More script tuning

- Moved some of the weird events back to the base/ directory. - Fixed more bugs with SSL certificate handling.
2025-10-02 06:38:20 +00:00 · 2011-10-04 17:06:45 -04:00 · 2011-10-04 17:06:45 -04:00 · 26290bb56c
commit 26290bb56c
parent dc47203cd7
4 changed files with 22 additions and 21 deletions
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@ -377,6 +377,21 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
 	report_weird(t, name, id, F, "", action, no_log);
 	}
 	
+event conn_weird(name: string, c: connection, addl: string)
+	{
+	report_weird_conn(network_time(), name, id_string(c$id), addl, c);
+	}
+
+event flow_weird(name: string, src: addr, dst: addr)
+	{
+	report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
+	}
+
+event net_weird(name: string)
+	{
+	report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
+	}
+
 event connection_state_remove(c: connection)
 	{
 	delete weird_ignore[id_string(c$id)];
--- a/scripts/policy/protocols/conn/weirds.bro
+++ b/scripts/policy/protocols/conn/weirds.bro
@ -18,21 +18,6 @@ export {
 	};
 }

-event conn_weird(name: string, c: connection, addl: string)
-	{
-	report_weird_conn(network_time(), name, id_string(c$id), addl, c);
-	}
-
-event flow_weird(name: string, src: addr, dst: addr)
-	{
-	report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
-	}
-
-event net_weird(name: string)
-	{
-	report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
-	}
-
 event rexmit_inconsistency(c: connection, t1: string, t2: string)
 	{
 	if ( c$id !in did_inconsistency_msg )
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@ -36,7 +36,9 @@ export {
 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 	{
 	# If this isn't the host cert or we aren't interested in the server, just return.
-	if ( ! c$ssl?$cert_hash || ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
+	if ( chain_idx != 0 ||
+		 ! c$ssl?$cert_hash || 
+		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;
 	
 	if ( cert$not_valid_before > network_time() )
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@ -46,17 +46,16 @@ event bro_init() &priority=5

 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 	{
-	# We aren't tracking client certificates yet.
-	if ( ! c$ssl?$cert_hash ) return;
+	# Make sure this is the server cert and we have a hash for it.
+	if ( chain_idx == 0 && ! c$ssl?$cert_hash ) return;
 	
 	local host = c$id$resp_h;
 	if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
 		{
-		add certs[host, cert$serial];
+		add certs[host, c$ssl$cert_hash];
 		Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
 		                              $port_num=c$id$resp_p, $subject=cert$subject,
 		                              $issuer_subject=cert$issuer,
-		                              $serial=cert$serial,
-		                              $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$cert_hash)]);
+		                              $serial=cert$serial]);
 		}
 	}