mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Finishing touches of the x509 file analyzer.
Mostly baseline updates and new tests. addresses BIT-953, BIT-760, BIT-1150
This commit is contained in:
Bernhard Amann
parent
74d728656d
commit
4da0718511
44 changed files with 712 additions and 148 deletions
|
|
@ -2764,8 +2764,6 @@ export {
|
|||
key_length: count &optional; ##< key-length in bits
|
||||
exponent: string &optional; ##< exponent, if RSA-certificate
|
||||
curve: string &optional; ##< curve, if EC-certificate
|
||||
#ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
|
||||
#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
|
||||
} &log;
|
||||
|
||||
type Extension: record {
|
||||
|
|
|
|||
|
|
@ -38,9 +38,6 @@
|
|||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/tunnels
|
||||
|
||||
# needed for the SSL protocol
|
||||
@load base/files/x509
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dhcp
|
||||
@load base/protocols/dnp3
|
||||
|
|
@ -60,6 +57,7 @@
|
|||
@load base/files/hash
|
||||
@load base/files/extract
|
||||
@load base/files/unified2
|
||||
@load base/files/x509
|
||||
|
||||
@load base/misc/find-checksum-offloading
|
||||
@load base/misc/find-filtered-trace
|
||||
|
|
|
|||
|
|
@ -70,8 +70,7 @@ function get_file_handle(c: connection, is_orig: bool): string
|
|||
|
||||
function describe_file(f: fa_file): string
|
||||
{
|
||||
# This shouldn't be needed, but just in case...
|
||||
if ( f$source != "SSL" )
|
||||
if ( f$source != "SSL" || ! f?$info || ! f$info?$x509 || ! f$info$x509?$certificate )
|
||||
return "";
|
||||
|
||||
# It is difficult to reliably describe a certificate - especially since
|
||||
|
|
@ -88,7 +87,9 @@ function describe_file(f: fa_file): string
|
|||
}
|
||||
}
|
||||
|
||||
return "";
|
||||
return cat("Serial: ", f$info$x509$certificate$serial, " Subject: ",
|
||||
f$info$x509$certificate$subject, " Issuer: ",
|
||||
f$info$x509$certificate$issuer);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
|
|
|
|||
|
|
@ -39,24 +39,24 @@ event ssl_established(c: connection) &priority=3
|
|||
! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
|
||||
return;
|
||||
|
||||
local hash = c$ssl$cert_chain[0]$md5;
|
||||
local fuid = c$ssl$cert_chain_fuids[0];
|
||||
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
||||
|
||||
if ( cert$not_valid_before > network_time() )
|
||||
NOTICE([$note=Certificate_Not_Valid_Yet,
|
||||
$conn=c, $suppress_for=1day,
|
||||
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
|
||||
$fuid=fuid]);
|
||||
|
||||
else if ( cert$not_valid_after < network_time() )
|
||||
NOTICE([$note=Certificate_Expired,
|
||||
$conn=c, $suppress_for=1day,
|
||||
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
|
||||
$fuid=fuid]);
|
||||
|
||||
else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
|
||||
NOTICE([$note=Certificate_Expires_Soon,
|
||||
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
|
||||
$conn=c, $suppress_for=1day,
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
|
||||
$fuid=fuid]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -51,6 +51,15 @@ event ssl_established(c: connection) &priority=3
|
|||
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
|
||||
return;
|
||||
|
||||
local fuid = c$ssl$cert_chain_fuids[0];
|
||||
|
||||
if ( ! c$ssl$cert_chain[0]?$sha1 )
|
||||
{
|
||||
Reporter::error(fmt("Certificate with fuid %s did not contain sha1 hash when checking for known certs. Aborting",
|
||||
fuid));
|
||||
return;
|
||||
}
|
||||
|
||||
local hash = c$ssl$cert_chain[0]$sha1;
|
||||
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
||||
|
||||
|
|
|
|||
|
|
@ -102,13 +102,15 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
|
|||
##
|
||||
## root_certs: A list of root certificates to validate the certificate chain
|
||||
##
|
||||
## verify_time: Time for the validity check of the certificates.
|
||||
##
|
||||
## Returns: A record of type X509::Result containing the result code of the verify
|
||||
## operation. In case of success also returns the full certificate chain.
|
||||
##
|
||||
## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
|
||||
## x509_ext_subject_alternative_name x509_parse
|
||||
## x509_get_certificate_string
|
||||
function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
|
||||
function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
|
||||
%{
|
||||
X509_STORE* ctx = 0;
|
||||
int i = 0;
|
||||
|
|
@ -190,7 +192,8 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
|
||||
X509_STORE_CTX csc;
|
||||
X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
|
||||
X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
|
||||
X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time);
|
||||
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_USE_CHECK_TIME);
|
||||
|
||||
int result = X509_verify_cert(&csc);
|
||||
|
||||
|
|
@ -206,7 +209,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
}
|
||||
|
||||
int num_certs = sk_X509_num(chain);
|
||||
chainVector = new VectorVal(new VectorType(base_type(TYPE_OPAQUE)));
|
||||
chainVector = new VectorVal(new VectorType(base_type(TYPE_ANY)));
|
||||
|
||||
for ( int i = 0; i < num_certs; i++ )
|
||||
{
|
||||
|
|
|
|||
7
testing/btest/Baseline/bifs.x509_verify/.stdout
Normal file
7
testing/btest/Baseline/bifs.x509_verify/.stdout
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
Validation result: certificate has expired
|
||||
Validation result: ok
|
||||
Resulting chain:
|
||||
Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
|
||||
Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
|
||||
Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
|
||||
Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2013-10-30-16-52-11
|
||||
#open 2014-03-04-06-37-10
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
|
@ -56,7 +56,6 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
|
||||
|
|
@ -65,6 +64,9 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
|
||||
scripts/base/frameworks/logging/__load__.bro
|
||||
scripts/base/frameworks/logging/main.bro
|
||||
|
|
@ -101,4 +103,4 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/top-k.bif.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
scripts/base/utils/paths.bro
|
||||
#close 2013-10-30-16-52-11
|
||||
#close 2014-03-04-06-37-10
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2014-01-31-22-54-38
|
||||
#open 2014-03-13-22-14-10
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
|
@ -56,7 +56,6 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
|
||||
|
|
@ -65,6 +64,9 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
|
||||
build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
|
||||
scripts/base/frameworks/logging/__load__.bro
|
||||
scripts/base/frameworks/logging/main.bro
|
||||
|
|
@ -187,6 +189,11 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/ssl/consts.bro
|
||||
scripts/base/protocols/ssl/main.bro
|
||||
scripts/base/protocols/ssl/mozilla-ca-list.bro
|
||||
scripts/base/protocols/ssl/files.bro
|
||||
scripts/base/files/x509/__load__.bro
|
||||
scripts/base/files/x509/main.bro
|
||||
scripts/base/files/hash/__load__.bro
|
||||
scripts/base/files/hash/main.bro
|
||||
scripts/base/protocols/http/__load__.bro
|
||||
scripts/base/protocols/http/main.bro
|
||||
scripts/base/protocols/http/entities.bro
|
||||
|
|
@ -213,8 +220,6 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/syslog/consts.bro
|
||||
scripts/base/protocols/syslog/main.bro
|
||||
scripts/base/protocols/tunnels/__load__.bro
|
||||
scripts/base/files/hash/__load__.bro
|
||||
scripts/base/files/hash/main.bro
|
||||
scripts/base/files/extract/__load__.bro
|
||||
scripts/base/files/extract/main.bro
|
||||
scripts/base/files/unified2/__load__.bro
|
||||
|
|
@ -222,4 +227,4 @@ scripts/base/init-default.bro
|
|||
scripts/base/misc/find-checksum-offloading.bro
|
||||
scripts/base/misc/find-filtered-trace.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2014-01-31-22-54-38
|
||||
#close 2014-03-13-22-14-10
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-04-22-24-11
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
|
||||
#types time string addr port addr port string string string string string string time time string string string bool
|
||||
1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161979.000000 1379697979.000000 - CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid T
|
||||
1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348168676.000000 1348206441.000000 - CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid T
|
||||
#close 2014-03-04-22-24-11
|
||||
#open 2014-03-13-20-45-24
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
|
||||
1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
|
||||
1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
|
||||
#close 2014-03-13-20-45-24
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path x509
|
||||
#open 2014-03-13-20-45-24
|
||||
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
|
||||
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
|
||||
1348168976.510615 FBtbj87tgpyeDSj31 2 01 CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161979.000000 1379697979.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
|
||||
1348168976.510615 F8TfgZ31c1dFu8Kt2k 2 EA83D17188B68E4D CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161502.000000 1505841502.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T -
|
||||
1348168976.514202 FVNYOh2BeQBb7MpCPe 2 36B07110 CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162941.000000 1348206441.000000 rsaEncryption sha1WithRSAEncryption rsa 512 65537 - - - - - - -
|
||||
1348168976.514202 FwjBou1e5DbpE0eOgk 2 02 CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162263.000000 1379698263.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
|
||||
1348168976.514202 FbYQmk4x4M4Bx3PZme 2 EA83D17188B68E4D CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161502.000000 1505841502.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T -
|
||||
1348168976.551554 F4SSqN31HDIrrH5Q8h 2 3792E385 CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348168676.000000 1348206441.000000 rsaEncryption sha1WithRSAEncryption rsa 512 65537 - - - - - - -
|
||||
1348168976.551554 FJHp5Pf6VLQsRQK3 2 36B07110 CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162941.000000 1348206441.000000 rsaEncryption sha1WithRSAEncryption rsa 512 65537 - - - - - - -
|
||||
1348168976.551554 FHACqa3dX9BXRV2av 2 02 CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162263.000000 1379698263.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
|
||||
1348168976.551554 FNnDVT1NURRWeoLLN3 2 EA83D17188B68E4D CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161502.000000 1505841502.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T -
|
||||
1348168976.554445 FFWYVj4BcvQb35WIaf 2 36B07110 CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162941.000000 1348206441.000000 rsaEncryption sha1WithRSAEncryption rsa 512 65537 - - - - - - -
|
||||
1348168976.554445 Fj16G835fnJgnVlKU6 2 02 CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162263.000000 1379698263.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
|
||||
1348168976.554445 FGONoc1Nj0Ka5zlxDa 2 EA83D17188B68E4D CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161502.000000 1505841502.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T -
|
||||
#close 2014-03-13-20-45-24
|
||||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-04-22-02-50
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
|
||||
#types time string addr port addr port string string string string string string time time string string string bool
|
||||
1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA ssl.gstatic.com - CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US 1334102677.000000 1365639277.000000 - - - T
|
||||
#close 2014-03-04-22-02-50
|
||||
#open 2014-03-13-20-45-46
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
|
||||
1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA ssl.gstatic.com - - T F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - -
|
||||
#close 2014-03-13-20-45-46
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path x509
|
||||
#open 2014-03-13-20-45-46
|
||||
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
|
||||
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
|
||||
1335538392.343624 F6wfNWn8LR755SYo7 2 36F5DA5300000000505E CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US 1334102677.000000 1365639277.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - *.gstatic.com,gstatic.com,*.metric.gstatic.com - - - - -
|
||||
1335538392.343624 FJl60T1mOolaez9T0h 2 0B6771 CN=Google Internet Authority,O=Google Inc,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US 1244493807.000000 1370634207.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T 0
|
||||
#close 2014-03-13-20-45-46
|
||||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-04-21-57-58
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
|
||||
#types time string addr port addr port string string string string string string time time string string string bool
|
||||
1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - - - - handshake_failure - - F
|
||||
#close 2014-03-04-21-57-58
|
||||
#open 2014-03-13-20-46-30
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
|
||||
