add connection in ocsp log

Liang Zhu 2015-07-02 17:46:43 -07:00
parent da122a6a14
commit 8844d344af
5 changed files with 47 additions and 25 deletions


@ -23,6 +23,10 @@ export {
ts: time; ts: time;
## file id for this request ## file id for this request
id: string &log; id: string &log;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## version ## version
version: count &log &optional; version: count &log &optional;
## requestor name ## requestor name
@ -37,9 +41,13 @@ export {
## one ocsp response record ## one ocsp response record
type Info_resp: record { type Info_resp: record {
## time for the response ## time for the response
ts: time; ts: time &log;
## file id for this response ## file id for this response
id: string &log; id: string &log;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## responseStatus (different from cert status?) ## responseStatus (different from cert status?)
responseStatus: string &log; responseStatus: string &log;
## responseType ## responseType
@ -68,8 +76,20 @@ export {
## timestamp for request if a corresponding request is present ## timestamp for request if a corresponding request is present
## OR timestamp for response if a corresponding request is not found ## OR timestamp for response if a corresponding request is not found
ts: time &log; ts: time &log;
## connection id
cid: conn_id &log;
## connection uid
cuid: string &log;
## cert id
certId: OCSP::CertId &log &optional; certId: OCSP::CertId &log &optional;
## request
req: Info_req &log &optional; req: Info_req &log &optional;
## response
resp: Info_resp &log &optional; resp: Info_resp &log &optional;
}; };
@ -127,7 +147,7 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
$issuerKeyHash = one_req$issuerKeyHash, $issuerKeyHash = one_req$issuerKeyHash,
$serialNumber = one_req$serialNumber]; $serialNumber = one_req$serialNumber];
local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid];
if (req?$version) if (req?$version)
req_rec$version = req$version; req_rec$version = req$version;
@ -147,12 +167,12 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
else else
{ {
# no request content? this is weird but log it anyway # no request content? this is weird but log it anyway
local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid];
if (req?$version) if (req?$version)
req_rec_empty$version = req$version; req_rec_empty$version = req$version;
if (req?$requestorName) if (req?$requestorName)
req_rec_empty$requestorName = req$requestorName; req_rec_empty$requestorName = req$requestorName;
Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]);
} }
} }
@ -178,6 +198,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
$issuerKeyHash = single_resp$issuerKeyHash, $issuerKeyHash = single_resp$issuerKeyHash,
$serialNumber = single_resp$serialNumber]; $serialNumber = single_resp$serialNumber];
local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, local resp_rec: Info_resp = [$ts = network_time(), $id = f$id,
$cid=conn$id, $cuid=conn$uid,
$responseStatus = resp$responseStatus, $responseStatus = resp$responseStatus,
$responseType = resp$responseType, $responseType = resp$responseType,
$version = resp$version, $version = resp$version,
@ -193,14 +214,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
{ {
# find a match # find a match
local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]);
Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]);
if (Queue::len(conn$ocsp_requests[cert_id]) == 0) if (Queue::len(conn$ocsp_requests[cert_id]) == 0)
delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it?
} }
else else
{ {
# do not find a match; this is weird but log it # do not find a match; this is weird but log it
Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]);
} }
} }
} }
@ -208,12 +229,13 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
{ {
# no response content? this is weird but log it anyway # no response content? this is weird but log it anyway
local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id,
$cid=conn$id, $cuid=conn$uid,
$responseStatus = resp$responseStatus, $responseStatus = resp$responseStatus,
$responseType = resp$responseType, $responseType = resp$responseType,
$version = resp$version, $version = resp$version,
$responderID = resp$responderID, $responderID = resp$responderID,
$producedAt = resp$producedAt]; $producedAt = resp$producedAt];
Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]);
} }
} }
@ -223,7 +245,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
Queue::get_vector(q, reqs); Queue::get_vector(q, reqs);
for ( i in reqs ) for ( i in reqs )
Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]);
} }
function log_unmatched_msgs(msgs: PendingRequests) function log_unmatched_msgs(msgs: PendingRequests)
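Review bot: In `log_unmatched_msgs_queue` the new `Log::write` reads `reqs[i]$cid` and `reqs[i]$cuid`, but both fields are declared `&optional` on `Info_req` (and `Info_resp`), while `Info$cid` and `Info$cuid` are mandatory `&log` fields. Every constructor visible in this commit sets them, so the read works today, but an `Info_req` queued without them would most likely hit a missing-field runtime error when the queue is flushed, and the unmatched request would then never reach ocsp.log. Either drop `&optional` from `cid`/`cuid` in the two records, or guard the write with `if ( reqs[i]?$cid && reqs[i]?$cuid )`. The function's body starts outside the hunk, and so does the place where `conn` is derived from `f`, so it is worth confirming that the connection chosen there is the one the analyst should pivot to when a file is seen on more than one connection.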


@ -8,7 +8,7 @@ export {
## timestamp ## timestamp
ts: time &log; ts: time &log;
## connection uid ## connection id
cid: conn_id &log; cid: conn_id &log;
## connection uid ## connection uid


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2015-06-19-16-32-33 #open 2015-07-03-00-39-57
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string #types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - -
#close 2015-06-19-16-32-33 #close 2015-07-03-00-39-57


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2015-06-19-16-32-23 #open 2015-07-03-00-40-58
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string #types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-23 #close 2015-07-03-00-40-58


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2015-06-19-16-32-39 #open 2015-07-03-00-38-40
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string #types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z 1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-39 #close 2015-07-03-00-38-40