Remove some deprecated ocsp/ssl base scripts

This commit is contained in:
Tim Wojtulewicz 2022-06-29 09:58:32 -07:00
parent 765a8535e0
commit 6130d32440
10 changed files with 1 additions and 215 deletions

2
doc

@ -1 +1 @@
Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6 Subproject commit f2607e2fab4f83062bc7b3a35bb5f4a7993521c8


@ -1 +0,0 @@
@deprecated("Remove in v5.1. OCSP logging is now enabled by default")


@ -1,56 +0,0 @@
@deprecated "Remove in v5.1. Use log-certs-base64.zeek instead."
##! This script is used to extract host certificates seen on the wire to disk
##! after being converted to PEM files. The certificates will be stored in
##! a single file, one for local certificates and one for remote certificates.
##!
##! .. note::
##!
##! - It doesn't work well on a cluster because each worker will write its
##! own certificate files and no duplicate checking is done across the
##! cluster so each node would log each certificate.
##!
@load base/protocols/ssl
@load base/files/x509
@load base/utils/directions-and-hosts
module SSL;
export {
## Control if host certificates offered by the defined hosts
## will be written to the PEM certificates file.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
option extract_certs_pem = LOCAL_HOSTS;
}
# This is an internally maintained variable to prevent relogging of
# certificates that have already been seen. It is indexed on an sha1 sum of
# the certificate.
global extracted_certs: set[string] = set() &read_expire=1hr &redef;
event ssl_established(c: connection) &priority=5
{
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )
return;
if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
return;
local hash = c$ssl$cert_chain[0]$sha1;
local cert = c$ssl$cert_chain[0]$x509$handle;
if ( hash in extracted_certs )
# If we already extracted this cert, don't do it again.
return;
add extracted_certs[hash];
local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
local outfile = open_for_append(filename);
enable_raw_output(outfile);
print outfile, x509_get_certificate_string(cert, T);
close(outfile);
}


@ -1,106 +0,0 @@
@deprecated("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
@load base/protocols/ssl
module CertNotary;
export {
## A response from the ICSI certificate notary.
type Response: record {
first_seen: count &log &optional;
last_seen: count &log &optional;
times_seen: count &log &optional;
valid: bool &log &optional;
};
## The notary domain to query.
option domain = "notary.icsi.berkeley.edu";
}
redef record SSL::Info += {
## A response from the ICSI certificate notary.
notary: Response &log &optional;
};
# The DNS cache of notary responses.
global notary_cache: table[string] of Response &create_expire = 1 hr;
# The records that wait for a notary response identified by the cert digest.
# Each digest refers to a list of connection UIDs which are updated when a DNS
# reply arrives asynchronously.
global waitlist: table[string] of vector of SSL::Info;
function clear_waitlist(digest: string)
{
if ( digest in waitlist )
{
for ( i in waitlist[digest] )
SSL::undelay_log(waitlist[digest][i], "notary");
delete waitlist[digest];
}
}
event ssl_established(c: connection) &priority=3
{
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$sha1 )
return;
local digest = c$ssl$cert_chain[0]$sha1;
if ( digest in notary_cache )
{
c$ssl$notary = notary_cache[digest];
return;
}
SSL::delay_log(c$ssl, "notary");
local waits_already = digest in waitlist;
if ( ! waits_already )
waitlist[digest] = vector();
waitlist[digest] += c$ssl;
if ( waits_already )
return;
when [digest] ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
{
notary_cache[digest] = [];
# Parse notary answer.
if ( str == "<???>" ) # NXDOMAIN
{
clear_waitlist(digest);
return;
}
local fields = split_string(str, / /);
if ( |fields| != 5 ) # version 1 has 5 fields.
{
clear_waitlist(digest);
return;
}
local version = split_string(fields[0], /=/)[1];
if ( version != "1" )
{
clear_waitlist(digest);
return;
}
local r = notary_cache[digest];
r$first_seen = to_count(split_string(fields[1], /=/)[1]);
r$last_seen = to_count(split_string(fields[2], /=/)[1]);
r$times_seen = to_count(split_string(fields[3], /=/)[1]);
r$valid = split_string(fields[4], /=/)[1] == "1";
# Assign notary answer to all records waiting for this digest.
if ( digest in waitlist )
{
for ( i in waitlist[digest] )
{
local info = waitlist[digest][i];
SSL::undelay_log(info, "notary");
info$notary = r;
}
delete waitlist[digest];
}
}
}


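--- a/test-all-policy.zeek
+++ b/test-all-policy.zeek
@@ -67,7 +67,6 @@
 @load files/unified2/__load__.zeek
 @load files/unified2/main.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
-@load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek
 @load frameworks/software/vulnerable.zeek
@@ -129,13 +128,11 @@
 @load protocols/ssh/software.zeek
 @load protocols/ssl/decryption.zeek
 @load protocols/ssl/expiring-certs.zeek
-# @load protocols/ssl/extract-certs-pem.zeek
 @load protocols/ssl/heartbleed.zeek
 @load protocols/ssl/known-certs.zeek
 @load protocols/ssl/log-certs-base64.zeek
 @load protocols/ssl/ssl-log-ext.zeek
 @load protocols/ssl/log-hostcerts-only.zeek
-#@load protocols/ssl/notary.zeek
 @load protocols/ssl/validate-certs.zeek
 @load protocols/ssl/validate-ocsp.zeek
 @load protocols/ssl/validate-sct.zeek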


@ -2,7 +2,6 @@
# Scripts which are commented out in test-all-policy.zeek. # Scripts which are commented out in test-all-policy.zeek.
@load protocols/ssl/decryption.zeek @load protocols/ssl/decryption.zeek
@load protocols/ssl/notary.zeek
@load frameworks/control/controllee.zeek @load frameworks/control/controllee.zeek
@load frameworks/control/controller.zeek @load frameworks/control/controller.zeek
@load frameworks/management/agent/main.zeek @load frameworks/management/agent/main.zeek
@ -12,7 +11,6 @@
@load frameworks/files/extract-all-files.zeek @load frameworks/files/extract-all-files.zeek
@load policy/misc/dump-events.zeek @load policy/misc/dump-events.zeek
@load policy/protocols/conn/speculative-service.zeek @load policy/protocols/conn/speculative-service.zeek
@load policy/protocols/ssl/extract-certs-pem.zeek
@load ./example.zeek @load ./example.zeek


@ -1,9 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
### NOTE: This file has been sorted with diff-sort. ### NOTE: This file has been sorted with diff-sort.
warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:15 "Remove in v5.1. Use log-certs-base64.zeek instead."
warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead."
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now enabled by default")
warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:5 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")


@ -1,27 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -16,7 +16,6 @@
@load base/protocols/ssl @load base/protocols/ssl
@load base/files/x509 @load base/files/x509
@load protocols/ssl/extract-certs-pem
module SSL; module SSL;
@ -48,11 +47,6 @@ export {
client_dh_Yc: string &log &optional; client_dh_Yc: string &log &optional;
client_ecdh_point: string &log &optional; client_ecdh_point: string &log &optional;
}; };
## Control if host certificates offered by the defined hosts
## will be written to the PEM certificates file.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
redef extract_certs_pem = ALL_HOSTS;
} }
event ssl_established(c: connection) &priority=5 event ssl_established(c: connection) &priority=5


@ -1,6 +0,0 @@
# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT
# @TEST-EXEC: btest-diff certs-remote.pem
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS;