Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Use our new features to send the CN and SAN fields of certificates to

Browse source 
the intel framework.
This commit is contained in:
Johanna Amann 2015-03-03 17:13:55 -08:00
parent e48c6ccc4a
commit 946f19fb9d
4 changed files with 63 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/policy/frameworks/intel/seen/ssl.bro
View file

@ -10,3 +10,16 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
$conn=c,
$where=SSL::IN_SERVER_NAME]);
}
event ssl_established(c: connection)
{
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )
return;
if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=X509::IN_CERT]);
}

10
scripts/policy/frameworks/intel/seen/x509.bro
View file

@ -2,6 +2,16 @@
@load base/files/x509
@load ./where-locations
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
{
if ( ext?$dns )
for ( i in ext$dns )
Intel::seen([$indicator=ext$dns[i],
$indicator_type=Intel::DOMAIN,
$f=f,
$where=X509::IN_CERT]);
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
{
if ( /emailAddress=/ in cert$subject )