mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 09:38:19 +00:00
Revert change to only log certificates once per hour.
addresses BIT-953, BIT-760, BIT-1150
This commit is contained in:
Bernhard Amann
parent
b0c3486fd6
commit
74d728656d
2 changed files with 18 additions and 50 deletions
|
|
@ -6,15 +6,12 @@ module X509;
|
|||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
## Set that keeps track of the certificates which were logged recently.
|
||||
global cert_hashes: set[string] &create_expire=1hrs &synchronized &redef;
|
||||
|
||||
type Info: record {
|
||||
## current timestamp
|
||||
ts: time &log;
|
||||
|
||||
## SHA-1 hash of this certificate
|
||||
sha1: string &log &optional;
|
||||
## file id of this certificate
|
||||
id: string &log;
|
||||
|
||||
## Basic information about the certificate
|
||||
certificate: X509::Certificate &log;
|
||||
|
|
@ -48,20 +45,9 @@ redef record Files::Info += {
|
|||
x509: X509::Info &optional;
|
||||
};
|
||||
|
||||
# Either, this event arrives first - then info$x509 does not exist
|
||||
# yet and this is a no-op, and the sha1 value is set in x509_certificate.
|
||||
# Or the x509_certificate event arrives first - then the hash is set here.
|
||||
event file_hash(f: fa_file, kind: string, hash: string)
|
||||
{
|
||||
if ( f$info?$x509 && kind == "sha1" )
|
||||
f$info$x509$sha1 = hash;
|
||||
}
|
||||
|
||||
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
|
||||
{
|
||||
f$info$x509 = [$ts=f$info$ts, $certificate=cert, $handle=cert_ref];
|
||||
if ( f$info?$sha1 )
|
||||
f$info$x509$sha1 = f$info$sha1;
|
||||
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
|
||||
}
|
||||
|
||||
event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
|
||||
|
|
@ -87,17 +73,5 @@ event file_state_remove(f: fa_file) &priority=5
|
|||
if ( ! f$info?$x509 )
|
||||
return;
|
||||
|
||||
if ( ! f$info$x509?$sha1 )
|
||||
{
|
||||
Reporter::error(fmt("Certificate without a hash value. Logging skipped. File-id: %s", f$id));
|
||||
return;
|
||||
}
|
||||
|
||||
if ( f$info$x509$sha1 in cert_hashes )
|
||||
# we already have seen & logged this certificate
|
||||
return;
|
||||
|
||||
add cert_hashes[f$info$x509$sha1];
|
||||
|
||||
Log::write(LOG, f$info$x509);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,17 +11,17 @@ export {
|
|||
## complete signing chain.
|
||||
cert_chain: vector of Files::Info &optional;
|
||||
|
||||
## An ordered vector of all certicate sha1 hashes for the
|
||||
## An ordered vector of all certicate file unique IDs for the
|
||||
## certificates offered by the server.
|
||||
cert_chain_sha1s: vector of string &optional &log;
|
||||
cert_chain_fuids: vector of string &optional &log;
|
||||
|
||||
## Chain of certificates offered by the client to validate its
|
||||
## complete signing chain.
|
||||
client_cert_chain: vector of Files::Info &optional;
|
||||
|
||||
## An ordered vector of all certicate sha1 hashes for the
|
||||
## An ordered vector of all certicate file unique IDs for the
|
||||
## certificates offered by the client.
|
||||
client_cert_chain_sha1s: vector of string &optional &log;
|
||||
client_cert_chain_fuids: vector of string &optional &log;
|
||||
|
||||
## Subject of the X.509 certificate offered by the server.
|
||||
subject: string &log &optional;
|
||||
|
|
@ -107,22 +107,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
{
|
||||
c$ssl$cert_chain = vector();
|
||||
c$ssl$client_cert_chain = vector();
|
||||
c$ssl$cert_chain_fuids = string_vec();
|
||||
c$ssl$client_cert_chain_fuids = string_vec();
|
||||
}
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
|
||||
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
|
||||
}
|
||||
else
|
||||
{
|
||||
c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
|
||||
c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
|
||||
}
|
||||
|
||||
Files::add_analyzer(f, Files::ANALYZER_X509);
|
||||
# always calculate hashes. SHA1 is always required for certificates.
|
||||
# always calculate hashes. They are not necessary for base scripts
|
||||
# but very useful for identification, and required for policy scripts
|
||||
Files::add_analyzer(f, Files::ANALYZER_MD5);
|
||||
Files::add_analyzer(f, Files::ANALYZER_SHA1);
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=6
|
||||
{
|
||||
# update subject and issuer information as well as sha1 hashes
|
||||
# update subject and issuer information
|
||||
if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
|
||||
{
|
||||
c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
|
||||
|
|
@ -134,19 +143,4 @@ event ssl_established(c: connection) &priority=6
|
|||
c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
|
||||
c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
|
||||
}
|
||||
|
||||
|
||||
if ( c$ssl?$cert_chain )
|
||||
{
|
||||
c$ssl$cert_chain_sha1s = string_vec();
|
||||
for ( i in c$ssl$cert_chain )
|
||||
c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
|
||||
}
|
||||
|
||||
if ( c$ssl?$client_cert_chain )
|
||||
{
|
||||
c$ssl$client_cert_chain_sha1s = string_vec();
|
||||
for ( i in c$ssl$client_cert_chain )
|
||||
c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue