Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add connection in ocsp log

Browse source
This commit is contained in:
Liang Zhu 2015-07-02 17:46:43 -07:00
parent da122a6a14
commit 8844d344af
5 changed files with 47 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

38
scripts/base/files/ocsp/main.bro
View file

@ -23,6 +23,10 @@ export {
ts: time;
## file id for this request
id: string &log;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## version
version: count &log &optional;
## requestor name
@ -37,9 +41,13 @@ export {
## one ocsp response record
type Info_resp: record {
## time for the response
ts: time;
ts: time &log;
## file id for this response
id: string &log;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## responseStatus (different from cert status?)
responseStatus: string &log;
## responseType
@ -68,8 +76,20 @@ export {
## timestamp for request if a corresponding request is present
## OR timestamp for response if a corresponding request is not found
ts: time &log;
## connection id
cid: conn_id &log;
## connection uid
cuid: string &log;
## cert id
certId: OCSP::CertId &log &optional;
## request
req: Info_req &log &optional;
## response
resp: Info_resp &log &optional;
};
@ -127,7 +147,7 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
$issuerKeyHash = one_req$issuerKeyHash,
$serialNumber = one_req$serialNumber];
local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id];
local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid];
if (req?$version)
req_rec$version = req$version;
@ -147,12 +167,12 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
else
{
# no request content? this is weird but log it anyway
local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id];
local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid];
if (req?$version)
req_rec_empty$version = req$version;
if (req?$requestorName)
req_rec_empty$requestorName = req$requestorName;
Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]);
Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]);
}
}
@ -178,6 +198,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
$issuerKeyHash = single_resp$issuerKeyHash,
$serialNumber = single_resp$serialNumber];
local resp_rec: Info_resp = [$ts = network_time(), $id = f$id,
$cid=conn$id, $cuid=conn$uid,
$responseStatus = resp$responseStatus,
$responseType = resp$responseType,
$version = resp$version,
@ -193,14 +214,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
{
# find a match
local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]);
Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]);
Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]);
if (Queue::len(conn$ocsp_requests[cert_id]) == 0)
delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it?
}
else
{
# do not find a match; this is weird but log it
Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]);
Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]);
}
}
}
@ -208,12 +229,13 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
{
# no response content? this is weird but log it anyway
local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id,
$cid=conn$id, $cuid=conn$uid,
$responseStatus = resp$responseStatus,
$responseType = resp$responseType,
$version = resp$version,
$responderID = resp$responderID,
$producedAt = resp$producedAt];
Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]);
Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]);
}
}
@ -223,7 +245,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
Queue::get_vector(q, reqs);
for ( i in reqs )
Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]);
Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]);
}
function log_unmatched_msgs(msgs: PendingRequests)

2
scripts/policy/protocols/ssl/ocsp-stapling.bro
View file

@ -8,7 +8,7 @@ export {
## timestamp
ts: time &log;
## connection uid
## connection id
cid: conn_id &log;
## connection uid

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-33
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - -
#close 2015-06-19-16-32-33
#open 2015-07-03-00-39-57
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - -
#close 2015-07-03-00-39-57

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-23
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-23
#open 2015-07-03-00-40-58
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-07-03-00-40-58

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-39
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-39
#open 2015-07-03-00-38-40
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time addr port addr port string string string string string string count string time string string string count string string string string string
1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-07-03-00-38-40