chance to startup. --- testing/btest/istate/broccoli-ipv6-socket.bro | 2 +- testing/btest/istate/broccoli-ssl.bro | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index be6266fdec..7365999bb0 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro @@ -4,7 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index dcbea93150..13b17a0b7b 100644 --- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,7 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: sleep 5 # @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout From b3d7d8b1da7721ab69f4a172815201fdc6ebf38b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 17 Apr 2017 12:09:18 -0400 Subject: [PATCH 221/288] Documentation updates for loading Bro scripts. --- doc/quickstart/index.rst | 82 +++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 34 deletions(-) diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index 811fad53e1..d7e0491501 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -316,9 +316,8 @@ Analyzing live traffic from an interface is simple: bro -i en0 -``en0`` can be replaced by the interface of your choice and for the list of -scripts, you can just use "all" for now to perform all the default analysis -that's available. +``en0`` can be replaced by the interface of your choice. A selection +of common base scripts will be loaded by default. Bro will output log files into the working directory. @@ -326,22 +325,6 @@ Bro will output log files into the working directory. capturing as an unprivileged user and checksum offloading are particularly relevant at this point. -To use the site-specific ``local.bro`` script, just add it to the -command-line: - -.. console:: - - bro -i en0 local - -This will cause Bro to print a warning about lacking the -``Site::local_nets`` variable being configured. You can supply this -information at the command line like this (supply your "local" subnets -in place of the example subnets): - -.. console:: - - bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" - Reading Packet Capture (pcap) Files ----------------------------------- @@ -373,7 +356,6 @@ script that we include as a suggested configuration: bro -r mypackets.trace local - Telling Bro Which Scripts to Load --------------------------------- @@ -381,33 +363,65 @@ A command-line invocation of Bro typically looks like: .. console:: - bro + bro Where the last arguments are the specific policy scripts that this Bro instance will load. These arguments don't have to include the ``.bro`` -file extension, and if the corresponding script resides under the default -installation path, ``$PREFIX/share/bro``, then it requires no path -qualification. Further, a directory of scripts can be specified as -an argument to be loaded as a "package" if it contains a ``__load__.bro`` -script that defines the scripts that are part of the package. +file extension, and if the corresponding script resides in the default +search path, then it requires no path qualification. The following +directories are included in the default search path for Bro scripts:: + + ./ + /share/bro/ + /share/bro/policy/ + /share/bro/site/ -This example does all of the base analysis (primarily protocol -logging) and adds SSL certificate validation. +These prefix paths can be used to load scripts like this: .. console:: - bro -r mypackets.trace protocols/ssl/validate-certs + bro -r mypackets.trace frameworks/files/extract-all + +This will load the +``/share/bro/policy/frameworks/files/extract-all.bro`` script which will +cause Bro to extract all of the files it discovers in the PCAP. + +.. note:: If one wants Bro to be able to load scripts that live outside the + default directories in Bro's installation root, the full path to the file(s) + must be provided. See the default search path by running ``bro --help``. You might notice that a script you load from the command line uses the ``@load`` directive in the Bro language to declare dependence on other scripts. This directive is similar to the ``#include`` of C/C++, except the semantics are, "load this script if it hasn't already been loaded." -.. note:: If one wants Bro to be able to load scripts that live outside the - default directories in Bro's installation root, the ``BROPATH`` environment - variable will need to be extended to include all the directories that need - to be searched for scripts. See the default search path by doing - ``bro --help``. +Further, a directory of scripts can be specified as +an argument to be loaded as a "package" if it contains a ``__load__.bro`` +script that defines the scripts that are part of the package. + +Local site customization +------------------------ + +There is one script that is installed which is considered "local site +customization" and is not overwritten when upgrades take place. To use +the site-specific ``local.bro`` script, just add it to the command-line (can +also be loaded through scripts with @load): + +.. console:: + + bro -i en0 local + +This causes Bro to load a script that prints a warning about lacking the +``Site::local_nets`` variable being configured. You can supply this +information at the command line like this (supply your "local" subnets +in place of the example subnets): + +.. console:: + + bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" + +When running with Broctl, this value is set by configuring the ``networks.cfg`` +file. Running Bro Without Installing ------------------------------ From 15375ba1e371f99c054b1c948546a5f180093604 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 17 Apr 2017 21:46:58 +0200 Subject: [PATCH 222/288] Guard a few more format strings with __attribute__((format)) This will cause compile-time error messages to be raised if someone passes incorrect parameters to these strings. --- src/Reporter.h | 6 +++--- src/input/Manager.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Reporter.h b/src/Reporter.h index 19cdbb7e82..85b9a483a2 100644 --- a/src/Reporter.h +++ b/src/Reporter.h @@ -66,11 +66,11 @@ public: // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void ExprRuntimeError(const Expr* expr, const char* fmt, ...); + void ExprRuntimeError(const Expr* expr, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void RuntimeError(const Location* location, const char* fmt, ...); + void RuntimeError(const Location* location, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. @@ -123,7 +123,7 @@ public: private: void DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, - const char* postfix, const char* fmt, va_list ap); + const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0))); // The order if addl, name needs to be like that since fmt_name can // contain format specifiers diff --git a/src/input/Manager.h b/src/input/Manager.h index e7a1ebe2d6..8296ce9f8b 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -240,7 +240,7 @@ private: enum class ErrorType { INFO, WARNING, ERROR }; void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6))); - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) __attribute__((format(printf, 5, 0))); Stream* FindStream(const string &name); Stream* FindStream(ReaderFrontend* reader); From 81dbbbd3a2a61f59d849337c5213c708ae8394c6 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 17 Apr 2017 22:02:39 +0200 Subject: [PATCH 223/288] Update submodule [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 5d03436d9d..1dc8599df2 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 +Subproject commit 1dc8599df24112504aac5e1256b478eec5054848 From b307b29f422b45dafc98858dae1940e4976797da Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Apr 2017 14:14:00 -0700 Subject: [PATCH 224/288] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 05043bbd04..e174fb0f1f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-125 | 2017-04-17 22:02:39 +0200 + + * Documentation updates for loading Bro scripts. (Seth Hall) + 2.5-123 | 2017-04-10 13:30:14 -0700 * Fix some failing tests by increasing delay times. (Daniel Thayer) diff --git a/VERSION b/VERSION index d59af9fdb3..5217718f6a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-123 +2.5-125 From ad4b2d6880d734465c2dc5b27b9efabf3c14f189 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Apr 2017 14:27:16 -0700 Subject: [PATCH 225/288] Updating submodule(s). [nomail] --- CHANGES | 10 ++++++++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/3rdparty | 2 +- 6 files changed, 15 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index e174fb0f1f..2731cfc836 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.5-131 | 2017-04-21 14:27:16 -0700 + + * Guard more format strings with __attribute__((format)). (Johanna Amann) + + * Add support for two TLS 1.3 extensions. + + New events: + - event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + - event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) (Johanna Amann) + 2.5-125 | 2017-04-17 22:02:39 +0200 * Documentation updates for loading Bro scripts. (Seth Hall) diff --git a/VERSION b/VERSION index 5217718f6a..be40786416 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-125 +2.5-131 diff --git a/aux/broctl b/aux/broctl index cf7ea4e1ad..bedd721378 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit cf7ea4e1ad18920058f32e95bbea3bdd765b6094 +Subproject commit bedd7213784b3f1d2ce10ce73b1a9cf9efdc848a diff --git a/aux/btest b/aux/btest index dceda16935..54b92381c1 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit dceda169351ddd0c7fe7a5ae5496be1d7af2367b +Subproject commit 54b92381c1c133376c2c85eeb53b32b068f51067 diff --git a/aux/plugins b/aux/plugins index c4b5df3aa8..62f32f0236 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit c4b5df3aa8e5c58a2dc5e5040c7da8369894f24d +Subproject commit 62f32f02364bd55d802922b33ce8a9d84b8c39f7 diff --git a/src/3rdparty b/src/3rdparty index 5d03436d9d..1dc8599df2 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 +Subproject commit 1dc8599df24112504aac5e1256b478eec5054848 From 2c2c9c90521a7993abf5b4f90ff2d78e18860ba2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 22 Apr 2017 08:12:25 -0700 Subject: [PATCH 226/288] Updating submodule(s). [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index 62f32f0236..5724f8edcc 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 62f32f02364bd55d802922b33ce8a9d84b8c39f7 +Subproject commit 5724f8edcc2b323062715dac8eec4affe1f96696 From 333bb71ed15038831ad6eb67edd9f6d02e26f8f0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 24 Apr 2017 11:57:15 -0700 Subject: [PATCH 227/288] Add rename, unlink, and rmdir bifs. --- src/bro.bif | 86 ++++++++++++++++++- .../Baseline/bifs.directory_operations/out | 10 +++ testing/btest/bifs/directory_operations.bro | 24 ++++++ 3 files changed, 118 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/bifs.directory_operations/out create mode 100644 testing/btest/bifs/directory_operations.bro diff --git a/src/bro.bif b/src/bro.bif index e168016f5e..24f0919bea 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -4039,6 +4039,7 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open%(f: string%): file %{ const char* file = f->CheckString(); @@ -4058,6 +4059,7 @@ function open%(f: string%): file ## ## .. bro:see:: active_file open close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open_for_append%(f: string%): file %{ return new Val(new BroFile(f->CheckString(), "a")); @@ -4071,6 +4073,7 @@ function open_for_append%(f: string%): file ## ## .. bro:see:: active_file open open_for_append write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function close%(f: file%): bool %{ return new Val(f->Close(), TYPE_BOOL); @@ -4086,6 +4089,7 @@ function close%(f: file%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function write_file%(f: file, data: string%): bool %{ if ( ! f ) @@ -4106,6 +4110,7 @@ function write_file%(f: file, data: string%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file flush_all mkdir enable_raw_output +## rmdir unlink rename function set_buf%(f: file, buffered: bool%): any %{ f->SetBuf(buffered); @@ -4118,6 +4123,7 @@ function set_buf%(f: file, buffered: bool%): any ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file set_buf mkdir enable_raw_output +## rmdir unlink rename function flush_all%(%): bool %{ return new Val(fflush(0) == 0, TYPE_BOOL); @@ -4132,12 +4138,88 @@ function flush_all%(%): bool ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output +## rmdir unlink rename function mkdir%(f: string%): bool %{ const char* filename = f->CheckString(); - if ( mkdir(filename, 0777) < 0 && errno != EEXIST ) + if ( mkdir(filename, 0777) < 0 ) { - builtin_error("cannot create directory", @ARG@[0]); + int error = errno; + struct stat filestat; + // check if already exists and is directory. + if ( errno == EEXIST && stat(filename, &filestat) == 0 && S_ISDIR(filestat.st_mode) ) + return new Val(1, TYPE_BOOL); + + builtin_error(fmt("cannot create directory '%s': %s", filename, strerror(error))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + + +## Removes a directory. +## +## d: The directory name. +## +## Returns: Returns true if the operation succeeds, and false if the +## directory delete operation files. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir unlink rename +function rmdir%(d: string%): bool + %{ + const char* dirname = d->CheckString(); + if ( rmdir(dirname) < 0 ) + { + builtin_error(fmt("cannot remove directory '%s': %s", dirname, strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Removes a file from a directory. +## +## f: the file to delete. +## +## Returns: Returns true if the operation succeeds and the file was deleted, +## and false if the deletion fails. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir rename +function unlink%(f: string%): bool + %{ + const char* filename = f->CheckString(); + if ( unlink(filename) < 0 ) + { + builtin_error(fmt("cannot unlink file '%s': %s", filename, strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Renames a file from src_f to dst_f. +## +## src_f: the name of the file to rename. +## +## dest_f: the name of the file after the rename operation. +## +## Returns: Returns true if the rename succeeds and false otherwise. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir unlink +function rename%(src_f: string, dst_f: string%): bool + %{ + const char* src_filename = src_f->CheckString(); + const char* dst_filename = dst_f->CheckString(); + if ( rename(src_filename, dst_filename) < 0 ) + { + builtin_error(fmt("cannot rename file '%s' to '%s': %s", src_filename, dst_filename, strerror(errno))); return new Val(0, TYPE_BOOL); } else diff --git a/testing/btest/Baseline/bifs.directory_operations/out b/testing/btest/Baseline/bifs.directory_operations/out new file mode 100644 index 0000000000..8465596a92 --- /dev/null +++ b/testing/btest/Baseline/bifs.directory_operations/out @@ -0,0 +1,10 @@ +T +T +T +T +T +T +F +F +F +F diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.bro new file mode 100644 index 0000000000..9db34511b2 --- /dev/null +++ b/testing/btest/bifs/directory_operations.bro @@ -0,0 +1,24 @@ +# +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +event bro_init() + { + # Test succesful operations... + print mkdir("testdir"); + print mkdir("testdir"); + local a = open("testdir/testfile"); + close(a); + print rename("testdir/testfile", "testdir/testfile2"); + print rename("testdir", "testdir2"); + print unlink("testdir2/testfile2"); + print rmdir("testdir2"); + + + print unlink("nonexisting"); + print rename("a", "b"); + print rmdir("nonexisting"); + a = open("testfile"); + close(a); + print mkdir("testfile"); + } From c868a19a282e81f2f9db55c20b1e53d9caca8920 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 24 Apr 2017 13:12:49 -0700 Subject: [PATCH 228/288] Add gzip log writing to the ascii writer. This feature can be enabled globally for all logs by setting LogAscii::gzip_level to a value greater than 0. This feature can be enabled on a per-log basis by setting gzip-level in $confic to a value greater than 0. --- .../base/frameworks/logging/writers/ascii.bro | 7 ++ src/logging/writers/ascii/Ascii.cc | 91 +++++++++++++++++-- src/logging/writers/ascii/Ascii.h | 5 + src/logging/writers/ascii/ascii.bif | 1 + .../ssh-uncompressed.log | 10 ++ .../ssh.log | 10 ++ .../base/frameworks/logging/ascii-gz.bro | 75 +++++++++++++++ 7 files changed, 191 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-gz.bro diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index c10c86145e..c7599f9543 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro @@ -26,6 +26,13 @@ export { ## This option is also available as a per-filter ``$config`` option. const use_json = F &redef; + ## Define the gzip level to compress the logs. If 0, + ## the no gzip compression is performed. Enabling compression also changes + ## the log file name extension to include ".gz". + ## + ## This option is also available as a per-filter ``$config`` option. + const gzip_level = 0 &redef; + ## Format of timestamps when writing out JSON. By default, the JSON ## formatter will use double values for timestamps which represent the ## number of seconds from the UNIX epoch. diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index d6f5daa7e7..908991c8a3 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -24,6 +24,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) tsv = false; use_json = false; formatter = 0; + gzip_level = 0; InitConfigOptions(); init_options = InitFilterOptions(); @@ -34,6 +35,7 @@ void Ascii::InitConfigOptions() output_to_stdout = BifConst::LogAscii::output_to_stdout; include_meta = BifConst::LogAscii::include_meta; use_json = BifConst::LogAscii::use_json; + gzip_level = BifConst::LogAscii::gzip_level; separator.assign( (const char*) BifConst::LogAscii::separator->Bytes(), @@ -89,6 +91,15 @@ bool Ascii::InitFilterOptions() } } + else if ( strcmp(i->first, "gzip_level" ) == 0 ) + { + gzip_level = atoi(i->second); + if ( gzip_level < 0 || gzip_level > 9 ) + { + Error("invalid value for 'gzip_level', must be a number between 0 and 9."); + return false; + } + } else if ( strcmp(i->first, "use_json") == 0 ) { if ( strcmp(i->second, "T") == 0 ) @@ -192,7 +203,7 @@ bool Ascii::WriteHeaderField(const string& key, const string& val) { string str = meta_prefix + key + separator + val + "\n"; - return safe_write(fd, str.c_str(), str.length()); + return InternalWrite(fd, str.c_str(), str.length()); } void Ascii::CloseFile(double t) @@ -203,7 +214,7 @@ void Ascii::CloseFile(double t) if ( include_meta && ! tsv ) WriteHeaderField("close", Timestamp(0)); - safe_close(fd); + InternalClose(fd); fd = 0; } @@ -219,7 +230,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * if ( output_to_stdout ) path = "/dev/stdout"; - fname = IsSpecial(path) ? path : path + "." + LogExt(); + fname = IsSpecial(path) ? path : path + "." + LogExt() + (( gzip_level > 0 ) ? ".gz" : ""); fd = open(fname.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); @@ -231,6 +242,25 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * return false; } + if ( gzip_level > 0 ) + { + assert(gzip_level < 10); + char mode[4]; + snprintf(mode, 3, "wb%d", gzip_level); + errno = 0; // errno will only be set under certain circumstances by gzdopen. + gzfile = gzdopen(fd, mode); + if ( gzfile == nullptr ) + { + Error(Fmt("cannot gzip %s: %s", fname.c_str(), + Strerror(errno))); + return false; + } + } + else + { + gzfile = 0; + } + if ( ! WriteHeader(path) ) { Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno))); @@ -264,7 +294,7 @@ bool Ascii::WriteHeader(const string& path) { // A single TSV-style line is all we need. string str = names + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; return true; @@ -275,7 +305,7 @@ bool Ascii::WriteHeader(const string& path) + get_escaped_string(separator, false) + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) && @@ -337,14 +367,14 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields, char hex[4] = {'\\', 'x', '0', '0'}; bytetohex(bytes[0], hex + 2); - if ( ! safe_write(fd, hex, 4) ) + if ( ! InternalWrite(fd, hex, 4) ) goto write_error; ++bytes; --len; } - if ( ! safe_write(fd, bytes, len) ) + if ( ! InternalWrite(fd, bytes, len) ) goto write_error; if ( ! IsBuf() ) @@ -368,7 +398,7 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t CloseFile(close); - string nname = string(rotated_path) + "." + LogExt(); + string nname = string(rotated_path) + "." + LogExt() + (gzfile ? ".gz" : ""); if ( rename(fname.c_str(), nname.c_str()) != 0 ) { @@ -434,4 +464,49 @@ string Ascii::Timestamp(double t) return tmp; } +bool Ascii::InternalWrite(int fd, const char* data, int len) + { + if ( gzfile ) + { + while ( len > 0 ) + { + int n = gzwrite(gzfile, data, len); + + if ( n < 0 ) + { + if ( n == Z_ERRNO ) + Error(Fmt("Ascii::InternalWrite error: %s\n", Strerror(errno))); + else + Error(Fmt("Ascii::InternalWrite error: %s\n", gzerror(gzfile, &n))); + + return false; + } + + data += n; + len -= n; + } + } + else + return safe_write(fd, data, len); + + return true; + } + +bool Ascii::InternalClose(int fd) + { + if ( gzfile ) + { + if ( gzclose(gzfile) < 0 ) + { + Error(Fmt("Ascii::InternalClose error: %s\n", Strerror(errno))); + return false; + } + } + else + { + safe_close(fd); + } + + return true; + } diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h index 8648070111..eabeda4242 100644 --- a/src/logging/writers/ascii/Ascii.h +++ b/src/logging/writers/ascii/Ascii.h @@ -8,6 +8,7 @@ #include "logging/WriterBackend.h" #include "threading/formatters/Ascii.h" #include "threading/formatters/JSON.h" +#include "zlib.h" namespace logging { namespace writer { @@ -42,8 +43,11 @@ private: void InitConfigOptions(); bool InitFilterOptions(); bool InitFormatter(); + bool InternalWrite(int fd, const char* data, int len); + bool InternalClose(int fd); int fd; + gzFile gzfile; string fname; ODesc desc; bool ascii_done; @@ -59,6 +63,7 @@ private: string unset_field; string meta_prefix; + int gzip_level; // level > 0 enables gzip compression bool use_json; string json_timestamps; diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif index 2817511152..b12b14f1a0 100644 --- a/src/logging/writers/ascii/ascii.bif +++ b/src/logging/writers/ascii/ascii.bif @@ -12,3 +12,4 @@ const empty_field: string; const unset_field: string; const use_json: bool; const json_timestamps: JSON::TimestampFormat; +const gzip_level: count; diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log new file mode 100644 index 0000000000..c6979d60b9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh-uncompressed +#open 2017-04-18-16-16-16 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-16-16 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log new file mode 100644 index 0000000000..22bac43cef --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2017-04-18-16-15-17 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-15-17 diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro new file mode 100644 index 0000000000..9563f42c40 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro @@ -0,0 +1,75 @@ +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: gunzip ssh.log.gz +# @TEST-EXEC: btest-diff ssh.log +# @TEST-EXEC: btest-diff ssh-uncompressed.log +# +# Testing all possible types. + +redef LogAscii::gzip_level = 9; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; +} + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed", + $config = table(["gzip_level"] = "0")); + Log::add_filter(SSH::LOG, filter); + + local empty_set: set[string]; + local empty_vector: vector of string; + + Log::write(SSH::LOG, [ + $b=T, + $i=-42, + $e=SSH::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.543210 secs), + $iv=100secs, + $s="hurz", + $sc=set(1,2,3,4), + $ss=set("AA", "BB", "CC"), + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); +} + From 