Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

More script tuning

Browse source 
- Moved some of the weird events back to the base/ directory.

- Fixed more bugs with SSL certificate handling.
This commit is contained in:
Seth Hall 2011-10-04 17:06:45 -04:00
parent dc47203cd7
commit 26290bb56c
4 changed files with 22 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

15
scripts/base/frameworks/notice/weird.bro
View file

@ -376,6 +376,21 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
report_weird(t, name, id, F, "", action, no_log); report_weird(t, name, id, F, "", action, no_log);
} }
event conn_weird(name: string, c: connection, addl: string)
{
report_weird_conn(network_time(), name, id_string(c$id), addl, c);
}
event flow_weird(name: string, src: addr, dst: addr)
{
report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
}
event net_weird(name: string)
{
report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
}
event connection_state_remove(c: connection) event connection_state_remove(c: connection)
{ {

15
scripts/policy/protocols/conn/weirds.bro
View file

@ -18,21 +18,6 @@ export {
}; };
} }
event conn_weird(name: string, c: connection, addl: string)
{
report_weird_conn(network_time(), name, id_string(c$id), addl, c);
}
event flow_weird(name: string, src: addr, dst: addr)
{
report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
}
event net_weird(name: string)
{
report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
}
event rexmit_inconsistency(c: connection, t1: string, t2: string) event rexmit_inconsistency(c: connection, t1: string, t2: string)
{ {
if ( c$id !in did_inconsistency_msg ) if ( c$id !in did_inconsistency_msg )

4
scripts/policy/protocols/ssl/expiring-certs.bro
View file

@ -36,7 +36,9 @@ export {
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{ {
# If this isn't the host cert or we aren't interested in the server, just return. # If this isn't the host cert or we aren't interested in the server, just return.
if ( ! c$ssl?$cert_hash || ! addr_matches_host(c$id$resp_h, notify_certs_expiration) ) if ( chain_idx != 0 ||
! c$ssl?$cert_hash ||
! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
return; return;
if ( cert$not_valid_before > network_time() ) if ( cert$not_valid_before > network_time() )

9
scripts/policy/protocols/ssl/known-certs.bro
View file

@ -46,17 +46,16 @@ event bro_init() &priority=5
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{ {
# We aren't tracking client certificates yet. # Make sure this is the server cert and we have a hash for it.
if ( ! c$ssl?$cert_hash ) return; if ( chain_idx == 0 && ! c$ssl?$cert_hash ) return;
local host = c$id$resp_h; local host = c$id$resp_h;
if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) ) if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
{ {
add certs[host, cert$serial]; add certs[host, c$ssl$cert_hash];
Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
$port_num=c$id$resp_p, $subject=cert$subject, $port_num=c$id$resp_p, $subject=cert$subject,
$issuer_subject=cert$issuer, $issuer_subject=cert$issuer,
$serial=cert$serial, $serial=cert$serial]);
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$cert_hash)]);
} }
} }