1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - handshake_failure F - - - - - -
|
||||
#close 2014-03-13-20-46-30
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-04-22-03-00
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
|
||||
#types time string addr port addr port string string string string string string time time string string string bool
|
||||
1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1304467200.000000 1467676799.000000 - - - T
|
||||
#close 2014-03-04-22-03-00
|
||||
#open 2014-03-13-20-46-09
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
|
||||
1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - - T FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh (empty) CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
|
||||
#close 2014-03-13-20-46-09
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path x509
|
||||
#open 2014-03-13-20-46-09
|
||||
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
|
||||
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
|
||||
1357328848.591964 FlnQzb2dJK4p9jXwmd 2 99FAA8037A4EB2FAEF84EB5E55D5B8C8 CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1304467200.000000 1467676799.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.taleo.net,taleo.net - - - F -
|
||||
1357328848.591964 FaDzX22O4j3kFF6Jqg 2 1690C329B6780607511F05B0344846CB CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 1271376000.000000 1590835718.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0
|
||||
1357328848.591964 F9Tsjm3OdCmGGw43Yh 2 01 CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 959683718.000000 1590835718.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T -
|
||||
#close 2014-03-13-20-46-09
|
||||
|
|
@ -7,24 +7,105 @@
|
|||
1170717505.549109 protocol_confirmation
|
||||
1170717505.549109 ssl_client_hello
|
||||
1170717505.734145 ssl_server_hello
|
||||
1170717505.735416 get_file_handle
|
||||
1170717505.735416 file_new
|
||||
1170717505.735416 file_over_new_connection
|
||||
1170717505.735416 x509_certificate
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_ext_basic_constraints
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 file_hash
|
||||
1170717505.735416 file_hash
|
||||
1170717505.735416 file_state_remove
|
||||
1170717505.735416 get_file_handle
|
||||
1170717505.735416 file_new
|
||||
1170717505.735416 file_over_new_connection
|
||||
1170717505.735416 x509_certificate
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_ext_basic_constraints
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 x509_extension
|
||||
1170717505.735416 file_hash
|
||||
1170717505.735416 file_hash
|
||||
1170717505.735416 file_state_remove
|
||||
1170717505.934612 ssl_established
|
||||
1170717508.515696 new_connection
|
||||
1170717508.696747 connection_established
|
||||
1170717508.697180 protocol_confirmation
|
||||
1170717508.697180 ssl_client_hello
|
||||
1170717508.881857 ssl_server_hello
|
||||
1170717508.883051 get_file_handle
|
||||
1170717508.883051 file_new
|
||||
1170717508.883051 file_over_new_connection
|
||||
1170717508.883051 x509_certificate
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_ext_basic_constraints
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 file_hash
|
||||
1170717508.883051 file_hash
|
||||
1170717508.883051 file_state_remove
|
||||
1170717508.883051 get_file_handle
|
||||
1170717508.883051 file_new
|
||||
1170717508.883051 file_over_new_connection
|
||||
1170717508.883051 x509_certificate
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_ext_basic_constraints
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 x509_extension
|
||||
1170717508.883051 file_hash
|
||||
1170717508.883051 file_hash
|
||||
1170717508.883051 file_state_remove
|
||||
1170717509.082241 ssl_established
|
||||
1170717511.541455 new_connection
|
||||
1170717511.722589 connection_established
|
||||
1170717511.722913 protocol_confirmation
|
||||
1170717511.722913 ssl_client_hello
|
||||
1170717511.908619 ssl_server_hello
|
||||
1170717511.909717 get_file_handle
|
||||
1170717511.909717 file_new
|
||||
1170717511.909717 file_over_new_connection
|
||||
1170717511.909717 x509_certificate
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_ext_basic_constraints
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 file_hash
|
||||
1170717511.909717 file_hash
|
||||
1170717511.909717 file_state_remove
|
||||
1170717511.909717 get_file_handle
|
||||
1170717511.909717 file_new
|
||||
1170717511.909717 file_over_new_connection
|
||||
1170717511.909717 x509_certificate
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_ext_basic_constraints
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 x509_extension
|
||||
1170717511.909717 file_hash
|
||||
1170717511.909717 file_hash
|
||||
1170717511.909717 file_state_remove
|
||||
1170717512.108799 ssl_established
|
||||
1170717528.851698 ChecksumOffloading::check
|
||||
1170717528.851698 connection_state_remove
