Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Revert change to only log certificates once per hour.

Browse source 
addresses BIT-953, BIT-760, BIT-1150
This commit is contained in:
Bernhard Amann 2014-03-13 13:38:44 -07:00
parent b0c3486fd6
commit 74d728656d
2 changed files with 18 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

32
scripts/base/files/x509/main.bro
View file

@ -6,15 +6,12 @@ module X509;
export { export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
## Set that keeps track of the certificates which were logged recently.
global cert_hashes: set[string] &create_expire=1hrs &synchronized &redef;
type Info: record { type Info: record {
## current timestamp ## current timestamp
ts: time &log; ts: time &log;
## SHA-1 hash of this certificate ## file id of this certificate
sha1: string &log &optional; id: string &log;
## Basic information about the certificate ## Basic information about the certificate
certificate: X509::Certificate &log; certificate: X509::Certificate &log;
@ -48,20 +45,9 @@ redef record Files::Info += {
x509: X509::Info &optional; x509: X509::Info &optional;
}; };
# Either, this event arrives first - then info$x509 does not exist
# yet and this is a no-op, and the sha1 value is set in x509_certificate.
# Or the x509_certificate event arrives first - then the hash is set here.
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( f$info?$x509 && kind == "sha1" )
f$info$x509$sha1 = hash;
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
{ {
f$info$x509 = [$ts=f$info$ts, $certificate=cert, $handle=cert_ref]; f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
if ( f$info?$sha1 )
f$info$x509$sha1 = f$info$sha1;
} }
event x509_extension(f: fa_file, ext: X509::Extension) &priority=5 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
@ -87,17 +73,5 @@ event file_state_remove(f: fa_file) &priority=5
if ( ! f$info?$x509 ) if ( ! f$info?$x509 )
return; return;
if ( ! f$info$x509?$sha1 )
{
Reporter::error(fmt("Certificate without a hash value. Logging skipped. File-id: %s", f$id));
return;
}
if ( f$info$x509$sha1 in cert_hashes )
# we already have seen & logged this certificate
return;
add cert_hashes[f$info$x509$sha1];
Log::write(LOG, f$info$x509); Log::write(LOG, f$info$x509);
} }

36
scripts/base/protocols/ssl/files.bro
View file

@ -11,17 +11,17 @@ export {
## complete signing chain. ## complete signing chain.
cert_chain: vector of Files::Info &optional; cert_chain: vector of Files::Info &optional;
## An ordered vector of all certicate sha1 hashes for the ## An ordered vector of all certicate file unique IDs for the
## certificates offered by the server. ## certificates offered by the server.
cert_chain_sha1s: vector of string &optional &log; cert_chain_fuids: vector of string &optional &log;
## Chain of certificates offered by the client to validate its ## Chain of certificates offered by the client to validate its
## complete signing chain. ## complete signing chain.
client_cert_chain: vector of Files::Info &optional; client_cert_chain: vector of Files::Info &optional;
## An ordered vector of all certicate sha1 hashes for the ## An ordered vector of all certicate file unique IDs for the
## certificates offered by the client. ## certificates offered by the client.
client_cert_chain_sha1s: vector of string &optional &log; client_cert_chain_fuids: vector of string &optional &log;
## Subject of the X.509 certificate offered by the server. ## Subject of the X.509 certificate offered by the server.
subject: string &log &optional; subject: string &log &optional;
@ -107,22 +107,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
{ {
c$ssl$cert_chain = vector(); c$ssl$cert_chain = vector();
c$ssl$client_cert_chain = vector(); c$ssl$client_cert_chain = vector();
c$ssl$cert_chain_fuids = string_vec();
c$ssl$client_cert_chain_fuids = string_vec();
} }
if ( is_orig ) if ( is_orig )
{
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
}
else else
{
c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
}
Files::add_analyzer(f, Files::ANALYZER_X509); Files::add_analyzer(f, Files::ANALYZER_X509);
# always calculate hashes. SHA1 is always required for certificates. # always calculate hashes. They are not necessary for base scripts
# but very useful for identification, and required for policy scripts
Files::add_analyzer(f, Files::ANALYZER_MD5); Files::add_analyzer(f, Files::ANALYZER_MD5);
Files::add_analyzer(f, Files::ANALYZER_SHA1); Files::add_analyzer(f, Files::ANALYZER_SHA1);
} }
event ssl_established(c: connection) &priority=6 event ssl_established(c: connection) &priority=6
{ {
# update subject and issuer information as well as sha1 hashes # update subject and issuer information
if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 ) if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
{ {
c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject; c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
@ -134,19 +143,4 @@ event ssl_established(c: connection) &priority=6
c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject; c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer; c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
} }
if ( c$ssl?$cert_chain )
{
c$ssl$cert_chain_sha1s = string_vec();
for ( i in c$ssl$cert_chain )
c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
}
if ( c$ssl?$client_cert_chain )
{
c$ssl$client_cert_chain_sha1s = string_vec();
for ( i in c$ssl$client_cert_chain )
c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
}
} }