684ea8aa37288407f53342a8af12c547de35d413 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 27 Feb 2017 10:01:14 -0800 Subject: [PATCH 229/288] Plugin: Add hooks for log init and writing. The two hooks being added are: void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields); which is called when a writer is being instantiated and contains information about the fields being logged, as well as bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals); which is called for each log line being written by each writer. It contains all the data being written. The data can be changed in the function call and lines can be prevented from being written. This commit also fixes a few small problems with plugin hooks itself, and extends the tests that were already there, besides introducing tests for the added functionality. --- src/logging/Manager.cc | 30 +++- src/plugin/Manager.cc | 72 +++++++++- src/plugin/Manager.h | 55 +++++++ src/plugin/Plugin.cc | 62 ++++++++ src/plugin/Plugin.h | 127 ++++++++++++++-- src/threading/Formatter.cc | 6 +- src/threading/Formatter.h | 6 +- testing/btest/Baseline/plugins.hooks/output | 39 ++++- .../Baseline/plugins.logging-hooks/output | 1 + .../Baseline/plugins.logging-hooks/ssh.log | 11 ++ .../btest/plugins/hooks-plugin/src/Plugin.cc | 136 ++++++++++++++++++ .../btest/plugins/hooks-plugin/src/Plugin.h | 23 +-- .../logging-hooks-plugin/.btest-ignore | 0 .../logging-hooks-plugin/src/Plugin.cc | 60 ++++++++ .../plugins/logging-hooks-plugin/src/Plugin.h | 28 ++++ testing/btest/plugins/logging-hooks.bro | 72 ++++++++++ 16 files changed, 689 insertions(+), 39 deletions(-) create mode 100644 testing/btest/Baseline/plugins.logging-hooks/output create mode 100644 testing/btest/Baseline/plugins.logging-hooks/ssh.log create mode 100644 testing/btest/plugins/logging-hooks-plugin/.btest-ignore create mode 100644 testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/logging-hooks-plugin/src/Plugin.h create mode 100644 testing/btest/plugins/logging-hooks.bro diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 8c720137e8..cb8970049e 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -15,6 +15,8 @@ #include "WriterFrontend.h" #include "WriterBackend.h" #include "logging.bif.h" +#include "../plugin/Plugin.h" +#include "../plugin/Manager.h" #ifdef ENABLE_BROKER #include "broker/Manager.h" @@ -62,6 +64,7 @@ struct Manager::WriterInfo { WriterFrontend* writer; WriterBackend::WriterInfo* info; bool from_remote; + bool hook_initialized; string instantiating_filter; }; @@ -840,12 +843,21 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) path = filter->path = filter->path_val->AsString()->CheckString(); } + WriterBackend::WriterInfo* info = 0; WriterFrontend* writer = 0; if ( w != stream->writers.end() ) { // We know this writer already. writer = w->second->writer; + info = w->second->info; + if ( ! w->second->hook_initialized ) + { + auto wi = w->second; + wi->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, HookLogInit(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), wi->instantiating_filter, filter->local, filter->remote, *wi->info, filter->num_fields, filter->fields)); + } + } else @@ -874,7 +886,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) arg_fields[j] = new threading::Field(*filter->fields[j]); } - WriterBackend::WriterInfo* info = new WriterBackend::WriterInfo; + info = new WriterBackend::WriterInfo; info->path = copy_string(path.c_str()); info->network_time = network_time; @@ -909,6 +921,16 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) threading::Value** vals = RecordToFilterVals(stream, filter, columns); + if ( ! PLUGIN_HOOK_WITH_RESULT(HOOK_LOG_WRITE, HookLogWrite(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), filter->name, *info, filter->num_fields, filter->fields, vals), true) ) + { + DeleteVals(filter->num_fields, vals); +#ifdef DEBUG + DBG_LOG(DBG_LOGGING, "Hook prevented writing to filter '%s' on stream '%s'", + filter->name.c_str(), stream->name.c_str()); +#endif + return true; + } + // Write takes ownership of vals. assert(writer); writer->Write(filter->num_fields, vals); @@ -1165,6 +1187,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->postprocessor = 0; winfo->info = info; winfo->from_remote = from_remote; + winfo->hook_initialized = false; winfo->instantiating_filter = instantiating_filter; // Search for a corresponding filter for the writer/path pair and use its @@ -1214,6 +1237,11 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken #endif winfo->writer->Init(num_fields, fields); + if ( ! from_remote ) + { + winfo->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, HookLogInit(writer->Type()->AsEnumType()->Lookup(writer->InternalInt()), instantiating_filter, local, remote, *winfo->info, num_fields, fields)); + } InstallRotationTimer(winfo); return winfo->writer; diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index c672614957..d616e23f6a 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -712,7 +712,7 @@ void Manager::HookSetupAnalyzerTree(Connection *conn) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(conn); + args.push_back(HookArgument(conn)); MetaHookPre(HOOK_SETUP_ANALYZER_TREE, args); } @@ -739,7 +739,7 @@ void Manager::HookUpdateNetworkTime(double network_time) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(network_time); + args.push_back(HookArgument(network_time)); MetaHookPre(HOOK_UPDATE_NETWORK_TIME, args); } @@ -762,7 +762,7 @@ void Manager::HookBroObjDtor(void* obj) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(obj); + args.push_back(HookArgument(obj)); MetaHookPre(HOOK_BRO_OBJ_DTOR, args); } @@ -779,6 +779,72 @@ void Manager::HookBroObjDtor(void* obj) const MetaHookPost(HOOK_BRO_OBJ_DTOR, args, HookArgument()); } +void Manager::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(instantiating_filter)); + args.push_back(HookArgument(local)); + args.push_back(HookArgument(remote)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + MetaHookPre(HOOK_LOG_INIT, args); + } + + hook_list* l = hooks[HOOK_LOG_INIT]; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + p->HookLogInit(writer, instantiating_filter, local, remote, info, num_fields, fields); + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_INIT, args, HookArgument()); + } + +bool Manager::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(filter)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + args.push_back(HookArgument(vals)); + MetaHookPre(HOOK_LOG_WRITE, args); + } + + hook_list* l = hooks[HOOK_LOG_WRITE]; + + bool result = true; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + if ( ! p->HookLogWrite(writer, filter, info, num_fields, fields, vals) ) + { + result = false; + break; + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_WRITE, args, HookArgument(result)); + + return result; + } + void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const { hook_list* l = hooks[HOOK_CALL_FUNCTION]; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 2a394b39ee..f2bf5302bb 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -291,6 +291,61 @@ public: */ void HookBroObjDtor(void* obj) const; + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * + * @param writer The name of the writer being insantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) const; + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not passed + * on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) const; + /** * Internal method that registers a freshly instantiated plugin with * the manager. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index b0eb19a628..75658f13de 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -10,6 +10,8 @@ #include "../Desc.h" #include "../Event.h" +#include "../Conn.h" +#include "threading/SerialTypes.h" using namespace plugin; @@ -24,6 +26,8 @@ const char* plugin::hook_name(HookType h) "UpdateNetworkTime", "BroObjDtor", "SetupAnalyzerTree", + "LogInit", + "LogWrite", // MetaHooks "MetaHookPre", "MetaHookPost", @@ -84,6 +88,11 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; + case CONN: + if ( arg.conn ) + arg.conn->Describe(d); + break; + case FUNC_RESULT: if ( func_result.first ) { @@ -145,6 +154,50 @@ void HookArgument::Describe(ODesc* d) const case VOIDP: d->Add(""); break; + + case WRITER_INFO: + d->Add(arg.winfo->path); + d->Add("("); + d->Add(arg.winfo->network_time); + d->Add(","); + d->Add(arg.winfo->rotation_interval); + d->Add(","); + d->Add(arg.winfo->rotation_base); + if ( arg.winfo->config.size() > 0 ) + { + bool first = true; + d->Add("config: {"); + for ( auto& v: arg.winfo->config ) + { + if ( ! first ) + d->Add(", "); + + d->Add(v.first); + d->Add(": "); + d->Add(v.second); + first = false; + } + d->Add("}"); + } + d->Add(")"); + break; + + case THREAD_FIELDS: + d->Add("{"); + for ( int i=0; i < tfields.first; i++ ) + { + const threading::Field* f = tfields.second[i]; + + if ( i > 0 ) + d->Add(", "); + + d->Add(f->name); + d->Add(" ("); + d->Add(f->TypeName()); + d->Add(")"); + } + d->Add("}"); + break; } } @@ -319,6 +372,15 @@ void Plugin::HookBroObjDtor(void* obj) { } +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + return true; + } + void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 49fa7cdd84..e3e8764884 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -11,16 +11,21 @@ #include "analyzer/Component.h" #include "file_analysis/Component.h" #include "iosource/Component.h" +#include "logging/WriterBackend.h" // We allow to override this externally for testing purposes. #ifndef BRO_PLUGIN_API_VERSION -#define BRO_PLUGIN_API_VERSION 4 +#define BRO_PLUGIN_API_VERSION 5 #endif class ODesc; class Func; class Event; +namespace threading { +struct Field; +} + namespace plugin { class Manager; @@ -39,7 +44,9 @@ enum HookType { HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. - HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookSetupAnalyzerTree + HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree + HOOK_LOG_INIT, //< Activates Plugin::HookLogInit + HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -158,7 +165,8 @@ public: * Type of the argument. */ enum Type { - BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP + BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP, + WRITER_INFO, CONN, THREAD_FIELDS }; /** @@ -169,57 +177,72 @@ public: /** * Constructor with a boolean argument. */ - HookArgument(bool a) { type = BOOL; arg.bool_ = a; } + explicit HookArgument(bool a) { type = BOOL; arg.bool_ = a; } /** * Constructor with a double argument. */ - HookArgument(double a) { type = DOUBLE; arg.double_ = a; } + explicit HookArgument(double a) { type = DOUBLE; arg.double_ = a; } /** * Constructor with an event argument. */ - HookArgument(const Event* a) { type = EVENT; arg.event = a; } + explicit HookArgument(const Event* a) { type = EVENT; arg.event = a; } + + /** + * Constructor with an connection argument. + */ + explicit HookArgument(const Connection* c) { type = CONN; arg.conn = c; } /** * Constructor with a function argument. */ - HookArgument(const Func* a) { type = FUNC; arg.func = a; } + explicit HookArgument(const Func* a) { type = FUNC; arg.func = a; } /** * Constructor with an integer argument. */ - HookArgument(int a) { type = INT; arg.int_ = a; } + explicit HookArgument(int a) { type = INT; arg.int_ = a; } /** * Constructor with a string argument. */ - HookArgument(const std::string& a) { type = STRING; arg_string = a; } + explicit HookArgument(const std::string& a) { type = STRING; arg_string = a; } /** * Constructor with a Bro value argument. */ - HookArgument(const Val* a) { type = VAL; arg.val = a; } + explicit HookArgument(const Val* a) { type = VAL; arg.val = a; } /** * Constructor with a list of Bro values argument. */ - HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } + explicit HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } /** * Constructor with a void pointer argument. */ - HookArgument(void* p) { type = VOIDP; arg.voidp = p; } + explicit HookArgument(void* p) { type = VOIDP; arg.voidp = p; } /** * Constructor with a function result argument. */ - HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } + explicit HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } /** * Constructor with a Frame argument. */ - HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + explicit HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + + /** + * Constructor with a WriterInfo argument. + */ + explicit HookArgument(const logging::WriterBackend::WriterInfo* i) { type = WRITER_INFO; arg.winfo = i; } + + /** + * Constructor with a threading field argument. + */ + explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; } /** * Returns the value for a boolen argument. The argument's type must @@ -239,6 +262,12 @@ public: */ const Event* AsEvent() const { assert(type == EVENT); return arg.event; } + /** + * Returns the value for an connection argument. The argument's type must + * match accordingly. + */ + const Connection* AsConnection() const { assert(type == CONN); return arg.conn; } + /** * Returns the value for a function argument. The argument's type must * match accordingly. @@ -275,6 +304,18 @@ public: */ const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } + /** + * Returns the value for a logging WriterInfo argument. The argument's type must + * match accordingly. + */ + const logging::WriterBackend::WriterInfo* AsWriterInfo() const { assert(type == WRITER_INFO); return arg.winfo; } + + /** + * Returns the value for a threading fields argument. The argument's type must + * match accordingly. + */ + const std::pair AsThreadFields() const { assert(type == THREAD_FIELDS); return tfields; } + /** * Returns the value for a list of Bro values argument. The argument's type must * match accordingly. @@ -305,16 +346,19 @@ private: bool bool_; double double_; const Event* event; + const Connection* conn; const Func* func; const Frame* frame; int int_; const Val* val; const val_list* vals; const void* voidp; + const logging::WriterBackend::WriterInfo* winfo; } arg; // Outside union because these have dtors. std::pair func_result; + std::pair tfields; std::string arg_string; }; @@ -663,6 +707,61 @@ protected: */ virtual void HookBroObjDtor(void* obj); + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * + * @param writer The name of the writer being insantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + virtual void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields); + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not passed + * on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + virtual bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals); + // Meta hooks. /** diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc index 3f366de90a..b881962732 100644 --- a/src/threading/Formatter.cc +++ b/src/threading/Formatter.cc @@ -22,7 +22,7 @@ Formatter::~Formatter() { } -string Formatter::Render(const threading::Value::addr_t& addr) const +string Formatter::Render(const threading::Value::addr_t& addr) { if ( addr.family == IPv4 ) { @@ -90,7 +90,7 @@ threading::Value::addr_t Formatter::ParseAddr(const string &s) const return val; } -string Formatter::Render(const threading::Value::subnet_t& subnet) const +string Formatter::Render(const threading::Value::subnet_t& subnet) { char l[16]; @@ -104,7 +104,7 @@ string Formatter::Render(const threading::Value::subnet_t& subnet) const return s; } -string Formatter::Render(double d) const +string Formatter::Render(double d) { char buf[256]; modp_dtoa(d, buf, 6); diff --git a/src/threading/Formatter.h b/src/threading/Formatter.h index c8337959bf..c564f3c945 100644 --- a/src/threading/Formatter.h +++ b/src/threading/Formatter.h @@ -87,7 +87,7 @@ public: * * @return An ASCII representation of the address. */ - string Render(const threading::Value::addr_t& addr) const; + static string Render(const threading::Value::addr_t& addr); /** * Convert an subnet value into a string. @@ -98,7 +98,7 @@ public: * * @return An ASCII representation of the subnet. */ - string Render(const threading::Value::subnet_t& subnet) const; + static string Render(const threading::Value::subnet_t& subnet); /** * Convert a double into a string. This renders the double with Bro's @@ -110,7 +110,7 @@ public: * * @return An ASCII representation of the double. */ - string Render(double d) const; + static string Render(double d); /** * Convert a string into a TransportProto. The string must be one of diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 420d20ae12..fcf29f2b04 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -712,6 +712,8 @@ 0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1 0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 +0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> +0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false @@ -964,7 +966,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1094,7 +1096,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1429,6 +1431,8 @@ 0.000000 MetaHookPre LoadFile(base<...>/weird) 0.000000 MetaHookPre LoadFile(base<...>/x509) 0.000000 MetaHookPre LoadFile(base<...>/xmpp) +0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) +0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) 0.000000 MetaHookPre QueueEvent(bro_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) @@ -1680,7 +1684,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1810,7 +1814,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1851,6 +1855,8 @@ 0.000000 | HookLoadFile <...>/bro 0.000000 | HookLoadFile base<...>/bif 0.000000 | HookLoadFile base<...>/bro +0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} +0.000000 | HookLogWrite packet_filter [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() @@ -1865,6 +1871,7 @@ 1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() 1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) @@ -1877,6 +1884,7 @@ 1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) 1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) 1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344) 1362692526.869344 | HookBroObjDtor 1362692526.869344 | HookUpdateNetworkTime 1362692526.869344 @@ -1890,6 +1898,7 @@ 1362692526.869344 | HookQueueEvent ChecksumOffloading::check() 1362692526.869344 | HookQueueEvent filter_change_tracking() 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() 1362692526.939084 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 1362692526.939084 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> @@ -2204,6 +2213,10 @@ 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -> true +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true 1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false @@ -2229,6 +2242,10 @@ 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) 1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -2255,6 +2272,10 @@ 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents +1362692527.009775 | HookLogInit files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)} +1362692527.009775 | HookLogInit http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])} +1362692527.009775 | HookLogWrite files [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=, duration=0.000263, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, extracted=, extracted_cutoff=, extracted_size=] +1362692527.009775 | HookLogWrite http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain] 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -2309,6 +2330,8 @@ 1362692527.080972 MetaHookPost CallFunction(sub_bytes, , (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, , (HTTP)) -> 1362692527.080972 MetaHookPost DrainEvents() -> +1362692527.080972 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> +1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false @@ -2340,6 +2363,8 @@ 1362692527.080972 MetaHookPre CallFunction(sub_bytes, , (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, , (HTTP)) 1362692527.080972 MetaHookPre DrainEvents() +1362692527.080972 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) +1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(bro_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) @@ -2372,6 +2397,8 @@ 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(HTTP) 1362692527.080972 | HookDrainEvents +1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} +1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent bro_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) diff --git a/testing/btest/Baseline/plugins.logging-hooks/output b/testing/btest/Baseline/plugins.logging-hooks/output new file mode 100644 index 0000000000..54330845bc --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/output @@ -0,0 +1 @@ +1488216470.960453 | HookLogInit ssh 1/1 {b (bool), i (int), e (enum), c (count), p (port), sn (subnet), a (addr), d (double), t (time), iv (interval), s (string), sc (set[count]), ss (set[string]), se (set[string]), vc (vector[count]), ve (vector[string]), f (func)} diff --git a/testing/btest/Baseline/plugins.logging-hooks/ssh.log b/testing/btest/Baseline/plugins.logging-hooks/ssh.log new file mode 100644 index 0000000000..4b62eb8aca --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/ssh.