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -0,0 +1,11 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path notice
|
||||
#open 2014-03-13-21-37-53
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
||||
#types time string addr port addr port string string string enum enum string string addr addr port count string table[enum] interval bool string string string double double
|
||||
1394745603.293028 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
|
||||
1394745619.197766 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
|
||||
#close 2014-03-13-21-37-53
|
||||
|
|
@ -1,34 +1,26 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhk
|
||||
iG9w0BAQUFADCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3Qg
|
||||
TmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBg
|
||||
NVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENB
|
||||
IC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS
|
||||
9DUFMgSW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5
|
||||
NyBWZXJpU2lnbjAeFw0wNjExMTQwMDAwMDBaFw0wNzExMTQyMz
|
||||
U5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJu
|
||||
MREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBBbG
|
||||
xpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21i
|
||||
SDEzMDEGA1UECxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2
|
||||
lnbi5jb20vcnBhIChjKTAwMR8wHQYDVQQDFBZ3d3cuZHJlc2Ru
|
||||
ZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
|
||||
KBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIylad
|
||||
TJJY4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xY
|
||||
O6mmcI/Sy6owiU8LMfFij2BWZbv3+oWfq+mWs2YrhuxoNHU2MP
|
||||
WrRRwYioVbnUMW09KkqVCtF7hwIDAQABo4IBeTCCAXUwCQYDVR
|
||||
0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmgN4Y1
|
||||
aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYX
|
||||
Rpb25hbFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhF
|
||||
AQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2
|
||||
lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG+EIEAQYIKwYB
|
||||
BQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBg
|
||||
EFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsG
|
||||
AQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBw
|
||||
YFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6
|
||||
Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0GCSqGSI
|
||||
b3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIK
|
||||
KZKabarVsWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEF
|
||||
h2z+fWp8y72yXuQl3L8HSr0lTl6LpRD6TDPjT6UvKg5nr0j9x2
|
||||
Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
|
||||
MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhkiG9w0BAQUFADCB
|
||||
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
|
||||
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
|
||||
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
|
||||
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
|
||||
NjExMTQwMDAwMDBaFw0wNzExMTQyMzU5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0G
|
||||
A1UECBMGQmF5ZXJuMREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBB
|
||||
bGxpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21iSDEzMDEGA1UE
|
||||
CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMR8w
|
||||
HQYDVQQDFBZ3d3cuZHJlc2RuZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUA
|
||||
A4GNADCBiQKBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIyladTJJY
|
||||
4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xYO6mmcI/Sy6owiU8LMf
|
||||
Fij2BWZbv3+oWfq+mWs2YrhuxoNHU2MPWrRRwYioVbnUMW09KkqVCtF7hwIDAQAB
|
||||
o4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmg
|
||||
N4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25hbFNl
|
||||
cnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIB
|
||||
FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG
|
||||
+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
|
||||
BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEwX6Fd
|
||||
oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
|
||||
SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0G
|
||||
CSqGSIb3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIKKZKabarV
|
||||
sWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEFh2z+fWp8y72yXuQl3L8HSr
|
||||
0lTl6LpRD6TDPjT6UvKg5nr0j9x2Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path known_certs
|
||||
#open 2014-03-13-21-47-24
|
||||
#fields ts host port_num subject issuer_subject serial
|
||||
#types time addr port string string string
|
||||
1394747126.871404 74.125.239.129 443 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 4A2C8628C1010633
|
||||
#close 2014-03-13-21-47-24
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-13-21-47-24
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
|
||||
1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
|
||||
1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
