mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Include certificate information in SSL::Weak_Key notice
This commit is contained in:
Johanna Amann
parent
0aafc8ae6c
commit
5f04f216bc
2 changed files with 6 additions and 4 deletions
|
|
@ -57,7 +57,7 @@ event ssl_established(c: connection) &priority=3
|
||||||
|
|
||||||
local fuid = c$ssl$cert_chain[0]$fuid;
|
local fuid = c$ssl$cert_chain[0]$fuid;
|
||||||
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
||||||
local hash = c$ssl$cert_chain[0]$sha1;
|
local hash = c$ssl$cert_chain[0]$x509$fingerprint;
|
||||||
|
|
||||||
if ( !cert?$key_type || !cert?$key_length )
|
if ( !cert?$key_type || !cert?$key_length )
|
||||||
return;
|
return;
|
||||||
|
|
@ -71,7 +71,9 @@ event ssl_established(c: connection) &priority=3
|
||||||
NOTICE([$note=Weak_Key,
|
NOTICE([$note=Weak_Key,
|
||||||
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
|
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
|
||||||
$conn=c, $suppress_for=1day,
|
$conn=c, $suppress_for=1day,
|
||||||
$identifier=cat(c$id$resp_h, c$id$resp_h, hash, key_length)
|
$identifier=cat(c$id$resp_h, c$id$resp_h, hash, key_length),
|
||||||
|
$sub=fmt("Subject: %s", cert$subject),
|
||||||
|
$file_desc=fmt("Fingerprint: %s", hash)
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@
|
||||||
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
|
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - Fingerprint: b706ad178447821cc60aca1e0cd59697333a6178fd1c73f839fbdfb5b76bc507 tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key Subject: emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
|
|
@ -30,5 +30,5 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tc
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
||||||
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
|
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - Fingerprint: ddd0218a34972ceab3d200b78959bd2b4c95eadf37399df35bfd68a5b658bc78 tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key Subject: CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - -
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue