Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Updates for known-certs.

Browse source 
- Fixed a crash.

- Made some other small style updates.
This commit is contained in:
Seth Hall 2011-10-04 14:32:11 -04:00
parent 5a04190ffe
commit 5a45c246e5
1 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/policy/protocols/ssl/known-certs.bro
View file

@ -1,5 +1,7 @@
@load base/utils/directions-and-hosts
##! This script can be used to log information about certificates while
##! attempting to avoid duplicate logging.
@load base/utils/directions-and-hosts
@load base/protocols/ssl
@load protocols/ssl/cert-hash
@ -31,8 +33,8 @@ export {
## The set of all known certificates to store for preventing duplicate
## logging. It can also be used from other scripts to
## inspect if a certificate has been seen in use. The string value
## in the set is for storing the certificate's serial number.
global known_certs: set[addr, string] &create_expire=1day &synchronized &redef;
## in the set is for storing the DER formatted certificate's MD5 hash.
global certs: set[addr, string] &create_expire=1day &synchronized &redef;
global log_known_certs: event(rec: CertsInfo);
}
@ -42,7 +44,7 @@ event bro_init() &priority=5
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=5
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{
# We aren't tracking client certificates yet.
if ( ! is_server ) return;
@ -50,9 +52,9 @@ event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: co
if ( chain_idx != 0 ) return;
local host = c$id$resp_h;
if ( [host, cert$serial] !in known_certs && addr_matches_host(host, cert_tracking) )
if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
{
add known_certs[host, cert$serial];
add certs[host, cert$serial];
Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
$port_num=c$id$resp_p, $subject=cert$subject,
$issuer_subject=cert$issuer,