Updates for known-certs.

- Fixed a crash.

- Made some other small style updates.
Seth Hall 2011-10-04 14:32:11 -04:00
parent 5a04190ffe
commit 5a45c246e5


@ -1,5 +1,7 @@
@load base/utils/directions-and-hosts ##! This script can be used to log information about certificates while
##! attempting to avoid duplicate logging.
@load base/utils/directions-and-hosts
@load base/protocols/ssl @load base/protocols/ssl
@load protocols/ssl/cert-hash @load protocols/ssl/cert-hash
@ -31,8 +33,8 @@ export {
## The set of all known certificates to store for preventing duplicate ## The set of all known certificates to store for preventing duplicate
## logging. It can also be used from other scripts to ## logging. It can also be used from other scripts to
## inspect if a certificate has been seen in use. The string value ## inspect if a certificate has been seen in use. The string value
## in the set is for storing the certificate's serial number. ## in the set is for storing the DER formatted certificate's MD5 hash.
global known_certs: set[addr, string] &create_expire=1day &synchronized &redef; global certs: set[addr, string] &create_expire=1day &synchronized &redef;
global log_known_certs: event(rec: CertsInfo); global log_known_certs: event(rec: CertsInfo);
} }
@ -42,17 +44,17 @@ event bro_init() &priority=5
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]); Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
} }
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=5 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{ {
# We aren't tracking client certificates yet. # We aren't tracking client certificates yet.
if ( ! is_server ) return; if ( ! is_server ) return;
# We are also only tracking the primary cert. # We are also only tracking the primary cert.
if ( chain_idx != 0 ) return; if ( chain_idx != 0 ) return;
local host = c$id$resp_h; local host = c$id$resp_h;
if ( [host, cert$serial] !in known_certs && addr_matches_host(host, cert_tracking) ) if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
{ {
add known_certs[host, cert$serial]; add certs[host, cert$serial];
Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
$port_num=c$id$resp_p, $subject=cert$subject, $port_num=c$id$resp_p, $subject=cert$subject,
$issuer_subject=cert$issuer, $issuer_subject=cert$issuer,