|
||||
#close 2014-03-13-21-47-24
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path x509
|
||||
#open 2014-03-13-21-47-24
|
||||
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
|
||||
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
|
||||
1394747126.862409 FlaIzV19yTmBYwWwc6 2 4A2C8628C1010633 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1393341558.000000 1401062400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F -
|
||||
1394747126.862409 F0BeiV3cMsGkNML0P2 2 023A69 CN=Google Internet Authority G2,O=Google Inc,C=US CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US 1365174955.000000 1428160555.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0
|
||||
1394747126.862409 F6PfYi2WUoPdIJrhpg 2 12BBE6 CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US 1021953600.000000 1534824000.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T -
|
||||
1394747129.512954 FOye6a4kt8a7QChqw3 2 4A2C8628C1010633 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1393341558.000000 1401062400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F -
|
||||
1394747129.512954 FytlLr3jOQenFAVtYi 2 023A69 CN=Google Internet Authority G2,O=Google Inc,C=US CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US 1365174955.000000 1428160555.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0
|
||||
1394747129.512954 FEmnxy4DGbxkmtQJS1 2 12BBE6 CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US 1021953600.000000 1534824000.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T -
|
||||
#close 2014-03-13-21-47-24
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open 2014-03-13-21-53-03
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
|
||||
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string string
|
||||
1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired
|
||||
1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok
|
||||
#close 2014-03-13-21-53-03
|
||||
BIN
testing/btest/Traces/tls/google-duplicate.trace
Normal file
BIN
testing/btest/Traces/tls/google-duplicate.trace
Normal file
Binary file not shown.
BIN
testing/btest/Traces/tls/tls-expired-cert.trace
Normal file
BIN
testing/btest/Traces/tls/tls-expired-cert.trace
Normal file
Binary file not shown.
25
testing/btest/bifs/x509_verify.bro
Normal file
25
testing/btest/bifs/x509_verify.bro
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_established(c: connection) &priority=3
|
||||
{
|
||||
local chain: vector of opaque of x509 = vector();
|
||||
for ( i in c$ssl$cert_chain )
|
||||
{
|
||||
chain[i] = c$ssl$cert_chain[i]$x509$handle;
|
||||
}
|
||||
|
||||
local result = x509_verify(chain, SSL::root_certs);
|
||||
print fmt("Validation result: %s", result$result_string);
|
||||
if ( result$result != 0 ) # not ok
|
||||
return;
|
||||
|
||||
print "Resulting chain:";
|
||||
for ( i in result$chain_certs )
|
||||
{
|
||||
local cert = result$chain_certs[i];
|
||||
local certinfo = x509_parse(cert);
|
||||
local sha1 = sha1_hash(x509_get_certificate_string(cert));
|
||||
print fmt("Fingerprint: %s, Subject: %s", sha1, certinfo$subject);
|
||||
}
|
||||
}
|
||||
|
|
@ -2,6 +2,7 @@
|
|||
# @TEST-EXEC: btest-diff notice.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
||||
@load base/protocols/ftp/gridftp
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
# This tests a normal SSL connection and the log it outputs.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/tls-conn-with-extensions.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls-1.2-handshake-failure.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info)
|
||||
event x509_extension(f: fa_file, extension: X509::Extension)
|
||||
{
|
||||
# The formatting of CRL Distribution Points varies between OpenSSL versions. Skip it
|
||||
# for the test.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro >all-events.log
|
||||
# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
|
||||
# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include=/ssl_/ >ssl-events.log
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro >all-events.log
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include=/ssl_/ >ssl-events.log
|
||||
#
|
||||
# @TEST-EXEC: btest-diff all-events.log
|
||||
# @TEST-EXEC: btest-diff all-events-no-args.log
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff notice.log
|
||||
|
||||
@load protocols/ssl/expiring-certs
|
||||
|
||||
redef SSL::notify_certs_expiration = ALL_HOSTS;
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff certs-remote.pem
|
||||
|
||||
@load protocols/ssl/extract-certs-pem
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: btest-diff known_certs.log
|
||||
|
||||
@load protocols/ssl/known-certs
|
||||
|
||||
redef Known::cert_tracking = ALL_HOSTS;
|
||||
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
|
||||
@load protocols/ssl/validate-certs
|
||||
Loading…
Add table
Add a link
Reference in a new issue