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field EMPTY +#unset_field - +#path ssh +#open 2017-02-27-17-27-50 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +F -2 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +T - SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-27-17-27-50 diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index 407ad1c242..d636e12b7c 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -3,6 +3,8 @@ #include #include +#include +#include namespace plugin { namespace Demo_Hooks { Plugin plugin; } } @@ -18,6 +20,9 @@ plugin::Configuration Plugin::Configure() EnableHook(META_HOOK_PRE); EnableHook(META_HOOK_POST); EnableHook(HOOK_BRO_OBJ_DTOR); + EnableHook(HOOK_SETUP_ANALYZER_TREE); + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); plugin::Configuration config; config.name = "Demo::Hooks"; @@ -121,3 +126,134 @@ void Plugin::MetaHookPost(HookType hook, const HookArgumentList& args, HookArgum hook_name(hook), d1.Description(), d2.Description()); } + +void Plugin::HookSetupAnalyzerTree(Connection *conn) + { + ODesc d; + d.SetShort(); + conn->Describe(&d); + + fprintf(stderr, "%.6f %-15s %s\n", network_time, "| HookSetupAnalyzerTree", d.Description()); + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +void Plugin::RenderVal(const threading::Value* val, ODesc &d) const + { + if ( ! val->present ) + { + d.Add(""); + return; + } + + switch ( val->type ) { + + case TYPE_BOOL: + d.Add(val->val.int_val ? "T" : "F"); + break; + + case TYPE_INT: + d.Add(val->val.int_val); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + d.Add(val->val.uint_val); + break; + + case TYPE_PORT: + d.Add(val->val.port_val.port); + break; + + case TYPE_SUBNET: + d.Add(threading::formatter::Formatter::Render(val->val.subnet_val)); + break; + + case TYPE_ADDR: + d.Add(threading::formatter::Formatter::Render(val->val.addr_val)); + break; + + case TYPE_DOUBLE: + d.Add(val->val.double_val, true); + break; + + case TYPE_INTERVAL: + case TYPE_TIME: + d.Add(threading::formatter::Formatter::Render(val->val.double_val)); + break; + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + d.AddN(val->val.string_val.data, val->val.string_val.length); + break; + + case TYPE_TABLE: + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.set_val.vals[j], d); + } + break; + + case TYPE_VECTOR: + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.vector_val.vals[j], d); + } + break; + + default: + assert(false); + } + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + ODesc d; + + d.Add("["); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + const threading::Value* val = vals[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add("="); + + RenderVal(val, d); + } + d.Add("]"); + + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLogWrite", info.path, d.Description()); + return true; + } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index efbd25bc2d..64227c0660 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h @@ -10,17 +10,22 @@ namespace Demo_Hooks { class Plugin : public ::plugin::Plugin { protected: - virtual int HookLoadFile(const std::string& file, const std::string& ext); - virtual std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args); - virtual bool HookQueueEvent(Event* event); - virtual void HookDrainEvents(); - virtual void HookUpdateNetworkTime(double network_time); - virtual void HookBroObjDtor(void* obj); - virtual void MetaHookPre(HookType hook, const HookArgumentList& args); - virtual void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result); + int HookLoadFile(const std::string& file, const std::string& ext) override; + std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args) override; + bool HookQueueEvent(Event* event) override; + void HookDrainEvents() override; + void HookUpdateNetworkTime(double network_time) override; + void HookBroObjDtor(void* obj) override; + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + void HookSetupAnalyzerTree(Connection *conn) override; + void MetaHookPre(HookType hook, const HookArgumentList& args) override; + void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) override; + + void RenderVal(const threading::Value* val, ODesc &d) const; // Overridden from plugin::Plugin. - virtual plugin::Configuration Configure(); + plugin::Configuration Configure() override; }; extern Plugin plugin; diff --git a/testing/btest/plugins/logging-hooks-plugin/.btest-ignore b/testing/btest/plugins/logging-hooks-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc new file mode 100644 index 0000000000..32dd2b17b3 --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc @@ -0,0 +1,60 @@ + +#include "Plugin.h" + +#include +#include +#include +#include + +namespace plugin { namespace Log_Hooks { Plugin plugin; } } + +using namespace plugin::Log_Hooks; + +plugin::Configuration Plugin::Configure() + { + round = 0; + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); + + plugin::Configuration config; + config.name = "Log::Hooks"; + config.description = "Exercises Log hooks"; + config.version.major = 1; + config.version.minor = 0; + return config; + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + round++; + if ( round == 1 ) // do not output line + return false; + else if ( round == 2 ) + vals[0]->val.int_val = 0; + else if ( round == 3 ) + vals[1]->present = false; + + return true; + } diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h new file mode 100644 index 0000000000..12b821c22c --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h @@ -0,0 +1,28 @@ + +#ifndef BRO_PLUGIN_Log_Hooks +#define BRO_PLUGIN_Log_Hooks + +#include + +namespace plugin { +namespace Log_Hooks { + +class Plugin : public ::plugin::Plugin +{ +protected: + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; + +private: + int round; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/logging-hooks.bro b/testing/btest/plugins/logging-hooks.bro new file mode 100644 index 0000000000..f2ca926c06 --- /dev/null +++ b/testing/btest/plugins/logging-hooks.bro @@ -0,0 +1,72 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Log Hooks +# @TEST-EXEC: cp -r %DIR/logging-hooks-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Log::Hooks" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff ssh.log + +redef LogAscii::empty_field = "EMPTY"; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int &optional; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; +} + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + + local empty_set: set[string]; + local empty_vector: vector of string; + + local i = 0; + while ( ++i < 4 ) + Log::write(SSH::LOG, [ + $b=T, + $i=-i, + $e=SSH::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=network_time(), + $iv=100secs, + $s="hurz", + $sc=set(1,2,3,4), + $ss=set("AA", "BB", "CC"), + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); +} From 7f292dc4ad0239d34f6b849a00f37f9c87d822a4 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 2 May 2017 11:51:36 -0700 Subject: [PATCH 230/288] TLS: Fix compile warning (comparison between signed/unsigned). This was introduced with the addition of new TLS1.3 extensions. --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index c85f3205ef..fc4c879e81 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -195,7 +195,7 @@ refine connection Handshake_Conn += { if ( versions_list ) { - for ( int i = 0; i < versions_list->size(); ++i ) + for ( unsigned int i = 0; i < versions_list->size(); ++i ) versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); } @@ -211,7 +211,7 @@ refine connection Handshake_Conn += { if ( mode_list ) { - for ( int i = 0; i < mode_list->size(); ++i ) + for ( unsigned int i = 0; i < mode_list->size(); ++i ) modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); } From ff998dfa435b2063b85b7a6ad4ffa477130f7df5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 3 May 2017 13:14:20 -0700 Subject: [PATCH 231/288] Lessen cluster node of notice suppression. With this commit, the data structure that is transfered for notice suppression is much smaller than before, not including potentially complex data structures like the fa_file record. --- scripts/base/frameworks/notice/cluster.bro | 6 +++--- scripts/base/frameworks/notice/main.bro | 13 +++++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro index 3c3fbc6d36..2a45f957a8 100644 --- a/scripts/base/frameworks/notice/cluster.bro +++ b/scripts/base/frameworks/notice/cluster.bro @@ -21,10 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/; redef Cluster::worker2manager_events += /Notice::cluster_notice/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -event Notice::begin_suppression(n: Notice::Info) +event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, identifier: string) { - local suppress_until = n$ts + n$suppress_for; - suppressing[n$note, n$identifier] = suppress_until; + local suppress_until = ts + suppress_for; + suppressing[note, identifier] = suppress_until; } @endif diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index a203f6a772..aa88c26174 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -261,9 +261,14 @@ export { ## This event is generated when a notice begins to be suppressed. ## - ## n: The record containing notice data regarding the notice type - ## about to be suppressed. - global begin_suppression: event(n: Notice::Info); + ## ts: time indicating then when the notice to be suppressed occured. + ## + ## suppress_for: length of time that this notice should be suppressed. + ## + ## note: The :bro:type:`Notice::Type` of the notice. + ## + ## identifier: The identifier string of the notice that should be suppressed. + global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string); ## A function to determine if an event is supposed to be suppressed. ## @@ -504,7 +509,7 @@ hook Notice::notice(n: Notice::Info) &priority=-5 { local suppress_until = n$ts + n$suppress_for; suppressing[n$note, n$identifier] = suppress_until; - event Notice::begin_suppression(n); + event Notice::begin_suppression(n$ts, n$suppress_for, n$note, n$identifier); } } From a334247478574d130f748d27bbc40328a0415b8d Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 3 May 2017 22:06:24 -0700 Subject: [PATCH 232/288] SCT Validate: make caching a bit less aggressive. This triggers a re-validation of the SCT when the certificate validation status changed. This means that a SCT will show as valid if the certificate chain could be validated and can now be used to determine the correct issuer key hash. --- scripts/policy/protocols/ssl/validate-sct.bro | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index e28b89de88..385621afde 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -116,7 +116,10 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local valid = F; local found_cache = F; - local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source); + if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code ) + validatestring = cat(validatestring, c$ssl$validation_code); + local validate_hash = sha1_hash(validatestring); if ( validate_hash in recently_validated_scts ) { valid = recently_validated_scts[validate_hash]; From ff2c5b93455285c759fd4c88b9bc89e652c8e3d5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 5 May 2017 11:09:47 -0700 Subject: [PATCH 233/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index bedd721378..aadc6d37aa 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit bedd7213784b3f1d2ce10ce73b1a9cf9efdc848a +Subproject commit aadc6d37aa12b9ab50e9b63c5f1dcf4fa1e2a180 From 876f492a355222f8e70a295cb4ca6f444c53c12a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 2 May 2017 13:47:46 -0700 Subject: [PATCH 234/288] OCSP/TLS/SCT: Fix a number of test failures. These were caused by earlier code updates. This commit also removes the ocsp stapling logging script; it was defunctional and the information provided by it wnever really has been especially interesting. --- .../policy/protocols/ssl/ocsp-stapling.bro | 118 ------------------ scripts/test-all-policy.bro | 2 + .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 6 +- testing/btest/Baseline/plugins.hooks/output | 55 ++++++-- .../out | 8 +- .../intel-all.log | 16 +-- .../all-events-no-args.log | 2 + .../all-events.log | 106 +++++++++------- .../ocsp-stapling.log | 10 -- .../policy/protocols/ssl/ocsp-stapling.bro | 6 - 11 files changed, 122 insertions(+), 212 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log delete mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 58e378ab65..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null @@ -1,118 +0,0 @@ -#! Log ocsp stapling information - -module OCSP_STAPLING; - -export { - redef enum Log::ID += { LOG }; - type Info: record { - ## timestamp - ts: time &log; - - ## status type - status_type: count &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## size of this response - size: count &log; - - ## responseStatus - responseStatus: string &log; - - ## responseType - responseType: string &log; - - ## version - version: count &log; - - ## responderID - responderID: string &log; - - ## producedAt - producedAt: string &log; - - ## NOTE: the following are specific to one cert id - ## the above are for one message which may contain - ## several responses - - ## index - idx: count &log &optional; - - ## cert id - cert_id: OCSP::CertId &log &optional; - - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - - ## thisUpdate - thisUpdate: string &log &optional; - - ## nextUpdate - nextUpdate: string &log &optional; - }; -} - -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) - { - local resp: OCSP::Response = ocsp_parse_response(response); - - # TOCHECK: is this right? - local resp_size: count =|response|; - - if (resp?$responses) - { - local num: count = 0; - for (x in resp$responses) - { - num += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $idx = num, - $cert_id = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - Log::write(LOG, resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; - Log::write(LOG, resp_rec_empty); - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]); - } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a022060cd4..7c828241d0 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -34,6 +34,7 @@ @load frameworks/files/entropy-test-all-files.bro #@load frameworks/files/extract-all-files.bro @load frameworks/files/hash-all-files.bro +@load files/x509/log-ocsp.bro @load frameworks/packet-filter/shunt.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro @@ -98,6 +99,7 @@ #@load protocols/ssl/notary.bro @load protocols/ssl/validate-certs.bro @load protocols/ssl/validate-ocsp.bro +@load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index d53b14ce58..52a660261c 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-15-30 +#open 2017-05-02-20-38-47 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -167,4 +168,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2017-02-28-17-15-30 +#close 2017-05-02-20-38-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index e11edefe16..75ef872a95 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-19-41 +#open 2017-05-02-20-39-05 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -284,6 +285,7 @@ scripts/base/init-default.bro scripts/base/protocols/ssl/consts.bro scripts/base/protocols/ssl/main.bro scripts/base/protocols/ssl/mozilla-ca-list.bro + scripts/base/protocols/ssl/ct-list.bro scripts/base/protocols/ssl/files.bro scripts/base/files/x509/__load__.bro scripts/base/files/x509/main.bro @@ -355,4 +357,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2017-02-28-17-19-41 +#close 2017-05-02-20-39-05 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 420d20ae12..a4250da2ca 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -151,7 +151,16 @@ 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> @@ -247,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -523,6 +532,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 @@ -542,6 +552,7 @@ 0.000000 MetaHookPost LoadFile(./consts) -> -1 0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 0.000000 MetaHookPost LoadFile(./contents) -> -1 +0.000000 MetaHookPost LoadFile(./ct-list) -> -1 0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 0.000000 MetaHookPost LoadFile(./debug) -> -1 @@ -868,7 +879,16 @@ 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) @@ -964,7 +984,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1094,7 +1114,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1240,6 +1260,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.ocsp_events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) @@ -1259,6 +1280,7 @@ 0.000000 MetaHookPre LoadFile(./consts) 0.000000 MetaHookPre LoadFile(./consts.bro) 0.000000 MetaHookPre LoadFile(./contents) +0.000000 MetaHookPre LoadFile(./ct-list) 0.000000 MetaHookPre LoadFile(./data.bif.bro) 0.000000 MetaHookPre LoadFile(./dcc-send) 0.000000 MetaHookPre LoadFile(./debug) @@ -1584,7 +1606,16 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) @@ -1680,7 +1711,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1810,7 +1841,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2195,7 +2226,7 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> +1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> 1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -2204,7 +2235,7 @@ 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false +1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false @@ -2220,7 +2251,7 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -2229,7 +2260,7 @@ 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -2246,7 +2277,7 @@ 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -2255,7 +2286,7 @@ 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents -1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index d7c0aef00d..90e5e79ef0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out @@ -60,10 +60,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #4, 1406, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x05z0\x82\x04b\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-user-cert source: SSL MD5: 1bf9696d9f337805383427e88781d001 SHA1: f5ccb1a724133607548b00d8eb402efca3076d58 @@ -73,10 +71,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #5, 1092, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x04@0\x82\x03(\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-ca-cert source: SSL MD5: 48f0e38385112eeca5fc9ffd402eaecd SHA1: 8e8321ca08b08e3726fe1d82996884eeb5f0d655 diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log index 6bb3e47e60..25c032e488 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log @@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/pkix-cert 23.92.19.75:443/tcp -#close 2016-08-05-13-22-37 +1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/x-x509-user-cert 23.92.19.75:443/tcp +#close 2017-05-02-20-45-26 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp +1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/x-x509-user-cert 194.127.84.106:443/tcp 1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FeCwNK3rzqPnZ7eBQ5 - - -1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp +1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/x-x509-user-cert 194.127.84.106:443/tcp 1170717509.082241 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FjkLnG4s34DVZlaBNc - - -1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp +1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/x-x509-user-cert 194.127.84.106:443/tcp 1170717512.108799 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FQXAWgI2FB5STbrff - - -#close 2016-08-05-13-22-38 +#close 2017-05-02-20-45-27 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index 64cbb5f748..8cd2a5e56d 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -173,6 +173,7 @@ 1437831799.764576 file_new 1437831799.764576 file_over_new_connection 1437831799.764576 file_sniff +1437831799.764576 file_hash 1437831799.764576 x509_certificate 1437831799.764576 x509_extension 1437831799.764576 x509_extension @@ -190,6 +191,7 @@ 1437831799.764576 file_new 1437831799.764576 file_over_new_connection 1437831799.764576 file_sniff +1437831799.764576 file_hash 1437831799.764576 x509_certificate 1437831799.764576 x509_extension 1437831799.764576 x509_extension diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index a42b891e6a..70ed522a0d 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -315,7 +315,7 @@ 1254722770.692743 file_sniff [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722770.692743 file_state_remove [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] @@ -359,7 +359,7 @@ 1254722770.692804 file_sniff [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a

\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T] 1254722770.692804 file_state_remove [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] @@ -415,7 +415,7 @@ 1254722771.494181 file_sniff [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] @@ -708,7 +708,7 @@ 1437831787.905375 file_sniff [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1437831787.905375 file_state_remove [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] @@ -844,151 +844,161 @@ [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-user-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 1bf9696d9f337805383427e88781d001 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-ca-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 48f0e38385112eeca5fc9ffd402eaecd 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 @@ -1019,10 +1029,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log deleted file mode 100644 index c8d4c9d8e6..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp-stapling -#open 2015-07-08-21-19-54 -#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time count addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-08-21-19-54 diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 63b7e29e03..0000000000 --- a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null @@ -1,6 +0,0 @@ -# This tests logging of ocsp stapling message - -# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT -# @TEST-EXEC: btest-diff ocsp-stapling.log - -@load protocols/ssl/ocsp-stapling From eb50b3fed1e55cdf8df8320d116cacade0ce2e02 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 11 May 2017 22:50:20 -0700 Subject: [PATCH 235/288] Change end-of-connection handling for validation Move from using CCS (before: established) to just doing certificate validation at the end of the connection. This is (again) more robust in the case of aborted connection. I am moving this into a hook because of the complexity of the end-of-connection handling for SSL. This should probably be extended to not just handle SSL validation, but all other logging constructs that are currently called in _established. --- scripts/base/protocols/ssl/main.bro | 14 ++++++++++++++ scripts/policy/protocols/ssl/validate-certs.bro | 11 +---------- scripts/policy/protocols/ssl/validate-sct.bro | 7 ++----- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index dbe5f2bccd..54ac8548ba 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -103,6 +103,9 @@ export { ## Event that can be handled to access the SSL ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); + + # do everything you want to do right before logging here + global ssl_finishing: hook(c: connection); } redef record connection += { @@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7 c$ssl$established = T; } +event ssl_established(c: connection) &priority=20 + { + hook ssl_finishing(c); + } + event ssl_established(c: connection) &priority=-5 { finish(c, T); } +event connection_state_remove(c: connection) &priority=20 + { + if ( c?$ssl && ! c$ssl$logged ) + hook ssl_finishing(c); + } + event connection_state_remove(c: connection) &priority=-5 { if ( c?$ssl ) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index c50da10380..c2f4e569a2 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result return result; } -# The server issues CCS only after sending the certificates. This should -# be more robust than using SSL_established, on the off chance that we don't -# get that event. -# -# This is not TLSv1.3 compatible - but we will not have certificates in -# that case in any way, so it even saves us a few cycles. -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 +hook ssl_finishing(c: connection) &priority=20 { - if ( is_orig ) - return; - # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 385621afde..bf7d8745bb 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); } -# Priority = 2 will be handled after validation is done -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 +# Priority = 19 will be handled after validation is done +hook ssl_finishing(c: connection) &priority=19 { - if ( is_orig ) - return; - if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; From e1d42ec99ca0dcf79ddc3901a0a58af4fb39c6e0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 09:55:17 -0700 Subject: [PATCH 236/288] SCT validation: fix small memory leak (public keys were not freed) --- src/file_analysis/analyzer/x509/functions.bif | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 80fc3bb9af..478332aecf 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -695,12 +695,15 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); #endif EVP_MD_CTX_destroy(mdctx); + EVP_PKEY_free(key); return new Val(success, TYPE_BOOL); sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); + if (key) + EVP_PKEY_free(key); cerr << errstr << endl; reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); From 7a1ec3501de5e345ceb4678cfbf60d63c9089a92 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 19:38:36 -0700 Subject: [PATCH 237/288] SCT: another memory leak in SCT parsing. --- src/file_analysis/analyzer/x509/X509Common.cc | 1 + src/file_analysis/analyzer/x509/functions.bif | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index 367b7e562a..dba593a3eb 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -213,6 +213,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); } + M_ASN1_OCTET_STRING_free(inner); OPENSSL_free(ext_val_second_pointer); interp->FlowEOF(); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 478332aecf..8212835e2e 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -703,8 +703,8 @@ sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); if (key) - EVP_PKEY_free(key); - cerr << errstr << endl; + EVP_PKEY_free(key); + reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); %} From 8af810e00b265f92556118a02f402a0746490e83 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 19:53:22 -0700 Subject: [PATCH 238/288] SCT: Fix script error when mime type of file unknown. --- scripts/base/protocols/ssl/files.bro | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index b440927381..8750645b36 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -96,6 +96,9 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" || f$info$mime_type == "application/pkix-cert" ) ) return; From 9a75c52726b3eb776561e489f95393023904ac59 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Thu, 18 May 2017 08:41:52 -0400 Subject: [PATCH 239/288] Add nfs unittest. Includes an example for the new nfs_proc_rename. --- .../scripts.base.protocols.nfs.basic/.stdout | 24 +++++++ testing/btest/Traces/nfs/nfs_base.pcap | Bin 0 -> 6794 bytes .../scripts/base/protocols/nfs/basic.test | 66 ++++++++++++++++++ 3 files changed, 90 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout create mode 100644 testing/btest/Traces/nfs/nfs_base.pcap create mode 100755 testing/btest/scripts/base/protocols/nfs/basic.test diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout new file mode 100644 index 0000000000..58d51a773a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout @@ -0,0 +1,24 @@ +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=425, state=3, num_pkts=5, num_bytes_ip=624, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=520, state=3, num_pkts=3, num_bytes_ip=516, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.972795, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.564809, req_dur=0.0, req_len=124, rep_start=1495059608.56485, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_create, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=581, state=3, num_pkts=6, num_bytes_ip=820, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=792, state=3, num_pkts=4, num_bytes_ip=680, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.97641, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.565064, req_dur=0.0, req_len=144, rep_start=1495059608.568465, rep_dur=0.0, rep_len=260, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile], [fh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\w\x1ew\x01]\xb6\x00=, obj_attr=[ftype=NFS3::FTYPE_REG, mode=32768, nlink=1, uid=1628, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=24583799, atime=2044592128.0, mtime=51501766.0, ctime=1495059608.558778], dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=745, state=3, num_pkts=7, num_bytes_ip=1024, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=940, state=3, num_pkts=5, num_bytes_ip=992, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.982349, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.568646, req_dur=0.0, req_len=152, rep_start=1495059608.574404, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_SETATTR +nfs_proc_lookup, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1185, state=3, num_pkts=10, num_bytes_ip=1584, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1388, state=3, num_pkts=8, num_bytes_ip=1588, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.989157, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1495059608.581163, req_dur=0.0, req_len=136, rep_start=1495059608.581212, rep_dur=0.0, rep_len=108, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] +nfs_proc_rename, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1377, state=3, num_pkts=11, num_bytes_ip=1816, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1652, state=3, num_pkts=9, num_bytes_ip=1748, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.991291, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.581412, req_dur=0.0, req_len=180, rep_start=1495059608.583346, rep_dur=0.0, rep_len=252, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [src_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, src_fname=testfile, dst_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, dst_fname=testfile2], [src_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778], dst_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1777, state=3, num_pkts=14, num_bytes_ip=2336, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2008, state=3, num_pkts=12, num_bytes_ip=2364, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.993098, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.585126, req_dur=0.0, req_len=124, rep_start=1495059608.585153, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_remove, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1925, state=3, num_pkts=16, num_bytes_ip=2564, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2156, state=3, num_pkts=13, num_bytes_ip=2528, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.813823, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.400145, req_dur=0.0, req_len=136, rep_start=1495059609.405878, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [dir_pre_attr=[size=0, atime=1495059608.574778, mtime=1495059608.574778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059609.398797, ctime=1495059609.398797]] +nfs_proc_rmdir, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=2057, state=3, num_pkts=18, num_bytes_ip=2776, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2304, state=3, num_pkts=14, num_bytes_ip=2716, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.818272, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.407676, req_dur=0.0, req_len=120, rep_start=1495059609.410327, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x00\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\, fname=test], [dir_pre_attr=[size=4096, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=44, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=128, atime=0.0, mtime=1495059609.402797, ctime=1495059609.402797]] diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1707107c83cbf8998dc026a14ca4bdd542dec621 GIT binary patch literal 6794 zcmc(kdr%cs9LLWtcv%b$4Y@b&O#>f1)DdaMVayz~0W!=X=`ot&;6M|MuK|4KAB3cq z&SY6LsAQI0<)WFxl%^7D0$q!-nWj-ALnFk;=$$MdiH7~Y=kDI_*}JUc2y|wCoZYi` ze|x^?^ZT8%d-&;S%_lMoW?FeTmNAJ=-feQs*r$ZD33Lo&nJ?9(@5kSz`3g&YoW)tM zrLYuB$ke_IR+f?V4{A~*k8|5HmpgiTX1F9Lyn@?M;OiLq8b`-4uNSXJ^2J!3{4;zx zR>KecDN;}q{E)xpnc?iTeJx|<spyCdxsG$>Bz*tnu&3r8S8jM9p zrj4~YLb!^hstWYjsGwbD?CHByj}m_nuAXW&V@nQy5ZO9rphLY-qWyk`qbbY2zvFqW zrgpC2!wrgAWZZy)kY{xqI*7w@L`HnJ<{zVRgnXT#23P=7xAi7`SzLy`h-pMQAB~Df zjG2a#&z@!)T%1=_?0t@O1tRnXDsNXPERA{s(=(Tn2HDSXF4o$gqb?1}~9b-OHX*M}qDz zp+k&{kjH2fihmwUtl-SA_}aVROV{5-FR8x2xZ$y| zc3P#rhO)wX)4BLIXZW?qaQhr$*hvhd4>fRQWmbXV>Xp<>yqiH0tT%E$3~DM!&7br@ zSOBLs`3&dOpySj@oGuZk3yyTI<||bVdTvzE-tGBBKEw16o0~ZL^#w)6^K<6qvBWWj zdBue}^NVH|=g-TVJ+Fv8mztF|DLpmozq>F3iyBPl@;jVom5%2nmwWgD;yEhyNj?JQ zHi4(_U7OxvdzPnPPHM6+4{*z&w|6MaJf*O2s1X*x_zU?gXM9a$Jp6#ixnmVEzT~iS zg=64R=7s$*&@y^!WUbu z^&igcbCKDORWA34G-5XHhg_~`{iDXrv^?yM91PXg-z1URgQ4Bt@vzBB?D*0d{ZBJ~ueXDB7gtr!LSVjaUe zV%SU!J&p|+1u0k^1^6&3zIL8Be%~teV_fTsZ=~Lt+51b(Cb1}q?^c3JQ8n9{AcRn0DUY$L@~%D$OArb_I_F@=$W^>|D{$#hauO%H?Vyyuopv}%7+a_+L9dNUw{u6&ubMKjG0vb?%xhP+%N;i!3_e=s zW#IUq7-(xGl!RR|WzfbM=)OJU#uI~9V(^#7KvmKe18VQaHIQ--J>O0}uOs5HfIQek z!%Wd**{5UBN(^>`!R9HPLD^%*41&og)bv;$Xbk8XqoL*qsi~n8SU@gR%IBcQepk$e zxZNISHGK)O>)IZGs>Xx^RCO;4>Tf?NIQW*?uCYyqf{=+KkLm)KJ3fK-22<=WKsd@q z@-@J25x$m$b+gtM#M$ch2323gwtfv~yMC}STf8M}Y-xY_f%bdvYb}Jb#bZTfOY^<4 z%lE@;<#x`wUE~~}K%D7oiQUw`165^aoH3OA``%#9>S|8J4!2ND*20a}hWNK>-QzWs z1tnQb_J(c2oc{zJ|4!mxNBlFQqO}LZ*NS9|$r@+t!};rSyV~o^CS}}y!#lqYG3MWo zp446ZyV~#Pd&5w2a Date: Mon, 22 May 2017 14:32:59 -0500 Subject: [PATCH 240/288] Fix a race condition in some failing tests The tests that were using the broccoli-v6addrs test program would sometimes fail because broccoli-v6addrs would try to connect to Bro and fail (presumably because Bro hadn't yet fully initialized). Fixed by using the new broccoli-v6addrs "-r" option which will retry upon failure to connect to Bro. --- testing/btest/istate/broccoli-ipv6-socket.bro | 3 +-- testing/btest/istate/broccoli-ipv6.bro | 3 +-- testing/btest/istate/broccoli-ssl.bro | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index 7365999bb0..0c8f1392cb 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro @@ -4,8 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: sleep 3 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro index b4fdfb5fcf..8d56ef196f 100644 --- a/testing/btest/istate/broccoli-ipv6.bro +++ b/testing/btest/istate/broccoli-ipv6.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index 13b17a0b7b..ba510bf595 100644 --- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,8 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: sleep 5 -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs +# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -r # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout From 34551dda155114c2ac989a3b301f55e9e328fb10 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 13:10:26 -0500 Subject: [PATCH 241/288] The broccoli-v6addrs "-r" option was renamed to "-R" --- testing/btest/istate/broccoli-ipv6-socket.bro | 2 +- testing/btest/istate/broccoli-ipv6.bro | 2 +- testing/btest/istate/broccoli-ssl.bro | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index 0c8f1392cb..27df984471 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro @@ -4,7 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r -6 ::1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro index 8d56ef196f..0e360df713 100644 --- a/testing/btest/istate/broccoli-ipv6.bro +++ b/testing/btest/istate/broccoli-ipv6.bro @@ -3,7 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index ba510bf595..fce5ed8535 100644 --- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,7 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -r +# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout From 961c247777261def79b3917d02ebb381f1712fb3 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 13:13:20 -0500 Subject: [PATCH 242/288] Fix a race condition in some failing tests Use the new "-R" option for broccoli-vectors and broping so that they will retry connecting to Bro until the connection is established. This avoids a race condition and eliminates the need for a "sleep" after starting Bro. --- testing/btest/istate/broccoli-vector.bro | 3 +-- testing/btest/istate/broccoli.bro | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/testing/btest/istate/broccoli-vector.bro b/testing/btest/istate/broccoli-vector.bro index ce107f45d3..cf0b0c8642 100644 --- a/testing/btest/istate/broccoli-vector.bro +++ b/testing/btest/istate/broccoli-vector.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-vectors.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro index 2fdd4cbda4..a6427412bf 100644 --- a/testing/btest/istate/broccoli.bro +++ b/testing/btest/istate/broccoli.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -R -r -c 3 127.0.0.1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log # @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log From bd2d559fbf52a8243219a1de9856b685a9cb893a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 14:29:24 -0500 Subject: [PATCH 243/288] Fix race condition causing some tests to fail Removed loading of the "frameworks/communication/listen" script for a couple of tests that don't need this functionality. This was causing failures of some broccoli-related tests in the "istate" test directory due to two instances of Bro trying to listen on the same port. --- .../Baseline/language.expire-expr-error/output | 2 +- testing/btest/language/expire-expr-error.bro | 14 ++++++-------- testing/btest/language/expire-redef.bro | 2 -- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output index 544527fe23..cf43dd4c80 100644 --- a/testing/btest/Baseline/language.expire-expr-error/output +++ b/testing/btest/Baseline/language.expire-expr-error/output @@ -1,2 +1,2 @@ -error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 7: no such index (x[kaputt]) +error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt]) received termination signal diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro index c355bd58ed..7c9a3aa318 100644 --- a/testing/btest/language/expire-expr-error.bro +++ b/testing/btest/language/expire-expr-error.bro @@ -1,13 +1,12 @@ -# @TEST-EXEC: btest-bg-run broproc bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 5 -# @TEST-EXEC: cat broproc/.stderr > output +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: cp .stderr output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output +redef exit_only_after_terminate = T; + global x: table[string] of interval; global data: table[int] of string &create_expire=x["kaputt"]; -@load frameworks/communication/listen - global runs = 0; event do_it() { @@ -16,6 +15,8 @@ event do_it() ++runs; if ( runs < 4 ) schedule 1sec { do_it() }; + else + terminate(); } @@ -24,6 +25,3 @@ event bro_init() &priority=-10 data[0] = "some data"; schedule 1sec { do_it() }; } - - - diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index f08ac8d3f2..6bf43ae98a 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -3,8 +3,6 @@ redef exit_only_after_terminate = T; -@load frameworks/communication/listen - const exp_val = -1sec &redef; global expired: function(tbl: table[int] of string, idx: int): interval; From 361a5dc2d8eb27e1f6b88f7fe4fbbae5c4a2e62a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 21:25:01 -0500 Subject: [PATCH 244/288] Serialize tests that load listen.bro Tests that load "frameworks/communication/listen" must be serialized to prevent other tests failing due to multiple Bro instances trying to listen on the same port. --- testing/btest/doc/broxygen/identifier.bro | 1 + testing/btest/doc/broxygen/package.bro | 1 + testing/btest/doc/broxygen/package_index.bro | 1 + testing/btest/doc/broxygen/script_index.bro | 1 + testing/btest/doc/broxygen/script_summary.bro | 1 + 5 files changed, 5 insertions(+) diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro index 3768b0c0c6..db5c2528ee 100644 --- a/testing/btest/doc/broxygen/identifier.bro +++ b/testing/btest/doc/broxygen/identifier.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro index 6857d5e646..fd75a1ce21 100644 --- a/testing/btest/doc/broxygen/package.bro +++ b/testing/btest/doc/broxygen/package.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro index e29479d49f..ef6cc4ab29 100644 --- a/testing/btest/doc/broxygen/package_index.bro +++ b/testing/btest/doc/broxygen/package_index.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro index 91bb4b756f..86e1909863 100644 --- a/testing/btest/doc/broxygen/script_index.bro +++ b/testing/btest/doc/broxygen/script_index.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index 9d3cda012b..a7aafc65a0 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst From e9102f3de4d261eba3a7d9a54b4f673c73989beb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 21:28:56 -0500 Subject: [PATCH 245/288] Remove loading of listen.bro in tests that do not need it Removed the loading of "frameworks/communication/listen" from some tests that don't need that functionality. This is to avoid serializing these tests. --- testing/btest/scripts/base/frameworks/intel/expire-item.bro | 5 ++++- testing/btest/scripts/base/frameworks/intel/match-subnet.bro | 2 +- .../scripts/base/frameworks/intel/remove-non-existing.bro | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index dd915b3a03..690a461ea4 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro @@ -9,9 +9,10 @@ 1.2.3.4 Intel::ADDR source1 this host is bad http://some-data-distributor.com/1 # @TEST-END-FILE -@load frameworks/communication/listen @load frameworks/intel/do_expire +redef exit_only_after_terminate = T; + redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; redef Intel::item_expiration = 9sec; @@ -44,6 +45,8 @@ event do_it() if ( runs < 6 ) schedule 3sec { do_it() }; + else + terminate(); } event Intel::match(s: Intel::Seen, items: set[Intel::Item]) diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro index 1e25868de1..8e3fe74116 100644 --- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro +++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro @@ -14,7 +14,7 @@ 192.168.128.0/18 Intel::SUBNET source1 this subnetwork might be baaad http://some-data-distributor.com/5 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro index 379d132834..1885f5bcf8 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro @@ -9,7 +9,7 @@ 192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; From 23d93a321332f0ad6960028b6fb4e79f2b7a2e3d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 25 May 2017 18:39:31 -0500 Subject: [PATCH 246/288] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- cmake | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/aux/binpac b/aux/binpac index 0f1ecfa972..dddc652ca5 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd +Subproject commit dddc652ca58494d45325db230af3bd1ad985d75a diff --git a/aux/bro-aux b/aux/bro-aux index 51bf79d3fc..96c685beab 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 51bf79d3fc78b5e86c554afe7c24c44b025aa67f +Subproject commit 96c685beab556ff22976edc7457fe83b099a5c95 diff --git a/aux/broccoli b/aux/broccoli index ed52e3414b..ab3bea3859 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 +Subproject commit ab3bea38593341607e129f85685908ba41ab1d58 diff --git a/aux/broctl b/aux/broctl index aadc6d37aa..40185aa916 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit aadc6d37aa12b9ab50e9b63c5f1dcf4fa1e2a180 +Subproject commit 40185aa91647b3b9ac4a554e393ade3c78fe31b5 diff --git a/aux/broker b/aux/broker index 23def70c44..ff067419c4 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 23def70c44128d19138029615dd154359286e111 +Subproject commit ff067419c4f973d3d044bfea3450bd517d801c9f diff --git a/aux/btest b/aux/btest index 54b92381c1..32d6614502 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 54b92381c1c133376c2c85eeb53b32b068f51067 +Subproject commit 32d66145027c8da54a38ebdcc33d32881a2d041d diff --git a/aux/plugins b/aux/plugins index 5724f8edcc..f22a6636c8 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 5724f8edcc2b323062715dac8eec4affe1f96696 +Subproject commit f22a6636c8b40bec7de3695821ad8ca7489e9223 diff --git a/cmake b/cmake index d29fbf6152..fbb347b3ac 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit d29fbf6152e54fbb536910af02a80874b1917311 +Subproject commit fbb347b3ac09a78c227bb00e3971bf9888f2be55 From 368a50ed6de25bd973d51ab622463bac1f2b9c92 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 26 May 2017 08:29:12 -0500 Subject: [PATCH 247/288] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- cmake | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/binpac b/aux/binpac index dddc652ca5..b44734a02f 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit dddc652ca58494d45325db230af3bd1ad985d75a +Subproject commit b44734a02f8ab050d43bac3148f35079608081f1 diff --git a/aux/bro-aux b/aux/bro-aux index 96c685beab..eef5ddea2f 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 96c685beab556ff22976edc7457fe83b099a5c95 +Subproject commit eef5ddea2f8e928418d0e65ff0b3c3b0d039d7a7 diff --git a/aux/broccoli b/aux/broccoli index ab3bea3859..6a8464ff42 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit ab3bea38593341607e129f85685908ba41ab1d58 +Subproject commit 6a8464ff42fbfb5e060102d74f1467cadd645061 diff --git a/aux/broctl b/aux/broctl index 40185aa916..a37ddbcf0b 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 40185aa91647b3b9ac4a554e393ade3c78fe31b5 +Subproject commit a37ddbcf0b5f73a9289d421514a48b7fc8862d2f diff --git a/aux/broker b/aux/broker index ff067419c4..4a851db8a3 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit ff067419c4f973d3d044bfea3450bd517d801c9f +Subproject commit 4a851db8a3c51f74827dd7488305dccf6dcd34a7 diff --git a/cmake b/cmake index fbb347b3ac..79f2b2e944 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit fbb347b3ac09a78c227bb00e3971bf9888f2be55 +Subproject commit 79f2b2e944da77774675be4d5254156451967371 From 1ad5b12ef8fd13846574054e9fc212578131c3af Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 14:41:03 -0700 Subject: [PATCH 248/288] Fix at_least in Version.bro. at_least did extactly the opposite from what it said. --- scripts/base/misc/version.bro | 2 +- testing/btest/scripts/base/misc/version.bro | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.bro index 259b7b1127..1dce1310df 100644 --- a/scripts/base/misc/version.bro +++ b/scripts/base/misc/version.bro @@ -86,5 +86,5 @@ export { function at_least(version_string: string): bool { - return Version::parse(version_string)$version_number >= Version::number; + return Version::number >= Version::parse(version_string)$version_number; } diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.bro index cd19f0ee30..238003f10d 100644 --- a/testing/btest/scripts/base/misc/version.bro +++ b/testing/btest/scripts/base/misc/version.bro @@ -36,6 +36,6 @@ print "yup"; print "yup"; @endif -@if ( Version::at_least("2.4") ) +@if ( Version::at_least("2.9") ) print "no"; @endif From f5d9f1847f514e23da19b216775f4089f9a2bf07 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 14:41:38 -0700 Subject: [PATCH 249/288] Remove non-existing links; this broke documentation build. --- doc/components/bro-plugins/af_packet/README.rst | 1 - doc/components/bro-plugins/postgresql/README.rst | 1 - doc/components/bro-plugins/tcprs/README.rst | 1 - 3 files changed, 3 deletions(-) delete mode 120000 doc/components/bro-plugins/af_packet/README.rst delete mode 120000 doc/components/bro-plugins/postgresql/README.rst delete mode 120000 doc/components/bro-plugins/tcprs/README.rst diff --git a/doc/components/bro-plugins/af_packet/README.rst b/doc/components/bro-plugins/af_packet/README.rst deleted file mode 120000 index b8f745bed2..0000000000 --- a/doc/components/bro-plugins/af_packet/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/af_packet/README \ No newline at end of file diff --git a/doc/components/bro-plugins/postgresql/README.rst b/doc/components/bro-plugins/postgresql/README.rst deleted file mode 120000 index b8c815c45b..0000000000 --- a/doc/components/bro-plugins/postgresql/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/postgresql/README \ No newline at end of file diff --git a/doc/components/bro-plugins/tcprs/README.rst b/doc/components/bro-plugins/tcprs/README.rst deleted file mode 120000 index c0e84fd579..0000000000 --- a/doc/components/bro-plugins/tcprs/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/tcprs/README \ No newline at end of file From 046f3686222fc24f691554977379ca4eb3860622 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 15:16:49 -0700 Subject: [PATCH 250/288] Update version and submodules. --- CHANGES | 7 +++++++ VERSION | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- 9 files changed, 15 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index da80c4ca99..188e22466b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-152 | 2017-06-05 15:16:49 -0700 + + * Remove non-existing links; this broke documentation build. (Johanna Amann) + + * Fix at_least in Version.bro - it did exactly the oposite of the documented + behavior. (Johanna Amann) + 2.5-147 | 2017-05-22 20:32:32 -0500 * Add nfs unittest. (Julien Wallior) diff --git a/VERSION b/VERSION index 1babd71178..3916e2d327 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-147 +2.5-152 diff --git a/aux/binpac b/aux/binpac index b44734a02f..27356ae52f 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit b44734a02f8ab050d43bac3148f35079608081f1 +Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704 diff --git a/aux/bro-aux b/aux/bro-aux index eef5ddea2f..8c2366edfc 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit eef5ddea2f8e928418d0e65ff0b3c3b0d039d7a7 +Subproject commit 8c2366edfca18b6a6f4ec3c7be372ef1167f58bb diff --git a/aux/broccoli b/aux/broccoli index 6a8464ff42..1f22ba3716 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 6a8464ff42fbfb5e060102d74f1467cadd645061 +Subproject commit 1f22ba3716b2778ddaba3f73437a6126875d3278 diff --git a/aux/broctl b/aux/broctl index a37ddbcf0b..84ac6aff36 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a37ddbcf0b5f73a9289d421514a48b7fc8862d2f +Subproject commit 84ac6aff368ed166a0c6f7f11b2749f4356bfd78 diff --git a/aux/broker b/aux/broker index 4a851db8a3..862c982f35 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 4a851db8a3c51f74827dd7488305dccf6dcd34a7 +Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb diff --git a/aux/btest b/aux/btest index 32d6614502..e638fc65aa 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 32d66145027c8da54a38ebdcc33d32881a2d041d +Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a diff --git a/aux/plugins b/aux/plugins index f22a6636c8..ee7429eb04 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit f22a6636c8b40bec7de3695821ad8ca7489e9223 +Subproject commit ee7429eb042806cb814dc910a0e59b641012e1fe From a69f5adc6480b572d185a0840d1a94d327cf0a74 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 6 Jun 2017 13:17:23 -0700 Subject: [PATCH 251/288] Update submodules [nomail] --- aux/bro-aux | 2 +- aux/broctl | 2 +- aux/plugins | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 8c2366edfc..43f4b90bba 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 8c2366edfca18b6a6f4ec3c7be372ef1167f58bb +Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 diff --git a/aux/broctl b/aux/broctl index 84ac6aff36..520fbc6060 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 84ac6aff368ed166a0c6f7f11b2749f4356bfd78 +Subproject commit 520fbc60602d08298ba5c14046c342e44592c44c diff --git a/aux/plugins b/aux/plugins index ee7429eb04..d96471bcec 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit ee7429eb042806cb814dc910a0e59b641012e1fe +Subproject commit d96471bcec84b45d3578ec2bacaa9b3e824838e7 From 7e651c252c6d8c1db92851d707118c4490be6d27 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 10:59:38 -0700 Subject: [PATCH 252/288] Update submodule [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index d96471bcec..00d039442b 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit d96471bcec84b45d3578ec2bacaa9b3e824838e7 +Subproject commit 00d039442b97ba545e6020200d96a3cba9d9181b From 303c50e86762ccc261c8ab4d26429f22f7532d7c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 11:01:24 -0700 Subject: [PATCH 253/288] Remove link to no longer existing myricom plugin. --- doc/components/bro-plugins/myricom/README.rst | 1 - 1 file changed, 1 deletion(-) delete mode 120000 doc/components/bro-plugins/myricom/README.rst diff --git a/doc/components/bro-plugins/myricom/README.rst b/doc/components/bro-plugins/myricom/README.rst deleted file mode 120000 index 3bfabcdae3..0000000000 --- a/doc/components/bro-plugins/myricom/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/myricom/README \ No newline at end of file From 251ed3a4d9c0e1e76c9f8c01a427d6f7b96225d0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 11:01:56 -0700 Subject: [PATCH 254/288] Add 2.5.1 news file to master. --- CHANGES | 8 +++++++- NEWS | 45 +++++++++++++++++++++++++++++++++++++++++---- VERSION | 2 +- 3 files changed, 49 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 188e22466b..5fffea3198 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,16 @@ +2.5-156 | 2017-06-13 11:01:56 -0700 + + * Add 2.5.1 news file to master. (Johanna Amann) + + * Remove link to no longer existing myricom plugin. (Johanna Amann) + 2.5-152 | 2017-06-05 15:16:49 -0700 * Remove non-existing links; this broke documentation build. (Johanna Amann) * Fix at_least in Version.bro - it did exactly the oposite of the documented - behavior. (Johanna Amann) + behavior. (Johanna Amann) 2.5-147 | 2017-05-22 20:32:32 -0500 diff --git a/NEWS b/NEWS index 7fbc7cfd4f..8333ccf7f8 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,35 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) -Bro 2.6 -======= +Bro 2.5.1 +========= + +New Functionality +----------------- + +- Bro now includes bifs for rename, unlink, and rmdir. + +- Bro now includes events for two extensions used by TLS 1.3: + ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes + +- Bro now includes hooks that can be used to interact with log processing + on the C++ level. + +- Bro now supports ERSPAN. Currently this ignores the ethernet header that is + carried over the tunnel; if a MAC is logged currently only the outer MAC + is returned. + +- Added a new BroControl option CrashExpireInterval to enable + "broctl cron" to remove crash directories that are older than the + specified number of days (the default value is 0, which means crash + directories never expire). + +- Added a new BroControl option MailReceivingPackets to control + whether or not "broctl cron" will mail a warning when it notices + that no packets were seen on an interface. + +- There is a new broctl command-line option "--version" which outputs + the BroControl version. Changed Functionality --------------------- @@ -13,10 +40,20 @@ Changed Functionality - The input framework's Ascii reader is now more resilient. If an input is marked to reread a file when it changes and the file didn't exist during a check Bro would stop watching the file in previous versions. - The same could happen with bad data in a line of a file. These - situations do not cause Bro to stop watching input files anymore. The + The same could happen with bad data in a line of a file. These + situations do not cause Bro to stop watching input files anymore. The old behavior is available through settings in the Ascii reader. +- The RADIUS scripts have been reworked. Requests are now logged even if + there is no response. The new framed_addr field in the log indicates + if the radius server is hinting at an address for the client. The ttl + field indicates how quickly the server is replying to the network access + server. + +- With the introduction of the Bro package manager, the Bro plugin repository + is considered deprecated. The af_packet, postgresql, and tcprs plugins have + already been removed and are available via bro-pkg. + Bro 2.5 ======= diff --git a/VERSION b/VERSION index 3916e2d327..6d510ac694 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-152 +2.5-156 From 81af7887312b788e5be0b369b9122b275ca79322 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 14 Jun 2017 07:27:22 -0700 Subject: [PATCH 255/288] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 43f4b90bba..2c197c72c5 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 +Subproject commit 2c197c72c53aca61a2d9c501795c185c2be6b4dd diff --git a/aux/broccoli b/aux/broccoli index 1f22ba3716..c3c44cbcaa 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 1f22ba3716b2778ddaba3f73437a6126875d3278 +Subproject commit c3c44cbcaaab4c1b544672940d8403f30730af37 diff --git a/aux/broctl b/aux/broctl index 520fbc6060..d3e6cdfba4 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 520fbc60602d08298ba5c14046c342e44592c44c +Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723 From ff4caaf50a0760e48269a53d1e70eb80aefd7ca4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 14 Jun 2017 07:32:34 -0700 Subject: [PATCH 256/288] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- aux/broccoli | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 2c197c72c5..43f4b90bba 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 2c197c72c53aca61a2d9c501795c185c2be6b4dd +Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 diff --git a/aux/broccoli b/aux/broccoli index c3c44cbcaa..25907f6b0a 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit c3c44cbcaaab4c1b544672940d8403f30730af37 +Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0 From b527a9870da02e053e08803083f271b6f5eb28c1 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 27 Jun 2017 14:54:48 -0700 Subject: [PATCH 257/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index d3e6cdfba4..6682931a58 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723 +Subproject commit 6682931a58a652d52bb166caaf59bf875d43403e From a51047ec6d8c6ae55612557b96b0f7b252576f3c Mon Sep 17 00:00:00 2001 From: balintm Date: Tue, 4 Jul 2017 10:42:18 +0100 Subject: [PATCH 258/288] padding comes before flags I am not able to find it in RFC, but all of the pcaps I came across (https://wiki.wireshark.org/SampleCaptures) contain padding in-front of flags. --- src/analyzer/protocol/krb/krb-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index a237f6b0fa..0b336b3024 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -136,8 +136,8 @@ type KRB_AP_REQ(is_orig: bool) = record { type KRB_AP_Options = record { meta : SequenceElement(false); + : padding[meta.meta.length - 4]; flags : uint32; - : padding[1]; } &let { reserved : bool = (flags & 0x80000000) > 0; use_session_key : bool = (flags & 0x40000000) > 0; From cc90b24b1d35bd9aa0735e27b93a0f1143c77bfc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 6 Jul 2017 11:13:24 -0700 Subject: [PATCH 259/288] Add new cipher suites from draft-ietf-tls-ecdhe-psk-aead-05 --- scripts/base/protocols/ssl/consts.bro | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 9d9460906a..b95d299dca 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -600,6 +600,11 @@ export { const TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC; const TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD; const TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE; + # draft-ietf-tls-ecdhe-psk-aead-05 + const TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001; + const TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004; const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; @@ -978,6 +983,10 @@ export { [TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256", [SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA", [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", From 83ebdb65a90695e32fd472157613704b62eeae5a Mon Sep 17 00:00:00 2001 From: balintm Date: Fri, 7 Jul 2017 11:31:58 +0100 Subject: [PATCH 260/288] Update krb-protocol.pac --- src/analyzer/protocol/krb/krb-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index 0b336b3024..8f68bebe0d 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -136,7 +136,7 @@ type KRB_AP_REQ(is_orig: bool) = record { type KRB_AP_Options = record { meta : SequenceElement(false); - : padding[meta.meta.length - 4]; + : padding[1]; flags : uint32; } &let { reserved : bool = (flags & 0x80000000) > 0; From d7e9060f96da2458abb54fb65b36a13f06e847b1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 7 Jul 2017 14:05:14 -0500 Subject: [PATCH 261/288] Update install instructions for Debian 9 --- doc/install/install.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/install/install.rst b/doc/install/install.rst index 35a38da27b..e7ff45b4fe 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -60,6 +60,9 @@ To install the required dependencies, you can use: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev + In order to build Bro on Debian 9, install ``libssl1.0-dev`` instead + of ``libssl-dev``. + * FreeBSD: Most required dependencies should come with a minimal FreeBSD install From c76fc7107751d4e477a852ca5cdd15f4086fc691 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 12:41:27 -0700 Subject: [PATCH 262/288] Updating submodule. --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 6682931a58..5e0abd85c3 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 6682931a58a652d52bb166caaf59bf875d43403e +Subproject commit 5e0abd85c33ae412d818ebae7d0a2db1033ba7e4 From 94192989e78400b2f6912f7235090ec62bc42785 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 13:48:15 -0700 Subject: [PATCH 263/288] Removing aux/plugins. Most of the plugins are now Bro packages. --- CHANGES | 7 +++++++ NEWS | 13 +++++++++++++ VERSION | 2 +- aux/plugins | 1 - 4 files changed, 21 insertions(+), 2 deletions(-) delete mode 160000 aux/plugins diff --git a/CHANGES b/CHANGES index 0b28edd582..786faa0070 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-174 | 2017-07-07 12:56:23 -0700 + + * Removing aux/plugins. Most of the plugins are now Bro packages. + (Robin Sommer) + + * Update install instructions for Debian 9. (Daniel Thayer) + 2.5-170 | 2017-07-07 12:20:19 -0700 * Update krb-protocol.pac (balintm) diff --git a/NEWS b/NEWS index 8333ccf7f8..a884f4fe5a 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) + +Bro 2.6 (in progress) +===================== + +Removed Functionality +--------------------- + +- We no longer maintain any Bro plugins as part of the Bro + distribution. Most of the plugins that used be in aux/plugins have + been moved over to use the Bro Package Manager instead. See + https://github.com/bro/packages for a list of Bro packages currently + available. + Bro 2.5.1 ========= diff --git a/VERSION b/VERSION index f12955e154..1c98aeab0b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-170 +2.5-174 diff --git a/aux/plugins b/aux/plugins deleted file mode 160000 index 00d039442b..0000000000 --- a/aux/plugins +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 00d039442b97ba545e6020200d96a3cba9d9181b From ffa7480ce4ad9621ef6eaec7e3e02f5a44e05485 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 14:34:41 -0700 Subject: [PATCH 264/288] Fix documentation build. (I had these locally, but not yet commited.) --- CHANGES | 2 +- VERSION | 2 +- doc/components/bro-plugins/README.rst | 1 - doc/components/bro-plugins/elasticsearch/README.rst | 1 - doc/components/bro-plugins/kafka/README.rst | 1 - doc/components/bro-plugins/netmap/README.rst | 1 - doc/components/bro-plugins/pf_ring/README.rst | 1 - doc/components/bro-plugins/redis/README.rst | 1 - doc/frameworks/logging.rst | 9 ++------- 9 files changed, 4 insertions(+), 15 deletions(-) delete mode 120000 doc/components/bro-plugins/README.rst delete mode 120000 doc/components/bro-plugins/elasticsearch/README.rst delete mode 120000 doc/components/bro-plugins/kafka/README.rst delete mode 120000 doc/components/bro-plugins/netmap/README.rst delete mode 120000 doc/components/bro-plugins/pf_ring/README.rst delete mode 120000 doc/components/bro-plugins/redis/README.rst diff --git a/CHANGES b/CHANGES index 786faa0070..a83787e209 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-174 | 2017-07-07 12:56:23 -0700 +2.5-175 | 2017-07-07 14:35:11 -0700 * Removing aux/plugins. Most of the plugins are now Bro packages. (Robin Sommer) diff --git a/VERSION b/VERSION index 1c98aeab0b..457b1c34f4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-174 +2.5-175 diff --git a/doc/components/bro-plugins/README.rst b/doc/components/bro-plugins/README.rst deleted file mode 120000 index 8f96f50909..0000000000 --- a/doc/components/bro-plugins/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/plugins/README \ No newline at end of file diff --git a/doc/components/bro-plugins/elasticsearch/README.rst b/doc/components/bro-plugins/elasticsearch/README.rst deleted file mode 120000 index 8a5b78d689..0000000000 --- a/doc/components/bro-plugins/elasticsearch/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/elasticsearch/README \ No newline at end of file diff --git a/doc/components/bro-plugins/kafka/README.rst b/doc/components/bro-plugins/kafka/README.rst deleted file mode 120000 index 6ca2195f17..0000000000 --- a/doc/components/bro-plugins/kafka/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/kafka/README \ No newline at end of file diff --git a/doc/components/bro-plugins/netmap/README.rst b/doc/components/bro-plugins/netmap/README.rst deleted file mode 120000 index 819a2bb0e9..0000000000 --- a/doc/components/bro-plugins/netmap/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/netmap/README \ No newline at end of file diff --git a/doc/components/bro-plugins/pf_ring/README.rst b/doc/components/bro-plugins/pf_ring/README.rst deleted file mode 120000 index 5ea666e8c9..0000000000 --- a/doc/components/bro-plugins/pf_ring/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/pf_ring/README \ No newline at end of file diff --git a/doc/components/bro-plugins/redis/README.rst b/doc/components/bro-plugins/redis/README.rst deleted file mode 120000 index c42051828e..0000000000 --- a/doc/components/bro-plugins/redis/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/redis/README \ No newline at end of file diff --git a/doc/frameworks/logging.rst b/doc/frameworks/logging.rst index a5128da202..bcd84dde2b 100644 --- a/doc/frameworks/logging.rst +++ b/doc/frameworks/logging.rst @@ -532,10 +532,5 @@ Bro supports the following additional built-in output formats: logging-input-sqlite -Additional writers are available as external plugins: - -.. toctree:: - :maxdepth: 1 - - ../components/bro-plugins/README - +Additional writers are available as external plugins through the `Bro +Package Manager `_. From 8ae30d8aac22e6c972ba6d3c365de5c6469e41b9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 15:44:53 -0700 Subject: [PATCH 265/288] Extend plugin infrastructure to catch Bro version mismatches at link time. People keep running into the problem that they upgrade Bro but forget to recompile their plugins--which can lead to crashes. While the plugins' API version was supposed to catch this, it's not reliable as that check may come too late. This change takes a different tack: We compile a C function into the Bro binary that has Bro's version number encoded into its name. A plugin can then reference that function. If the Bro version changes, the function goes away and the plugin won't load anymore. I've integrated that function reference into the plugin skeleton code so that new plugins get it automatically (unless explicitly removed). I couldn't see a way to do it transparently for already existing plugins unfortunately. The version number used for the function name is slightly normalized to skip any git revision postfixes (i.e., "2.5-xxx" is always treated as "2.5-git") so that one doesn't need to recompile all plugins after every master commit. That seems good enough, usually people run into this when upgrading to a new release. If one loads an old plugin into a new Bro, the error message looks like this: $ bro -NN Demo::Foo fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: cannot load plugin library /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: undefined symbol: bro_version_2_5_git_debug Not the prettiest, but better than a crash! TODO: I'm still unsure if we should remove the plugin API version altogetger now. This link-time check should catch everything the API version does, except for master commits. --- CMakeLists.txt | 9 +++++++++ aux/bro-aux | 2 +- bro-config.h.in | 11 +++++++++++ src/plugin/Plugin.h | 9 +++++++++ src/version.c.in | 12 ++++++++++++ 5 files changed, 42 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5a7fba482e..29643c7b84 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,12 +40,21 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) + string(REPLACE "." " " version_numbers ${VERSION}) separate_arguments(version_numbers) list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") +set(VERSION_C_IDENT "${VERSION}") +string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}") +string(REGEX REPLACE "[^a-zA-Z0-9_]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") + +if(${ENABLE_DEBUG}) + set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug") +endif() + ######################################################################## ## Dependency Configuration diff --git a/aux/bro-aux b/aux/bro-aux index 43f4b90bba..7a38763d7a 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 +Subproject commit 7a38763d7a687dc8974bf6fd212dc75ba4a4b23c diff --git a/bro-config.h.in b/bro-config.h.in index 290dd31cae..003eea88b7 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -229,3 +229,14 @@ #ifndef BRO_PLUGIN_INTERNAL_BUILD #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@ #endif + +/* A C function that has the Bro version encoded into its name. */ +#define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@ +#ifdef __cplusplus +extern "C" { +#endif +extern const char* BRO_VERSION_FUNCTION(); +#ifdef __cplusplus +} +#endif + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index aabec22bc4..37f2064644 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -18,6 +18,8 @@ #define BRO_PLUGIN_API_VERSION 5 #endif +#define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION + class ODesc; class Func; class Event; @@ -93,6 +95,12 @@ public: // strong hint.). The attribute seems generally available. inline Configuration() __attribute__((always_inline)); + /** + * One can assign BRO_PLUGIN_BRO_VERSION to this to catch + * version mismatches at link(!) time. + */ + const char* (*bro_version)(); + private: friend class Plugin; int api_version; // Current BRO_PLUGIN_API_VERSION. Automatically set. @@ -103,6 +111,7 @@ inline Configuration::Configuration() name = ""; description = ""; api_version = BRO_PLUGIN_API_VERSION; + bro_version = 0; } /** diff --git a/src/version.c.in b/src/version.c.in index 86c4b16f24..65df65da00 100644 --- a/src/version.c.in +++ b/src/version.c.in @@ -1 +1,13 @@ + +#include "bro-config.h" + char version[] = "@VERSION@"; + +// A C function that has the current version built into its name. +// One can link a shared library against this to ensure that it won't +// load if the version of the main Bro binary differs compared to +// what the library was compiled against. +const char* BRO_VERSION_FUNCTION() +{ + return "@VERSION_C_IDENT@"; +} From a630c61f176944b7364a16bfe990f8a300334893 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 11 Jul 2017 09:56:33 -0700 Subject: [PATCH 266/288] Remove another reference to now removed bro-plugins. --- doc/components/index.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/components/index.rst b/doc/components/index.rst index 85527e9f9c..c1feda4a61 100644 --- a/doc/components/index.rst +++ b/doc/components/index.rst @@ -21,7 +21,6 @@ current, independent component releases. Broker - User Manual BroControl - Interactive Bro management shell Bro-Aux - Small auxiliary tools for Bro - Bro-Plugins - A collection of plugins for Bro BTest - A unit testing framework Capstats - Command-line packet statistic tool PySubnetTree - Python module for CIDR lookups From 00d7e3a013bc677ca0b6998da5d2ccdd69285d32 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 11 Jul 2017 09:57:31 -0700 Subject: [PATCH 267/288] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 5e0abd85c3..97e3f40646 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5e0abd85c33ae412d818ebae7d0a2db1033ba7e4 +Subproject commit 97e3f40646c1a68ba35bcf6cf30237e1ba0dbe6e From 71c9945f266096e1e375461758ade515e9336692 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 13 Jul 2017 02:22:03 -0400 Subject: [PATCH 268/288] Several fixes and improvements for software version parsing. - Addresses Philip Romero's question from the Bro mailing list. - Adds Microsoft Edge as a detected browser. - We are now unescaping encoded characters in software names. --- scripts/base/frameworks/software/main.bro | 39 +++++++++- .../output | 77 ++++++++++--------- .../frameworks/software/version-parsing.bro | 11 +++ 3 files changed, 87 insertions(+), 40 deletions(-) diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 0c1c4cd302..a3a15a2db8 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -84,6 +84,16 @@ export { ## is compared lexicographically. global cmp_versions: function(v1: Version, v2: Version): int; + ## Sometimes software will expose itself on the network with + ## slight naming variations. This table provides a mechanism + ## for a piece of software to be renamed to a single name + ## even if it exposes itself with an alternate name. The + ## yielded string is the name that will be logged and generally + ## used for everything. + global alternate_names: table[string] of string { + ["Flash Player"] = "Flash", + } &default=function(a: string): string { return a; }; + ## Type to represent a collection of :bro:type:`Software::Info` records. ## It's indexed with the name of a piece of software such as "Firefox" ## and it yields a :bro:type:`Software::Info` record with more @@ -125,7 +135,7 @@ function parse(unparsed_version: string): Description local v: Version; # Parse browser-alike versions separately - if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) + if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version ) { return parse_mozilla(unparsed_version); } @@ -133,11 +143,17 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + local clean_unparsed_version = gsub(unparsed_version, /\\x/, "%"); + clean_unparsed_version = unescape_URI(clean_unparsed_version); + local version_parts = split_string_n(clean_unparsed_version, /([\/\-_]|( [\(v]+))?[0-9\-\._, ]{2,}/, T, 1); if ( 0 in version_parts ) { + # Remove any bits of junk at end of first part. + if ( /([\/\-_]|( [\(v]+))$/ in version_parts[0] ) + version_parts[0] = strip(sub(version_parts[0], /([\/\-_]|( [\(v]+))/, "")); + if ( /^\(/ in version_parts[0] ) - software_name = strip(sub(version_parts[0], /[\(]/, "")); + software_name = strip(sub(version_parts[0], /\(/, "")); else software_name = strip(version_parts[0]); } @@ -192,7 +208,7 @@ function parse(unparsed_version: string): Description } } - return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; + return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]]; } @@ -227,6 +243,13 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Edge\// in unparsed_version ) + { + software_name="Edge"; + parts = split_string_all(unparsed_version, /Edge\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; + } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; @@ -280,6 +303,14 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Flash%20Player/ in unparsed_version ) + { + software_name = "Flash"; + parts = split_string_all(unparsed_version, /[\/ ]/); + if ( 2 in parts ) + v = parse(parts[2])$version; + } + else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version ) { software_name = "AdobeAIR"; diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output index 956b5a86e4..6f59b224b3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output @@ -1,46 +1,12 @@ -success on: wu-2.4.2-academ[BETA-18-VR14](1) -success on: Python-urllib/3.1 -success on: libwww-perl/5.820 -success on: Apache -success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 -success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) -success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 -success on: Java/1.6.0_13 -success on: The Bat! (v2.00.9) Personal -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) -success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 -success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 -success on: CacheFlyServe v26b -success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 -success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 -success on: Total Commander -success on: OpenSSH_5.2 -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 -success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 -success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) -success on: Wget/1.9+cvs-stable (Red Hat modified) -success on: Wget/1.11.4 (Red Hat modified) -success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 -success on: Java1.3.1_04 -success on: OpenSSH_4.4 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) -success on: (vsFTPd 2.0.5) -success on: wu-2.6.2(1) -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) -success on: The Bat! (3.0.1 RC3) Professional -success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: Flash/10,2,153,1 success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) success on: Java1.2.2-JDeveloper success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 success on: ProFTPD 1.2.5rc1 Server (Debian) +success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) @@ -48,3 +14,42 @@ success on: Apple Mail (2.1084) success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 success on: Apache/1.3.19 (Unix) success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko +success on: Wget/1.11.4 (Red Hat modified) +success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US) +success on: wu-2.6.2(1) +success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0 +success on: The Bat! (3.0.1 RC3) Professional +success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 +success on: The Bat! (v2.00.9) Personal +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) +success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) +success on: wu-2.4.2-academ[BETA-18-VR14](1) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 +success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063 +success on: Total Commander +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) +success on: libwww-perl/5.820 +success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success on: Java/1.6.0_13 +success on: Python-urllib/3.1 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 +success on: CacheFlyServe v26b +success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +success on: OpenSSH_5.2 +success on: (vsFTPd 2.0.5) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) +success on: Apache +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 +success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 +success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 +success on: Java1.3.1_04 +success on: OpenSSH_4.4 +success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 +success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 +success on: Wget/1.9+cvs-stable (Red Hat modified) diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index f61e8a3a9e..9a54f3d966 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro @@ -40,6 +40,9 @@ global matched_software: table[string] of Software::Description = { [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""], ["Flash/10,2,153,1"] = [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$minor3=1], $unparsed_version=""], + # The addl on the following entry isn't so great, but it'll do. + ["Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)"] = + [$name="Flash", $version=[$major=26,$minor=0,$minor2=0,$minor3=137,$addl="CFNetwork/811"], $unparsed_version=""], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$minor3=967,$addl="Oct"], $unparsed_version=""], ["CacheFlyServe v26b"] = @@ -110,6 +113,14 @@ global matched_software: table[string] of Software::Description = { [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], + ["\\xe6\\xbc\\xab\\xe7\\x94\\xbb\\xe4\\xba\\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US)"] = + [$name="\xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba", $version=[$major=2,$minor=6,$minor2=2,$addl="rv:1"], $unparsed_version=""], + ["%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"] = + [$name="\xe6\x9c\x89\xe9\x81\x93\xe8\xaf\x8d\xe5\x85\xb8", $version=[$major=128,$addl="CFNetwork/760"], $unparsed_version=""], + ["QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0"] = + [$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""], + ["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] = + [$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""], }; event bro_init() From 78f8ff432f984548fa2b88865c904109e121443a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Jul 2017 13:23:37 -0700 Subject: [PATCH 269/288] Adding plugin API number into versioned function name, and removing old runtime API version check. --- CMakeLists.txt | 9 +++++++-- src/plugin/Manager.cc | 4 ---- src/plugin/Plugin.cc | 5 ----- src/plugin/Plugin.h | 18 +++--------------- .../plugins.api-version-mismatch/output | 1 - testing/btest/plugins/api-version-mismatch.sh | 8 -------- 6 files changed, 10 insertions(+), 35 deletions(-) delete mode 100644 testing/btest/Baseline/plugins.api-version-mismatch/output delete mode 100644 testing/btest/plugins/api-version-mismatch.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index 29643c7b84..990c09b611 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,6 +40,11 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) +execute_process(COMMAND grep "^#define *BRO_PLUGIN_API_VERSION" + INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h + OUTPUT_VARIABLE API_VERSION + OUTPUT_STRIP_TRAILING_WHITESPACE) +string(REGEX REPLACE "^#define.*VERSION *" "" API_VERSION "${API_VERSION}") string(REPLACE "." " " version_numbers ${VERSION}) separate_arguments(version_numbers) @@ -47,9 +52,9 @@ list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") -set(VERSION_C_IDENT "${VERSION}") +set(VERSION_C_IDENT "${VERSION}_plugin_${API_VERSION}") string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}") -string(REGEX REPLACE "[^a-zA-Z0-9_]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") +string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") if(${ENABLE_DEBUG}) set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug") diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 104bcfbdd5..a6c564d4f2 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -243,10 +243,6 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ plugins_by_path.insert(std::make_pair(normalize_path(dir), current_plugin)); - if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION ) - reporter->FatalError("plugin's API version does not match Bro (expected %d, got %d in %s)", - BRO_PLUGIN_API_VERSION, current_plugin->APIVersion(), path); - // We execute the pre-script initialization here; this in // fact could be *during* script initialization if we got // triggered via @load-plugin. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 7af9b9dfee..f54749f837 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -242,11 +242,6 @@ VersionNumber Plugin::Version() const return config.version; } -int Plugin::APIVersion() const - { - return config.api_version; - } - bool Plugin::DynamicPlugin() const { return dynamic; diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 37f2064644..c00831d1fd 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -13,10 +13,9 @@ #include "iosource/Component.h" #include "logging/WriterBackend.h" -// We allow to override this externally for testing purposes. -#ifndef BRO_PLUGIN_API_VERSION -#define BRO_PLUGIN_API_VERSION 5 -#endif +// Increase this when making incompatible changes to the plugin API. Note +// that the constant is never used in C code. It's picked up on by CMake. +#define BRO_PLUGIN_API_VERSION 6 #define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION @@ -103,14 +102,12 @@ public: private: friend class Plugin; - int api_version; // Current BRO_PLUGIN_API_VERSION. Automatically set. }; inline Configuration::Configuration() { name = ""; description = ""; - api_version = BRO_PLUGIN_API_VERSION; bro_version = 0; } @@ -451,15 +448,6 @@ public: **/ const std::string& PluginPath() const; - /** - * Returns the internal version of the Bro API that this plugin - * relies on. Only plugins that match Bro's current API version can - * be used. For statically compiled plugins this is automatically the - * case, but dynamically loaded plugins may cause a mismatch if they - * were compiled for a different Bro version. - */ - int APIVersion() const; - /** * Returns a list of all components the plugin provides. */ diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output deleted file mode 100644 index 04f3cdd3a2..0000000000 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ /dev/null @@ -1 +0,0 @@ -fatal error in /home/robin/bro/plugins/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/plugins/testing/btest/.tmp/plugins.api-version-mismatch/build//lib/XXX) diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh deleted file mode 100644 index 2483582359..0000000000 --- a/testing/btest/plugins/api-version-mismatch.sh +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo -# @TEST-EXEC: bash %INPUT -# @TEST-EXEC: ./configure --bro-dist=${DIST} && make -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1 -# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output - -( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc From 0d97e5451d3529790b4586b4fef92b78316c72b2 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 15:09:54 -0700 Subject: [PATCH 270/288] Revert "parse multiple OCSP stapling responses" This reverts commit 07891b3b66fbf86a188325a0eaedc24db9571b13. I suspect this never really was correctly implemented and just breaks all scripts. --- .../protocol/ssl/tls-handshake-analyzer.pac | 9 +++++---- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++--------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 60d03f3dce..024353432a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -241,7 +241,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ ODesc common; common.AddRaw("Analyzer::ANALYZER_SSL"); @@ -249,7 +249,7 @@ refine connection Handshake_Conn += { common.AddRaw("F"); bro_analyzer()->Conn()->IDString(&common); - if ( status_type == 1 || status_type == 2 ) // ocsp + if ( status_type == 1 ) // ocsp { ODesc file_handle; file_handle.Add(common.Description()); @@ -269,6 +269,7 @@ refine connection Handshake_Conn += { file_mgr->EndOfFile(file_id); } + return true; %} @@ -384,8 +385,8 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); +refine typeattr CertificateStatus += &let { + proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index d06d8ec57b..6a1988111e 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -165,23 +165,11 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling -type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response : bytestring &length = to_int()(length); -} &length = to_int()(length)+3; - -type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); -} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined - which_type: case status_type of { - 1 -> ocsp_response : OCSPResponse(rec, status_type); - 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); - default -> data : bytestring &restofdata &transient; # unknown - }; + status_type: uint8; # 1 = ocsp, everything else is undefined + length : uint24; + response: bytestring &restofdata; }; ###################################################################### From 912637658137630230562aaf41b6345f64fe5c74 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 15:12:19 -0700 Subject: [PATCH 271/288] Revert "add parameter 'status_type' to event ssl_stapled_ocsp" This reverts commit 545848d9067c9ce35e8825961ce82943d3c945ff. Revert further part of stapled OCSP response handling that probably never worked. --- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +--- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 +-- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 5 files changed, 5 insertions(+), 8 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 8f0da3ef2f..81bbc3c9ea 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 44e359dde6..755eccded7 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -416,9 +416,7 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -## -## status_type: status_type in received OCSP stapled response -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 024353432a..e3226551b4 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -264,8 +264,7 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data()), - status_type); + (const char*) response.data())); file_mgr->EndOfFile(file_id); } diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index 4a4d081e09..ab24f28ee8 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro @@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 440b1b2ebf..6424f263f1 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test @@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 9594f695980f2ba451c3ad2cf2c33323ae517ceb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 16:21:47 -0700 Subject: [PATCH 272/288] SSL: Update OCSP/SCT scripts and documentation. --- doc/script-reference/log-files.rst | 4 + scripts/base/files/x509/README | 2 +- scripts/base/files/x509/__load__.bro | 1 - scripts/base/files/x509/main.bro | 11 +- scripts/base/protocols/ssl/README | 2 +- scripts/base/protocols/ssl/main.bro | 11 +- scripts/policy/files/x509/log-ocsp.bro | 52 +++++---- .../policy/protocols/ssl/validate-ocsp.bro | 6 +- scripts/policy/protocols/ssl/validate-sct.bro | 39 +++++-- src/analyzer/protocol/ssl/events.bif | 14 ++- src/file_analysis/analyzer/x509/events.bif | 18 +++- src/file_analysis/analyzer/x509/functions.bif | 60 +++++++++-- .../analyzer/x509/ocsp_events.bif | 102 ++++++++++++++++-- .../btest/Baseline/coverage.find-bro-logs/out | 1 + 14 files changed, 260 insertions(+), 63 deletions(-) diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 795b33f6b8..e8550ee41c 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst @@ -76,6 +76,10 @@ Files +============================+=======================================+=================================+ | files.log | File analysis results | :bro:type:`Files::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` | +| | (OCSP). Only created if policy script | | +| | is loaded. | | ++----------------------------+---------------------------------------+---------------------------------+ | pe.log | Portable Executable (PE) | :bro:type:`PE::Info` | +----------------------------+---------------------------------------+---------------------------------+ | x509.log | X.509 certificate info | :bro:type:`X509::Info` | diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index b523eb4fc4..515b0e0b1c 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1,2 +1,2 @@ Support for X509 certificates with the file analysis framework. -Also supposrts OCSP requests and responses. +Also supports parsing OCSP requests and responses. diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index cff81e7254..a10fe855df 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1,2 +1 @@ @load ./main -#@load ./ocsp diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index a7d3ca7a04..7cf1c4ab59 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -10,23 +10,17 @@ export { type Info: record { ## Current timestamp. ts: time &log; - ## File id of this certificate. id: string &log; - ## Basic information about the certificate. certificate: X509::Certificate &log; - ## The opaque wrapping the certificate. Mainly used ## for the verify operations. handle: opaque of x509; - ## All extensions that were encountered in the certificate. extensions: vector of X509::Extension &default=vector(); - ## Subject alternative name extension of the certificate. san: X509::SubjectAlternativeName &optional &log; - ## Basic constraints extension of the certificate. basic_constraints: X509::BasicConstraints &optional &log; }; @@ -39,6 +33,11 @@ event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + # We use mime types internally to distinguish between user and ca certificates. + # The first certificate in a connection always gets tagged as user-cert, all + # following certificates get tagged as CA certificates. Certificates gotten via + # other means (e.g. identified from HTTP traffic when they are transfered in plain + # text) get tagged as application/pkix-cert. Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README index 8fa99fd553..1fd0568101 100644 --- a/scripts/base/protocols/ssl/README +++ b/scripts/base/protocols/ssl/README @@ -1 +1 @@ -Support for Secure Sockets Layer (SSL) protocol analysis. +Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis. diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 54ac8548ba..932505c3a8 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -64,7 +64,6 @@ export { ## Flag to indicate if this ssl session has been established ## successfully, or if it was aborted during the handshake. established: bool &log &default=F; - ## Flag to indicate if this record already has been logged, to ## prevent duplicates. logged: bool &default=F; @@ -74,11 +73,18 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + ## The record type which contains the field for the Certificate + ## Transparency log bundle. type CTInfo: record { + ## Description of the Log description: string; + ## Operator of the Log operator: string; + ## Public key of the Log. key: string; + ## Maximum merge delay of the Log maximum_merge_delay: count; + ## URL of the Log url: string; }; @@ -104,7 +110,8 @@ export { ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); - # do everything you want to do right before logging here + # Hook that can be used to perform actions right before the log record + # is written. global ssl_finishing: hook(c: connection); } diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro index f9e72dd832..349fa9a372 100644 --- a/scripts/policy/files/x509/log-ocsp.bro +++ b/scripts/policy/files/x509/log-ocsp.bro @@ -1,31 +1,41 @@ -##! Enable basic OCSP logging. - -# This is in policy because probably just about no one is interested -# in logging OCSP responses. +##! Enable logging of OCSP responses. +# +# This script is in policy and not loaded by default because OCSP logging +# does not provide a lot of interesting information in most environments. module OCSP; export { redef enum Log::ID += { LOG }; + ## The record type which contains the fields of the OCSP log. type Info: record { - ## Current timestamp. - ts: time &log; - - ## File id of the ocsp reply. - id: string &log; - - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - certStatus: string &log; - revoketime: time &log &optional; - revokereason: string &log &optional; - thisUpdate: time &log; - nextUpdate: time &log &optional; + ## Time when the OCSP reply was encountered. + ts: time &log; + ## File id of the ocsp reply. + id: string &log; + ## Hash algorithm used to generate issuerNameHash and issuerKeyHash. + hashAlgorithm: string &log; + ## Hash of the issuer's distingueshed name. + issuerNameHash: string &log; + ## Hash of the issuer's public key. + issuerKeyHash: string &log; + ## Serial number of the affected certificate. + serialNumber: string &log; + ## Status of the affected certificate. + certStatus: string &log; + ## Time at which the certificate was revoked. + revoketime: time &log &optional; + ## Reason for which the certificate was revoked. + revokereason: string &log &optional; + ## The time at which the status being shows is known to have been correct. + thisUpdate: time &log; + ## The latest time at which new information about the status of the certificate will be available. + nextUpdate: time &log &optional; }; + ## Event that can be handled to access the OCSP record + ## as it is sent to the logging framework. global log_ocsp: event(rec: Info); } @@ -39,14 +49,12 @@ event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHas { local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash, $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus, - $thisUpdate=thisUpdate); + $thisUpdate=thisUpdate); if ( revokereason != "" ) wr$revokereason = revokereason; - if ( time_to_double(revoketime) != 0 ) wr$revoketime = revoketime; - if ( time_to_double(nextUpdate) != 0 ) wr$nextUpdate = nextUpdate; diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 81bbc3c9ea..7cb8be9f0e 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,9 @@ ##! Perform validation of stapled OCSP responses. +#! +#! Note: this _only_ performs validation of stapled OCSP responsed. It does +#! not validate OCSP responses that are retrieved via HTTP, because we do not +#! have a mapping to certificates. + @load base/frameworks/notice @load base/protocols/ssl @@ -15,7 +20,6 @@ export { redef record Info += { ## Result of ocsp validation for this connection. ocsp_status: string &log &optional; - ## ocsp response as string. ocsp_response: string &optional; }; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index bf7d8745bb..f45a8f7964 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -1,6 +1,5 @@ ##! Perform validation of Signed Certificate Timestamps, as used -##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 -##! for more details. +##! for Certificate Transparency. See RFC6962 for more details. @load base/protocols/ssl @load protocols/ssl/validate-certs @@ -13,40 +12,63 @@ module SSL; export { + ## List of the different sources for Signed Certificate Timestamp type SctSource: enum { + ## Signed Certificate Timestamp was encountered in the extension of + ## an X.509 certificate. SCT_X509_EXT, + ## Signed Certificate Timestamp was encountered in an TLS session + ## extension. SCT_TLS_EXT, + ## Signed Certificate Timestamp was encountered in the extension of + ## an stapled OCSP reply. SCT_OCSP_EXT }; + ## This record is used to store information about the SCTs that are + ## encountered in a SSL connection. type SctInfo: record { + ## The version of the encountered SCT (should always be 0 for v1). version: count; + ## The ID of the log issuing this SCT. logid: string; + ## The timestamp at which this SCT was issued measured since the + ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in + ## milliseconds. Not converted to a Bro timestamp because we need + ## the exact value for validation. timestamp: count; + ## The signature algorithm used for this sct. sig_alg: count; + ## The hash algorithm used for this sct. hash_alg: count; + ## The signature of this SCT. signature: string; + ## Source of this SCT. source: SctSource; + ## Validation result of this SCT. valid: bool &optional; }; redef record Info += { + ## Number of valid SCTs that were encountered in the connection. valid_scts: count &optional; + ## Number of SCTs that could not be validated that were encountered in the connection. invalid_scts: count &optional; + ## Number of different Logs for which valid SCTs were encountered in the connection. valid_ct_logs: count &log &optional; + ## Number of different Log operators of which valid SCTs were encountered in the connection. valid_ct_operators: count &log &optional; + ## List of operators for which valid SCTs were encountered in the connection. valid_ct_operators_list: set[string] &optional; + ## Information about all SCTs that were encountered in the connection. + ct_proofs: vector of SctInfo &default=vector(); }; - } +# Used to cache validations for 5 minutes to lessen computational load. global recently_validated_scts: table[string] of bool = table() &read_expire=5mins &redef; -redef record SSL::Info += { - ct_proofs: vector of SctInfo &default=vector(); -}; - event bro_init() { Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); @@ -134,7 +156,6 @@ hook ssl_finishing(c: connection) &priority=19 # the right issuer cert. # # First - Let's try if a previous round already established the correct issuer key hash. - if ( issuer_key_hash != "" ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); @@ -151,9 +172,9 @@ hook ssl_finishing(c: connection) &priority=19 issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); } + # ok, if it still did not work - let's just try with all the certs that were sent # in the connection. Perhaps it will work with one of them. - if ( !valid ) for ( i in c$ssl$cert_chain ) { diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 755eccded7..7f0814ee27 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -211,6 +211,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is @@ -231,6 +232,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); ## Generated for the signed_certificate_timestamp TLS extension as defined in @@ -253,6 +255,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_application_layer_protocol_negotiation +## x509_ocsp_ext_signed_certificate_timestamp sct_verify event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated for an TLS Supported Versions extension. This TLS extension @@ -271,7 +281,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ssl_extension_server_name -## ssl_extension_psk_key_exchange_modes +## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined @@ -288,7 +298,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ssl_extension_server_name -## ssl_extension_supported_versions +## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index 206555e9dd..68afe5340a 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -13,7 +13,7 @@ ## ## .. bro:see:: x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%); ## Generated for X509 extensions seen in a certificate. @@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif ## ## .. bro:see:: x509_certificate x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_extension%(f: fa_file, ext: X509::Extension%); ## Generated for the X509 basic constraints extension seen in a certificate. @@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%); ## ## .. bro:see:: x509_certificate x509_extension ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## Generated for the X509 subject alternative name extension seen in a certificate. @@ -52,13 +52,14 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## ext: The parsed subject alternative name extension. ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints -## x509_parse x509_verify +## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); ## Generated for the signed_certificate_timestamp X509 extension as defined in ## :rfc:`6962`. The extension is used to transmit signed proofs that are -## used for Certificate Transparency. +## used for Certificate Transparency. Raised when the extension is encountered +## in an X.509 certificate or in an OCSP reply. ## ## f: The file. ## @@ -74,4 +75,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints +## x509_parse x509_verify x509_ext_subject_alternative_name +## x509_get_certificate_string ssl_extension_signed_certificate_timestamp +## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 8212835e2e..e3fcb0ce11 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -140,6 +140,8 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +// Convert hash algorithm registry numbers to the OpenSSL EVP_MD. +// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 const EVP_MD* hash_to_evp(int hash) { switch ( hash ) @@ -483,7 +485,7 @@ x509_ocsp_cleanup: ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse -## x509_get_certificate_string x509_ocsp_verify +## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal()); @@ -571,6 +573,28 @@ x509_verify_chainerror: return rrecord; %} +## Verifies a Signed Certificate Timestamp as used for Certificate Transparency. +## See RFC6962 for more details. +## +## cert: Certificate against which the SCT should be validated. +## +## logid: Log id of the SCT. +## +## log_key: Public key of the Log that issued the SCT proof. +## +## timestamp: Timestamp at which the proof was generated. +## +## hash_algorithm: Hash algorithm that was used for the SCT proof. +## +## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key. +## This only has to be provided if the SCT was encountered in an X.509 +## certificate extension; in that case, it is necessary for validation. +## +## Returns: T if the validation could be performed succesfully, F otherwhise. +## +## .. bro:see:: ssl_extension_signed_certificate_timestamp +## x509_ocsp_ext_signed_certificate_timestamp +## x509_verify function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); @@ -789,6 +813,17 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha } %%} +## Get the hash of the subject's distinguished name. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_issuer_name_hash x509_spki_hash +## x509_verify sct_verify function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; @@ -796,17 +831,17 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string return x509_entity_hash(cert_handle, hash_alg, 0); %} -## Get the hash of issuer name of a certificate +## Get the hash of the issuer's distinguished name. ## ## cert: The X509 certificate opaque handle. ## -## hash_alg: the hash algorithm to use +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 ## -## Returns: A string of hash of issuer name. +## Returns: The hash as a string. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints -## x509_ext_subject_alternative_name x509_parse -## x509_get_certificate_string x509_verify +## .. bro:see:: x509_subject_name_hash x509_spki_hash +## x509_verify sct_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; @@ -814,6 +849,17 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string return x509_entity_hash(cert_handle, hash_alg, 1); %} +## Get the hash of the Subject Public Key Information of the certificate. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash +## x509_verify sct_verify function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 76208c210e..1c236bf177 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -1,6 +1,8 @@ ## Event that is raised when encountering an OCSP request, e.g. in an HTTP ## connection. See :rfc:`6960` for more details. ## +## This event is raised exactly once for each OCSP Request. +## ## f: The file. ## ## req: version: the version of the OCSP request. Typically 0 (Version 1). @@ -8,23 +10,111 @@ ## requestorName: name of the OCSP requestor. This attribute is optional; if ## it is not set, an empty string is returned here. ## +## .. bro:see:: ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request%(f: fa_file, version: count, requestorName: string%); +## Event that is raised when encountering an OCSP request for a certificate, +## e.g. in an HTTP connection. See :rfc:`6960` for more details. +## +## Note that a single OCSP request can contain requests for several certificates. +## Thus this event can fire several times for one OCSP request, each time +## requesting information for a different (or in theory even the same) certificate. +## +## f: The file. +## +## hashAlgorithm: The hash algorithm used for the issuerKeyHash. +## +## issuerKeyHash: Hash of the issuers public key. +## +## serialNumber: Serial number of the certificate for which the status is requested. +## +## .. bro:see:: ocsp_request ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); -## Generated for encountered OCSP response +## This event is raised when encountering an OCSP reply, e.g. in an HTTP +## connection or a TLS extension. See :rfc:`6960` for more details. +## +## This event is raised exactly once for each OCSP reply. +## +## f: The file. +## +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). +## +## .. bro:see:: ocsp_request ocsp_request_certificate +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_status%(f: fa_file, status: string%); + +## This event is raised when encountering an OCSP response that contains response information. +## An OCSP reply can be encountered, for example, in an HTTP connection or +## a TLS extension. See :rfc:`6960` for more details on OCSP. ## ## f: The file. ## ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the -## OCSP response +## OCSP response. ## -## req: The parsed OCSP response information. +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). ## -event ocsp_response_status%(f: fa_file, status: string%); - +## version: Version of the OCSP response (typically - for version 1). +## +## responderId: The id of the OCSP responder; either a public key hash or a distinguished name. +## +## producedAt: Time at which the reply was produced. +## +## signatureAlgorithm: Algorithm used for the OCSP signature. +## +## certs: Optional list of certificates that are sent with the OCSP response; these typically +## are needed to perform validation of the reply. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); -event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); +## This event is raised for each SingleResponse contained in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash. +## +## issuerNameHash: Hash of the issuer's distinguished name. +## +## issuerKeyHash: Hash of the issuer's public key. +## +## serialNumber: Serial number of the affected certificate. +## +## certStatus: Status of the certificate. +## +## revokeTime: Time the certificate was revoked, 0 if not revoked. +## +## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified. +## +## thisUpdate: Time this response was generated. +## +## nextUpdate: Time next response will be ready; 0 if not supploed. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%); +## This event is raised when an OCSP extension is encountered in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## ext: The parsed extension (same format as X.509 extensions). +## +## global_resp: T if extension encountered in the global response (in ResponseData), +## F when encountered in a SingleResponse. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index 9ff209d2e6..09a08914fe 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -30,6 +30,7 @@ netcontrol_shunt notice notice_alarm ntlm +ocsp open_flow packet_filter pe From 5acbccf44417b82e9692118238e2763d5874cd44 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 17:07:22 -0700 Subject: [PATCH 273/288] Update CT Log list --- scripts/base/protocols/ssl/ct-list.bro | 66 ++++++++++++++++---------- 1 file changed, 40 insertions(+), 26 deletions(-) diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro index 600b644df2..d48f58877c 100644 --- a/scripts/base/protocols/ssl/ct-list.bro +++ b/scripts/base/protocols/ssl/ct-list.bro @@ -1,34 +1,48 @@ # # Do not edit this file. This file is automatically generated by gen-ct-list.pl -# File generated at Thu Mar 16 13:41:00 2017 -# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# File generated at Thu Jul 27 16:59:25 2017 +# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json # @load base/protocols/ssl module SSL; redef ct_logs += { -["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), -["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), -["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), -["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), -["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), -["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), -["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), -["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), -["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), -["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", $url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), -["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), -["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), -["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), -["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), -["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), -["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), -["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), -["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), -["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), -["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), -["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), -["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), -["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), -["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), +["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), +["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), +["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"), +["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"), +["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"), +["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"), +["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"), +["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"), +["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"), +["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"), }; From ade9aa219b69c7a313293751ff9350cfc10f4a89 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 22:04:47 -0700 Subject: [PATCH 274/288] Better handling of % at end of line. --- src/analyzer/protocol/http/HTTP.cc | 16 +++++++++++++--- .../http.log | 11 +++++++++++ .../weird.log | 11 +++++++++++ .../btest/Traces/http/percent-end-of-line.pcap | Bin 0 -> 3577 bytes .../base/protocols/http/percent-end-of-line.bro | 4 ++++ 5 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log create mode 100644 testing/btest/Traces/http/percent-end-of-line.pcap create mode 100644 testing/btest/scripts/base/protocols/http/percent-end-of-line.bro diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index c1f4320c04..cae14586dd 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1843,19 +1843,29 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e if ( line == line_end ) { - // How to deal with % at end of line? - // *URI_p++ = '%'; + *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("illegal_%_at_end_of_URI"); break; } + else if ( line + 1 == line_end ) + { + // % + one character at end of line. Log weird + // and just add to unescpaped URI. + *URI_p++ = '%'; + *URI_p++ = *line; + if ( analyzer ) + analyzer->Weird("partial_escape_at_end_of_URI"); + break; + } + else if ( *line == '%' ) { // Double '%' might be either due to // software bug, or more likely, an // evasion (e.g. used by Nimda). - // *URI_p++ = '%'; + *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("double_%_in_URI"); --line; // ignore the first '%' diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log new file mode 100644 index 0000000000..8b2f960d80 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log new file mode 100644 index 0000000000..df24831d15 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F bro +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F bro +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4d3854241a1b7d900c13c91790a929cf22889bda GIT binary patch literal 3577 zcmeH|e{2(F7{}k1GPctug8%{od5a)FTzhS4q3cTB*bi2+L4{7)9}te~yY|>|*WF#m z7%|R3ObkB~FySx%&=?}bM2*3JR3S$ z>D%<)_wMsP@AG```Cc9QJ|biT{Ks+Cap|7x;(+g~uU|Y{ zOM7flDN}8>YHpSN zZW`Ad_B=iD2O;a>8b_X+-vj8BL|_Brt8%s@8FwJ@>!b4>O>1C>;df^A(c7Qp=?;4} zH+SCl8AyknreWM~19>e_ag@a!xbP>&9WX3$4+A|qR9ic1Xo!%pcn6V;#KrdrIRt6J zVI|sLo30`;_i07qoZ4C0no{Dr)&%93(Dpb0_rn#F^ zOo7=>bx@LJfe(7TbXlh$N{XTC=>{583?@^Upc^;SE!5}r`1}o2>kkJ59`ACxj)}c0 z@Avw=@b%F)Nn<_g0FR4Ku1OSG2G|B0F!;2wORf_#8CenqLsAuf0B2qpu+Hw18~WCG zJ@s`f_!Z{APyyub5R_C_NU<pBxo zZZp&RnHHu^89_`l-tP%`{Hy7*HkMR1VY!()1C-+KU`onJhv`Z$RCr=OMOoD$l`v)A zm)MhmO^c;(pki9kbY`rPbk!XS1?$~V4<{FKwQOuobjMpkr=1-%-nF(P)=U?xM;9E`q{|M$$}3!i6CjGK*Ty9O3iRT!c4oi|kO7d+6Xt$cx=nhTY4KD=M;gnRMT3!LvNDBu1NIEQFhN!4!Mn*zJ=KGL|V88qaL@P$VKXT}Y2;)zWaJ_DL5G##sE zNWitgRH46AGtJag;dGKa2(1yD4ye%7461PB1fsR+kic6V*mQcID{VRlYUVqdDYUVw zSD}TDwXuUpMPhtX;?fgH{QjE?M3+fyC@1c1A3t?@j59YOadbgN;&h0yzDPV&i1EV% zidj+_pRK?}Hr{qK$1oH_^tV*ed&jV`yVY7J*z)RC#WX z+{L)%y_UEa0)0Q)*zGq8xqa}#+<8(AiL-WBk;7nNIIKk5(4{R%c{ Date: Fri, 28 Jul 2017 09:21:35 -0700 Subject: [PATCH 275/288] Tiny script changes for SSL. log-hostcerts-only relied on old event ordering; the identifier key of validate-certs is now shorter (no function change, just potentially a tiny bit faster). --- .../protocols/ssl/log-hostcerts-only.bro | 23 +++++++++++++++---- .../policy/protocols/ssl/validate-certs.bro | 2 +- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index f537616e7f..0eb7da29b3 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro @@ -8,7 +8,7 @@ module X509; export { redef record Info += { - # Logging is suppressed if field is set to F + ## Logging of certificate is suppressed if set to F logcert: bool &default=T; }; } @@ -39,14 +39,29 @@ event bro_init() &priority=2 Log::add_filter(X509::LOG, f); } -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2 +event file_sniff(f: fa_file, meta: fa_metadata) &priority=4 { - if ( ! c?$ssl ) + if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" + || f$info$mime_type == "application/pkix-cert" ) ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + local chain: vector of string; - if ( is_orig ) + if ( f$is_orig ) chain = c$ssl$client_cert_chain_fuids; else chain = c$ssl$cert_chain_fuids; diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index c2f4e569a2..352ff4e863 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -189,6 +189,6 @@ hook ssl_finishing(c: connection) &priority=20 local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, - $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); + $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]); } } From 3bb05693d9bb09d3b9bedbe6e9d91cb6c3d141ea Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 28 Jul 2017 09:40:58 -0700 Subject: [PATCH 276/288] Add canonifier to catch and release test that should fix test failures. --- .../scripts/base/frameworks/netcontrol/catch-and-release.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro index 4aaaaf6900..c48b3b3551 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log # @TEST-EXEC: btest-diff netcontrol_catch_release.log @load base/frameworks/netcontrol From a85a2821d7cffe89f395330fcda2b325f4698337 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 28 Jul 2017 10:07:44 -0700 Subject: [PATCH 277/288] Updating submodule(s). [nomail] --- CHANGES | 8 ++++++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 9eddfc4c6d..6cf1b84fd2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-185 | 2017-07-28 10:07:44 -0700 + + * Improved handling of '%' at end of line in HTTP analyzer. (Johanna + Amann) + + * Add canonifier to catch and release test that should fix test + failures. (Johanna Amann) + 2.5-181 | 2017-07-25 16:02:41 -0700 * Extend plugin infrastructure to catch Bro version mismatches at link diff --git a/VERSION b/VERSION index 260fe8ff40..532039338e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-181 +2.5-185 diff --git a/aux/broctl b/aux/broctl index 97e3f40646..1ab5ed3d3b 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 97e3f40646c1a68ba35bcf6cf30237e1ba0dbe6e +Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8 diff --git a/aux/btest b/aux/btest index e638fc65aa..2810ccee25 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a +Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a From 310ef6974f31ae8e1d5a1480c23cb0198edf67f0 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 28 Jul 2017 12:22:20 -0700 Subject: [PATCH 278/288] Small fix to revert to double-% handling in HTTP back to old behaviour. --- CHANGES | 2 +- VERSION | 2 +- src/analyzer/protocol/http/HTTP.cc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 6cf1b84fd2..731643588a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-185 | 2017-07-28 10:07:44 -0700 +2.5-186 | 2017-07-28 12:22:20 -0700 * Improved handling of '%' at end of line in HTTP analyzer. (Johanna Amann) diff --git a/VERSION b/VERSION index 532039338e..aa91067d4a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-185 +2.5-186 diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index cae14586dd..badf8c1b54 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1865,7 +1865,7 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e // Double '%' might be either due to // software bug, or more likely, an // evasion (e.g. used by Nimda). - *URI_p++ = '%'; + // *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("double_%_in_URI"); --line; // ignore the first '%' From dbac2b1abb9b5ad123092efb5ad058d22188904a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Aug 2017 16:24:44 -0400 Subject: [PATCH 279/288] Addresses BIT-1831 There is apparently some situation where a field wasn't being populated which resulted in a reporter messsage. Thanks to the report from Chris Herdt! --- scripts/base/protocols/ssh/main.bro | 10 ++------ .../btest/Baseline/core.tunnels.gre/ssh.log | 6 ++--- .../scripts.base.protocols.ssh.basic/ssh.log | 24 +++++++++---------- 3 files changed, 17 insertions(+), 23 deletions(-) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index c421116d66..9b21b9414e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -24,7 +24,7 @@ export { ## at least one, since some servers might support no authentication at all. ## It's important to note that not all of these are failures, since ## some servers require two-factor auth (e.g. password AND pubkey) - auth_attempts: count &log &optional; + auth_attempts: count &log &default=0; ## Direction of the connection. If the client was a local host ## logging into an external host, this would be OUTBOUND. INBOUND ## would be set for the opposite situation. @@ -185,13 +185,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5 return; c$ssh$auth_success = authenticated; - - if ( c$ssh?