OCSP: split into two analysers in scriptland.

Instead of having an additional string argument specifying whether we are
sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and
an ANALYZER_OCSP_REPLY.
Johanna Amann 2017-02-09 16:14:08 -08:00
parent e1bcc4509f
commit 1b19ab78b6
4 changed files with 19 additions and 25 deletions


@ -13,7 +13,7 @@ export {
ocsp_type: string &optional; ocsp_type: string &optional;
}; };
## ocsp logging ## ocsp logging
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
## type for pending ocsp request ## type for pending ocsp request
@ -23,7 +23,7 @@ export {
## one ocsp request record ## one ocsp request record
type Info_req: record { type Info_req: record {
## time for the request ## time for the request
ts: time; ts: time;
## file id for this request or ## file id for this request or
## hash of the GET url if it's GET request ## hash of the GET url if it's GET request
id: string &log &optional; id: string &log &optional;


@ -74,21 +74,19 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
BIO_reset(bio); BIO_reset(bio);
} }
file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file)
{ {
Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); return new OCSP(args, file, true);
if (! ocsp_type )
return 0;
return new OCSP(args, file, ocsp_type->AsString()->CheckString());
} }
file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) {
return new OCSP(args, file, false);
}
file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request)
: file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request)
{ {
ocsp_type = arg_ocsp_type;
ocsp_data.clear();
} }
bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len)
@ -108,7 +106,7 @@ bool file_analysis::OCSP::EndOfFile()
{ {
const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data()); const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
if (ocsp_type == "request") if ( request )
{ {
OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size());
@ -121,7 +119,7 @@ bool file_analysis::OCSP::EndOfFile()
ParseRequest(req, GetFile()->GetID().c_str()); ParseRequest(req, GetFile()->GetID().c_str());
OCSP_REQUEST_free(req); OCSP_REQUEST_free(req);
} }
else if (ocsp_type == "response") else
{ {
OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size());
if (!resp) if (!resp)
@ -134,11 +132,6 @@ bool file_analysis::OCSP::EndOfFile()
ParseResponse(resp_val, GetFile()->GetID().c_str()); ParseResponse(resp_val, GetFile()->GetID().c_str());
Unref(resp_val); Unref(resp_val);
} }
else
{
reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str()));
return false;
}
return true; return true;
} }
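Review bot: The new constructor still looks up its component with `file_mgr->GetComponentTag("OCSP")`, but this same commit replaces the "OCSP" component registration in Plugin.cc with "OCSP_REQUEST" and "OCSP_REPLY", so the lookup names a component that no longer exists. I cannot see from here what GetComponentTag returns for an unknown name; if it yields an empty or invalid tag, every OCSP analyzer instance would be constructed with a tag that does not match the component that instantiated it, which would affect anything keyed on the analyzer tag (logging, file-analysis lookups). The initializer should follow the new split: `: file_analysis::Analyzer(file_mgr->GetComponentTag(arg_request ? "OCSP_REQUEST" : "OCSP_REPLY"), args, file), request(arg_request)`. The same two string literals then appear in both OCSP.cc and Plugin.cc, so a short comment next to the AddComponent calls noting that the names must stay in sync with the constructor would help the next maintainer.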


@ -23,18 +23,18 @@ public:
virtual bool Undelivered(uint64 offset, uint64 len); virtual bool Undelivered(uint64 offset, uint64 len);
virtual bool EndOfFile(); virtual bool EndOfFile();
static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file);
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file);
protected: protected:
OCSP(RecordVal* args, File* file, const string& ocsp_type); OCSP(RecordVal* args, File* file, bool request);
private: private:
void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseResponse(OCSP_RESPVal *, const char* fid = 0);
void ParseRequest(OCSP_REQUEST *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0);
std::string ocsp_data; std::string ocsp_data;
std::string ocsp_type; bool request = false; // true if ocsp request, false if reply
}; };
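Review bot: The new factory methods InstantiateRequest and InstantiateReply are undocumented, and the naming is inconsistent with the rest of the class, which calls the other side a "response" (ParseResponse, OCSP_RESPVal, d2i_OCSP_RESPONSE); either name works, but using "Reply" in the public factory and component name while the parser uses "Response" makes the pairing harder to follow. A one-line Doxygen comment on each would fix the first point, e.g. `/// Creates an analyzer that parses the file as a DER-encoded OCSP request.` and `/// Creates an analyzer that parses the file as a DER-encoded OCSP response (reply).`. The default member initializer `bool request = false;` is also dead, since the only constructor always sets `request` in its initializer list; keep one or the other so the intent is clear.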
class OCSP_RESPVal: public OpaqueVal { class OCSP_RESPVal: public OpaqueVal {


@ -14,7 +14,8 @@ public:
plugin::Configuration Configure() plugin::Configuration Configure()
{ {
AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
plugin::Configuration config; plugin::Configuration config;
config.name = "Bro::X509"; config.name = "Bro::X509";