Enable OCSP logging by default.

In the past I thought that this is not super interesting. However, it turns out that this can actually contain a slew of interresting information - like operating systems querying for the revocation of software signing certificates, e.g. So - let's just enable this as a default log for the future.
2025-10-07 09:08:20 +00:00 · 2021-05-05 10:40:22 +01:00 · 2021-05-05 10:40:22 +01:00 · 64ab1bbd47
commit 64ab1bbd47
parent bfd589bc30
12 changed files with 98 additions and 74 deletions
--- a/scripts/base/files/x509/load.zeek
+++ b/scripts/base/files/x509/load.zeek
@ -1,2 +1,4 @@
@load ./main
@load ./certificate-event-cache
+
+@load ./log-ocsp
--- a/scripts/base/files/x509/certificate-event-cache.zeek
+++ b/scripts/base/files/x509/certificate-event-cache.zeek
@ -8,6 +8,8 @@
 ##! the parsing of certificate information in the core is disabled. Instead, the cached events
 ##! and data structures from the previous certificates are used.

+@load ./main
+
 module X509;

 export {
--- a/scripts/base/files/x509/log-ocsp.zeek
+++ b/scripts/base/files/x509/log-ocsp.zeek
@ -0,0 +1,61 @@
+##! Enable logging of OCSP responses.
+
+module OCSP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	global log_policy: Log::PolicyHook;
+
+	## The record type which contains the fields of the OCSP log.
+	type Info: record {
+		## Time when the OCSP reply was encountered.
+		ts: time &log;
+		## File id of the OCSP reply.
+		id: string &log;
+		## Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+		hashAlgorithm: string &log;
+		## Hash of the issuer's distingueshed name.
+		issuerNameHash: string &log;
+		## Hash of the issuer's public key.
+		issuerKeyHash: string &log;
+		## Serial number of the affected certificate.
+		serialNumber: string &log;
+		## Status of the affected certificate.
+		certStatus: string &log;
+		## Time at which the certificate was revoked.
+		revoketime: time &log &optional;
+		## Reason for which the certificate was revoked.
+		revokereason: string &log &optional;
+		## The time at which the status being shows is known to have been correct.
+		thisUpdate: time &log;
+		## The latest time at which new information about the status of the certificate will be available.
+		nextUpdate: time &log &optional;
+	};
+
+	## Event that can be handled to access the OCSP record
+	## as it is sent to the logging framework.
+	global log_ocsp: event(rec: Info);
+}
+
+event zeek_init() &priority=5
+	{
+	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+			      $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+			      $thisUpdate=thisUpdate);
+
+	if ( revokereason != "" )
+		wr$revokereason = revokereason;
+	if ( time_to_double(revoketime) != 0 )
+		wr$revoketime = revoketime;
+	if ( time_to_double(nextUpdate) != 0 )
+		wr$nextUpdate = nextUpdate;
+
+	Log::write(LOG, wr);
+	}