diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index 0782cef3e7..331ea388e5 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -1,5 +1,7 @@
-@load base/utils/directions-and-hosts
+##! This script can be used to log information about certificates while
+##! attempting to avoid duplicate logging.
+@load base/utils/directions-and-hosts
 @load base/protocols/ssl
 @load protocols/ssl/cert-hash
@@ -31,8 +33,8 @@ export {
 ## The set of all known certificates to store for preventing duplicate
 ## logging. It can also be used from other scripts to
 ## inspect if a certificate has been seen in use. The string value
- ## in the set is for storing the certificate's serial number.
- global known_certs: set[addr, string] &create_expire=1day &synchronized &redef;
+ ## in the set is for storing the DER formatted certificate's MD5 hash.
+ global certs: set[addr, string] &create_expire=1day &synchronized &redef;
 global log_known_certs: event(rec: CertsInfo);
 }
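Review bot: The updated comment on `certs` says the string is the MD5 of the DER certificate but carries no caveat that MD5 is not collision resistant, so two different certificates seen for one host could map to the same entry and the second would be left out of the log until the `&create_expire=1day` timeout. I would add a line such as `## MD5 is only a dedup key here; membership is not proof that a specific certificate was seen.` Separately, the comment invites other scripts to inspect this set, so renaming the exported `known_certs` to `certs` will break any script that still uses the old name; that deserves a mention in the commit message or release notes. The `export` block starts above the hunk.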
@@ -42,17 +44,17 @@ event bro_init() &priority=5
 Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
 }
-event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=5
+event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 {
 # We aren't tracking client certificates yet.
 if ( ! is_server ) return;
 # We are also only tracking the primary cert.
 if ( chain_idx != 0 ) return;
-
+
 local host = c$id$resp_h;
- if ( [host, cert$serial] !in known_certs && addr_matches_host(host, cert_tracking) )
+ if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
 {
- add known_certs[host, cert$serial];
+ add certs[host, cert$serial];
 Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, $port_num=c$id$resp_p, $subject=cert$subject, $issuer_subject=cert$issuer,
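Review bot: The membership test and the insert use different keys: the `if` checks `[host, c$ssl$cert_hash] !in certs`, but the body still runs `add certs[host, cert$serial];`, so the hash key is never stored and the same certificate would be logged again on every connection. The insert should be `add certs[host, c$ssl$cert_hash];`. The hash is presumably filled in by protocols/ssl/cert-hash at a higher priority, which would explain the drop to `&priority=3`; if the field is optional, a guard such as `if ( ! c?$ssl || ! c$ssl?$cert_hash ) return;` before the lookup would avoid a runtime error when it is unset. The handler body continues past the end of the hunk.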