$auth_attempts ) - c$ssh$auth_attempts += 1; - else - { - c$ssh$auth_attempts = 1; - } + c$ssh$auth_attempts += 1; if ( authenticated && disable_analyzer_after_detection ) disable_analyzer(c$id, c$ssh$analyzer_id); diff --git a/testing/btest/Baseline/core.tunnels.gre/ssh.log b/testing/btest/Baseline/core.tunnels.gre/ssh.log index a3f6d0d738..7ffd15a845 100644 --- a/testing/btest/Baseline/core.tunnels.gre/ssh.log +++ b/testing/btest/Baseline/core.tunnels.gre/ssh.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssh -#open 2016-10-13-19-54-38 +#open 2017-08-01-16-46-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - - - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 -#close 2016-10-13-19-54-38 +1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - 0 - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 +#close 2017-08-01-16-46-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log index 6af991f2fd..37d33ec57c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log @@ -3,22 +3,22 @@ #empty_field (empty) #unset_field - #path ssh -#open 2016-10-13-19-57-11 +#open 2017-08-01-16-26-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string 1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 F 2 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83 1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T 1 - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03 1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T 3 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 -1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - - - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 -1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - 0 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 +1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420851448.310534 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 2 T 2 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 arcfour256 hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 1420860283.057451 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 2 T 5 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee 1420860616.428738 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 2 T 1 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04 @@ -28,4 +28,4 @@ 1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 -#close 2016-10-13-19-57-11 +#close 2017-08-01-16-26-21 From 7242aada0c3f25ac2e24f2289a9d3e4b1b4cbfab Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 1 Aug 2017 15:54:26 -0500 Subject: [PATCH 280/288] Update install instructions for Fedora 26 --- doc/install/install.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/install/install.rst b/doc/install/install.rst index e7ff45b4fe..4c43ee9c73 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -54,6 +54,9 @@ To install the required dependencies, you can use: sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel + In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead + of ``openssl-devel``. + * DEB/Debian-based Linux: .. console:: From d5678418da92f9efd59c36189bd67b9349adc8e0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 1 Aug 2017 16:29:16 -0700 Subject: [PATCH 281/288] SSL SCT/OCSP: small fixes by robin; mostly update comments. SetMime now only works on the first call (as it was documented) and unused code was used from one of the x.509 functions. --- src/file_analysis/File.cc | 2 +- src/file_analysis/File.h | 6 ++++-- src/file_analysis/Manager.cc | 6 ++++++ src/file_analysis/Manager.h | 3 ++- src/file_analysis/analyzer/x509/OCSP.cc | 3 +++ src/file_analysis/analyzer/x509/X509.cc | 5 ++++- src/file_analysis/analyzer/x509/functions.bif | 9 +++------ 7 files changed, 23 insertions(+), 11 deletions(-) diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 2d9017a338..46624e23c0 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -294,7 +294,7 @@ void File::SetReassemblyBuffer(uint64 max) bool File::SetMime(const string& mime_type) { - if ( mime_type.empty() || bof_buffer.size != 0 ) + if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference ) return false; did_metadata_inference = true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index c52d9efbc4..1d4fb03789 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -176,8 +176,10 @@ public: * Sets the MIME type for a file to a specific value. * * Setting the MIME type has to be done before the MIME type is - * inferred from the content. After a MIME type has been set once, - * it cannot be changed anymore. + * inferred from the content, and before any data is passed to the + * analyzer (the beginning of file buffer has to be empty). After + * data has been sent or a MIME type has been set once, it cannot be + * changed. * * This function should only be called when it does not make sense * to perform automated MIME type detections. This is e.g. the case diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 3140a1e9db..1659230bff 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -118,6 +118,12 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + // This only has any effect when + // * called for the first time for a file + // * being called before file->DataIn is called for the first time (before data is + // added to the bof buffer). + // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during + // the first Manager::DataIn call for each file. if ( ! mime_type.empty() ) file->SetMime(mime_type); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d4ab6c8dfc..ce39b8144c 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -98,7 +98,8 @@ public: * certificates are passed as files; here the type of the file is set by * the protocol. If this parameter is give, mime type detection will be * disabled. - * This parameter is only used for the first bit of data for each file. + * This parameter only has any effect for the first DataIn call of each + * file. It is ignored for all subsequent calls. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 6ce51f9dd3..3770b5692c 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -344,6 +344,9 @@ clean_up: void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_cert_scts if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) #else diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index b26bd4a1da..2999007146 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -240,7 +240,10 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); -#ifdef NID_ct_cert_scts +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. +#ifdef NID_ct_precert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e3fcb0ce11..a4901b31e5 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -624,6 +624,9 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) @@ -778,12 +781,6 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha int res = 0; - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); - if ( key == 0 ) - { - printf("No key in X509_get0_pubkey_bitstr\n"); - } - if ( type == 0 ) res = X509_NAME_digest(subject_name, dgst, md, &len); else if ( type == 1 ) From 6ba710fbf79475b46b8c19a45d6986080018a0ce Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Aug 2017 15:04:13 -0700 Subject: [PATCH 282/288] Updating CHANGES, NEWS, and VERSION. --- CHANGES | 42 ++++++++++++++++++++++++++++++++++++++++++ NEWS | 26 ++++++++++++++++++++++++++ VERSION | 2 +- 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 731643588a..86c4162f08 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,46 @@ +2.5-288 | 2017-08-04 14:17:10 -0700 + + * Fix field not being populated, which resulted in a reporter + messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall) + + * Support for OCSP and Signed Certificate Timestamp. (Liang + Zhu/Johanna Amann) + + - OCSP parsing is added to the X.509 module. + + - Signed Certificate Timestamp extraction, parsing, & validation + is added to the SSL, X.509, and OCSP analyzers. Validation is + added to the X.509 BIFs. + + This adds the following events and BIFs: + + - event ocsp_request(f: fa_file, version: count, requestorName: string); + - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string); + - event ocsp_response_status(f: fa_file, status: string); + - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector); + - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time); + - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool); + - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string); + - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string); + - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool + - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string + + This also changes the MIME types that we use to identify X.509 + certificates in SSL connections from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + + * The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. (Johanna + Amann) + + * Add an internal API for protocol analyzers to provide the MIME + type of file data directly, disabling automatic inferrence. + (Johanna Amann). + 2.5-186 | 2017-07-28 12:22:20 -0700 * Improved handling of '%' at end of line in HTTP analyzer. (Johanna diff --git a/NEWS b/NEWS index a884f4fe5a..6d35a8978b 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,32 @@ their own ``CHANGES``.) Bro 2.6 (in progress) ===================== +New Functionality +----------------- + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: ocsp_request, ocsp_request_certificate, + ocsp_response_status, ocsp_response_bytes + ocsp_response_certificate ocsp_extension + x509_ocsp_ext_signed_certificate_timestamp + ssl_extension_signed_certificate_timestamp + + - Functions: sct_verify, x509_subject_name_hash, + x509_issuer_name_hash x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +Changed Functionality +--------------------- + +- The MIME types used to identify X.509 certificates in SSL + connections changed from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index aa91067d4a..4c6456e664 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-186 +2.5-288 From c251245538169c0e1053065e59c60e6bc4d995d4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 7 Aug 2017 16:10:46 -0500 Subject: [PATCH 283/288] Fix a netcontrol test that often fails The catch-and-release.bro test was failing whenever three conditions were all true: sorting the netcontrol.log before comparing to the baseline, the presence of LC_ALL=C in btest.cfg changes the sort order, and sometimes the timestamp increases slightly beginning with one of the rule_id == 5 lines. As a result of these three conditions, the sorted order of the lines with rule_id of 5 were different than the baseline. Fixed by not sorting netcontrol.log, as this doesn't seem necessary. --- .../scripts/base/frameworks/netcontrol/catch-and-release.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro index c48b3b3551..29c56c2535 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log # @TEST-EXEC: btest-diff netcontrol_catch_release.log @load base/frameworks/netcontrol From 712780079191d0decf83a8e8c268e8da34d7248d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 10 Aug 2017 12:47:14 -0500 Subject: [PATCH 284/288] Fix the expire-redef.bro test The expire-redef.bro test was sometimes failing due to the second "Run" message being printed after (should happen before) the "Expired" message. Fixed by increasing the time interval between events. Also reduced the number of events raised to make the test finish more quickly. --- testing/btest/Baseline/language.expire-redef/output | 2 -- testing/btest/language/expire-redef.bro | 10 +++++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output index d5a745e7f3..42bb1b485c 100644 --- a/testing/btest/Baseline/language.expire-redef/output +++ b/testing/btest/Baseline/language.expire-redef/output @@ -1,5 +1,3 @@ -Run 0 Run 1 Expired: 0 --> some data Run 2 -Run 3 diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index 6bf43ae98a..5cbb00f313 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -9,16 +9,16 @@ global expired: function(tbl: table[int] of string, idx: int): interval; global data: table[int] of string &write_expire=exp_val &expire_func=expired; redef table_expire_interval = 1sec; -redef exp_val = 5sec; +redef exp_val = 6sec; global runs = 0; event do_it() { + ++runs; print fmt("Run %s", runs); - ++runs; - if ( runs < 4 ) - schedule 2sec { do_it() }; + if ( runs < 2 ) + schedule 4sec { do_it() }; else terminate(); } @@ -33,5 +33,5 @@ function expired(tbl: table[int] of string, idx: int): interval event bro_init() &priority=-10 { data[0] = "some data"; - schedule 2sec { do_it() }; + schedule 4sec { do_it() }; } From fcd735cecd05899cb1115e23ca7718952e5e860b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 11 Aug 2017 13:51:49 -0500 Subject: [PATCH 285/288] Fix core.truncation unit test on macOS. The pcap file format has a global header and a header per packet. The global header of the pcap in question had a snaplen of 1, but with packet headers indicating the full number of bytes saved within the file. It seems like the pcap file must of been artifically edited in order for it to be this way. When reporting the captured length of a packet, Apple's version of libpcap now seems to report the full number of bytes saved within the pcap's per-packet headers, but other versions seem to report the snaplen from the global pcap header. This caused the core.truncation test to behave differently on macOS from other platforms. I've manually hexedit'd the pcap so that the snaplen is still 1, but contains just a single packet with a pcap header indicating a length of 8, which is less than the size of the link layer header and so should still test the original code path that the unit test intended to exercise. --- CHANGES | 8 ++++++++ VERSION | 2 +- testing/btest/Traces/trunc/trunc-hdr.pcap | Bin 6435 -> 49 bytes 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 86c4162f08..a1b2729cf4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-294 | 2017-08-11 13:51:49 -0500 + + * Fix core.truncation unit test on macOS. (Jon Siwek) + + * Fix a netcontrol test that often fails (Daniel Thayer) + + * Update install instructions for Fedora 26 (Daniel Thayer) + 2.5-288 | 2017-08-04 14:17:10 -0700 * Fix field not being populated, which resulted in a reporter diff --git a/VERSION b/VERSION index 4c6456e664..303202a260 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-288 +2.5-294 diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap index 0ab12ee6c78e1c88093333c6638359514c28c750..689128f2bb5db52f0b06d74f641fa534b5bb3530 100644 GIT binary patch delta 23 dcmZ2%WH>=Vkb{AN!4HTT)H~nRMi@{U&?H0U
y`HkP}%lL>0@cYW|9t?Gi zUm`?RccEAScBX)@XAngLiU6CFQ4o0@_3xo%3Q%YkAaET33U~y(fPX*5BlVZM8a`f= z91!!2)tX~_89CtX>tLL`HuuPX%;=>m3Q&%0o*Yk{r_PfGroaSbfOMWTj|dDw3Qv|N z%2Vb|2MU17ljPxnIFHH`j)NSz0trCC0|W=efdK@O0+K)pu8{!^ZWf266#3gl;E(bUga|>X z&>nCQKpIdWmnFr-?0f*NuQuf?UqXx;PV6Hz5Yw|jBb+O zna7s<@4$o(RXONF0q;e%lvaxb<0 zWcJ)Ur_^nllL2kSq=nTU9BMCXl|4XR$qnX{LRkXs*g_jzghz&I6?2s8R*ID^(FnYA zdL(%3>!lV49#^`Bkp_L6-pYgko(urfMiD517vf`r69_KBl;|CXg;o=@Ase zn`jOz#E<1i_wWf0^z-2ahKA7HSm9BuaJrQxIzv$s{%3%iqWs|vUyV=$29v?W-n~&S zBEe8Wr(?L%WI31cz$hOMi|!mA;1d!U%LijnQ5j;N4hbP3T;o~r+6npgk{DZ@2MJ(OXxm$E2T@+{s? zzmJ?9Ivu?CtQ~RBV)=Dx|AgMJ9_)7rQGLC2M(!<{UUOH5@)r-I->ZWT;EG(;cHXpg z4AeXoSKFX(WWSv4EH#+(?8=?j`)k^+47;okS~cRo@b;}O3dLL#86bUarJpBf$(s@U zn(}RORoVUioPuh?Z5IzwDe)4c3yGk;JBxR@aIzS~%$1ki%TuVw8)s zLsg;hR5S=QR3TArew#~aM{&jLw~p(?S#4_VA3k(Qqbk@2DS`q)jthd_zN^ zv2w_p4%Ch_dSWN8ekC^3O1i?OoF%&j`4VA)(N+ZZ9fq=&miv>*lLQp{ENTSeA zi9``R^7RQ9|MM}2&Eae`)7SS651u=Y+0YI85o{l(9xF;O0^TsoaJ>M=9JmKHC}tL; zY2*GH9Zdw^4nE;8*4MulVJy=L=J0YFlf>4g*&}Hq!8in+jcN-y#UTpH7%vf!8NNT@ zj6=0@aYK{RN5+naAcS}{7M&^l6-Cl$W5)>fjo3Kh7^v&lT_S0=!o&Jto+e_#Mt$Mc z!CZ~d(|mI@0zYGA35CGnUsM$;rU4uZCb>O47xVJ6y5qh4x8SclWy~5|=_`xt5JrsP ze_)b=02|er=l+&^zIoP_pwFDyp?A9Ko;(~`NSYPz#A5ai`%#v*7C$|y(NK#jSA!3k zE%+0OcXY0*A2e(T^6gOB)8khZDY9*eyIB7h^#!MBgr}%@(Kcr* zZcJ^TSya63o_kYI{vQv)FF~`D9ktgyIH^p2iep=6>_cZ5cFzCp)NhQ8H@z<=hq&Vx z0@wHN<7PI3#K;@koEhA5MIIk>metgS_cV8>d2q!+{87}SD%3+!9{MhywLL*9$&=K922XUP!YIVgkN8mt^OQnIIUyEp>nlrh zbD=DJhhDTtt1mT%g+*pWycIx*Z`b`;dQB!G3Xo*74mAf0(`^ zS5|`bHv!sdsaZRGI~%GjOnTbhy(}ft&dy)Zl&{EqNz3~5hJ4gdE%kR1ib17ohK?%x zKxqwrc^Zk!u-DbH4uf^TV99s|dkb82t z>FZDS-u3IqbAK^%YMM*%@&=i~5ywHwxdf@9I~R5+Y?XDt$MZ3GJ^WDbWn=m;Y1{9q zJ*{*iZ+&R0sn|7qH#hYjL2Y9}Xz1vwdXpzMzk96E-l8mNx#D=;S*>$bPe0A>SJQ}` zR-tzw%`ofWrkaR~d%1c~-;xVnUt0R>7DZlIq3)wMA1T^ObI061;s67o4JwOyEB^IH zMqyToIo#zVLWhf_{foneS;rHyL-pMGjFMpTtxjV?khiWd~mOEVKXtMFi901#wH zUpFG+lk=NWjPW;_HO>2zraA6fYHqtf^`GRDkA+!>Z%D2=GyfJLI$KUIj(PAZ zIJ&B_=8*e#Zx8kn^^NnA!tNK8*_aPK8!lPabv5qS7olWM-`P%*=;Mp&k})nja}LnV zcVdx19!7!$ykL%%fy^HaQ>+BViaC5(OCweXNVrX`1ClcN5rPKZjp_m5rS-;8n|eZX z%boYJFjGgm6@b(On7-VFM%*TjfMPCk13osB!~|IZ3gadh`43#GL6ZtgVAAqE?b4)~ zFp))#=Ax*Hp#hdSN1$P-11e@q)RDr&x&jd79EQ$k(k@1k@|qr5=&{Yi)<1ooHXh9a z2s5OqRYD?|LZMh@Y{?iMS3f|rLBQ=I%HGVti0L*sxeSZc{;u6i<(dQT62=v{UrW;s zQM#{78>^3su(M-Dy3bZCZTP%{x^Tg@FOM#rGZF2Z{Yqwpdv6x+=1%YFrexKqdF-1m z39VO4XsI&>0v;at@L<38mLX}^8+%g*$S+ObzCG3{6@9VnpPmy63i5GAg@ax3FSq2+ zJ+*2m_nxO!`bxXNBLRJH88Z5hQT}Vyub4w&Xzw9{JpGMC)x8mJtH0I>G1G|;$j%I1{IzPu|+CYcqObPeZTzNf? zQ@OcnMMQjEoPtxH!JS-Lr^`=A2Atpdp7pM85=*_A@HqEm$MJ&+Vejs~vcBjVLg!TM zGO;}`n*J($*6$jrcEOE@Hh%uS$05q?*=b(a+8{@9XPG?bqMKHr>`BwY0F$M5Lv}A; zi|?T2G|xXb=jFLr^Q-gM^i1sD5$uh1l8m9|Ii%pxzB4}A-|N=n*~87PtK zjEZ8eEb5NcTbaUi*q75EbeZK=e?;3F^eHBLuKAZb*v|G=&4tGSbn32*Itc}nrH{l~ zVv4Yi1wm@80$&Vorjqcg1;JBU;4fv;PhWxi&<~Yuop_DZOLK z{epyByC_Z{BfPZFyWKEbtt?tloo)VEtn4;^G^}}*$qVb>=(iON)ZX=XnV=EShx*s*}u7&dRQ{O*MtFj<;~0U!rUPHawYl_8{-Cd?N~o(Do_ zsK)P=rL;ZJ3=ejJ&hUJ--~h+rL5{-ASr-)lQNB`tQzYeH`ohphhHD7h?#El_*3_n) zNl=e*oWCdEX*bUALs4wSJi@0hNl2&Sv5SY(%?^zodoE(fx(a&b3(Zzt4BO{H&&fJ| zLm{zX!L8f>jf3OMih}$7J*>FV{`}b`t%bR7@5D+RwKwg5P+NNYL(CzA>&cru+Whxe zfJHl|v+ss)>v=n%ZS=S1$E~_6v&D2%Ru|{s;%~R_ZYtikx+h|vP*56RrdFZ)HHz2f zH(hVmQ&njm*Ou=LH9)eqTvOB;&i?WEvc|neDpGvF50haIl%de7iBl}8&;r^3yZ~6M zQDBc)Gc!E6uPn6++T)-w#idmcfjcxJY)-KxI|k=_mNbR}Es0$YfFl0hgn@u*F@L$Z z*R8t+_O-nWdsG1$U_-6}!cW#TIQi-drfDfTp`ry%(bOu)={8K!mx3^S1SIi>G*50` zY<`4iJ-3&5iDGPS6p+Ncxx3u|M90<(ylZ7a_xxT-ghUUxcSqw)Zb;ZW-r!tisBH=&rBjz|^x?wOr+&C2@2@gE!4scoq)4v+{U^ z0!}|#w^OF!z1JhD*4__)4}B>eKIi5bfDwp+1je-;u~uQ0Fhu~`EzNuac@u?|=E^4^ z1Ku^1VLHSHhSd$Rgyu0tvD&9+Pgbl2W*%4tWDL#Yz0f?Kb`hTc7)9E4G78_wFcepa z^0kiY`zbHa2F6fICYb8asiIce8*4}q)C%i%D=1psBu?I l1ygB_)g+a=VM=s?&P`$!_Jj=#OZjJ5+FCRCSd0E0>wgL>%KZQU From 8741d6323a0ba0c30a2837223bc9650bdcad4505 Mon Sep 17 00:00:00 2001 From: Alan Date: Mon, 28 Aug 2017 14:20:37 -0500 Subject: [PATCH 286/288] Fixed typo --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..d6f7125f33 100644 --- a/CHANGES +++ b/CHANGES @@ -850,7 +850,7 @@ 2.4-683 | 2016-07-08 14:55:04 -0700 - * Extendign connection history field to flag with '^' when Bro flips + * Extending connection history field to flag with '^' when Bro flips a connection's endpoints. Addresses BIT-1629. (Robin Sommer) 2.4-680 | 2016-07-06 09:18:21 -0700 From e1997144c2cb7bdca4f6079e1fe4228c1c380609 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 11 Sep 2017 09:26:33 -0700 Subject: [PATCH 287/288] Fix small OCSP parser bug. It turns out that the serial number field in all events was never populated correctly. Instead, the previous field (issuer key hash) was re-read and repeated in all events. --- src/file_analysis/analyzer/x509/OCSP.cc | 1 + .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../.stdout | 4 ++-- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 16 ++++++++-------- .../ocsp.log | 12 ++++++------ 10 files changed, 29 insertions(+), 28 deletions(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 2b3d9f5fd2..02c9274999 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -71,6 +71,7 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout index 4678baf15d..45bec12af2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout @@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 3D474496FF942316, good, 0.0, , 1436577056.0, 1437181856.0 ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index bdb8384676..3c092fce95 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-10-23-35-49 +#open 2017-09-11-16-24-17 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 -#close 2017-02-10-23-35-50 +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 good - - 1436577056.000000 1437181856.000000 +#close 2017-09-11-16-24-17 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout index ca94887c05..293ea05c75 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout @@ -1,2 +1,2 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout index 3996bbd84f..0f3ad8f536 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout @@ -1,5 +1,5 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 3707e84c48..a2ea3b6893 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-41 +#open 2017-09-11-16-24-41 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-41 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout index 230e80b4cd..7ca240f05c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index e897453b5c..306819f251 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-52 +#open 2017-09-11-16-24-53 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-52 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-53 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout index 545f761acc..5e444491b2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout @@ -1,20 +1,20 @@ request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 58b226320d..387342197a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-56 +#open 2017-09-11-16-25-05 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 -1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 -1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 -1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 -#close 2017-02-11-00-00-56 +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-09-11-16-25-05 From 1a6b6f2586556ca0fdaee2dbae6a04936cda08dd Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 11 Sep 2017 21:02:07 -0500 Subject: [PATCH 288/288] Updating CHANGES and VERSION. --- CHANGES | 7 +++++++ VERSION | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..2bd08b9cf1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-297 | 2017-09-11 09:26:33 -0700 + + * Fix small OCSP parser bug; serial numbers were not passed to events + (Johanna Amann) + + * Fix expire-redef.bro test. (Daniel Thayer) + 2.5-294 | 2017-08-11 13:51:49 -0500 * Fix core.truncation unit test on macOS. (Jon Siwek) diff --git a/VERSION b/VERSION index 303202a260..a5ed34e608 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-294 +2.5-297