Deprecate extract-certs-pem.zeek and add log-certs-base64.zeek

Extract-certs-pem writes pem files to a dedicated file; since it does not really work in cluster-environments it was never super helpful. This commit deprecates this file and, instead, adds log-certs-base64.zeek, which adds the base64-encoded certificate (which is basically equivalent with a PEM) to the log-file. Since, nowadays, the log-files are deduplicates this should not add a huge overhead.
2025-10-02 06:38:20 +00:00 · 2021-06-28 16:09:27 +01:00 · 2021-06-28 16:09:27 +01:00 · 279a060fae
commit 279a060fae
parent dde1e2e77e
7 changed files with 44 additions and 1 deletions
--- a/scripts/policy/protocols/ssl/log-certs-base64.zeek
+++ b/scripts/policy/protocols/ssl/log-certs-base64.zeek
@ -0,0 +1,19 @@
+##! This script is used to extract certificates seen on the wire to Zeek log files.
+##! The certificates are base64-encoded and written to ssl.log, to the newly added cert
+##! field.
+
+@load base/protocols/ssl
+@load base/files/x509
+
+redef record X509::Info += {
+	## Base64 endoded X.509 certificate.
+	cert: string &log &optional;
+};
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=1
+	{
+	if ( ! f$info?$x509 )
+		return;
+
+	f$info$x509$cert = encode_base64(x509_get_certificate_string(cert_ref));
+	}