diff --git a/scripts/policy/protocols/ssl/weak-keys.zeek b/scripts/policy/protocols/ssl/weak-keys.zeek
index 2b201117f8..e1b604ebb9 100644
--- a/scripts/policy/protocols/ssl/weak-keys.zeek
+++ b/scripts/policy/protocols/ssl/weak-keys.zeek
@@ -71,7 +71,7 @@ event ssl_established(c: connection) &priority=3
 NOTICE([$note=Weak_Key,
 $msg=fmt("Host uses weak certificate with %d bit key", key_length),
 $conn=c,
 $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_h, hash, key_length),
+ $identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
 $sub=fmt("Subject: %s", cert$subject),
 $file_desc=fmt("Fingerprint: %s", hash)
 ]);
@@ -90,15 +90,15 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 NOTICE([$note=Old_Version,
 $msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
 $conn=c,
 $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_h)
+ $identifier=cat(c$id$resp_h, c$id$resp_p)
 ]);
 }
 if ( unsafe_ciphers_regex in c$ssl$cipher )
 NOTICE([$note=Weak_Cipher,
- $msg=fmt("Host established connection using unsafe ciper suite %s", c$ssl$cipher),
+ $msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
 $conn=c,
 $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_h, c$ssl$cipher)
+ $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
 ]);
 }
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log
index 38594f9c9a..2891226929 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log
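Review bot: The new `$identifier` values in both hunks still join the responder address and port with `cat()`, which concatenates its arguments without any separator, so two distinct responders can produce the same suppression key: with a constructed example, `192.168.1.1` + `443/tcp` and `192.168.1.14` + `43/tcp` both render as `192.168.1.1443/tcp`, and the 1day suppression raised for one would silence the Weak_Key, Old_Version or Weak_Cipher notice for the other. Inserting an explicit separator keeps the key unambiguous, e.g. `$identifier=cat(c$id$resp_h, ":", c$id$resp_p, hash, key_length),` in the ssl_established notice, with the same `":"` between the two fields in the Old_Version and Weak_Cipher notices of the second hunk. The bodies of ssl_established and ssl_server_hello begin outside the hunks, so the surrounding conditions are not visible here.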
@@ -29,6 +29,6 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tc
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe cipher suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - Fingerprint: ddd0218a34972ceab3d200b78959bd2b4c95eadf37399df35bfd68a5b658bc78 tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key Subject: CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
 #close XXXX-XX-XX-XX-XX-XX