Change SSL and X.509 logging format
This commit changes the SSL and X.509 logging formats to something that, hopefully, gradually approaches what they will look like in the future. The X.509 log is not yet deduplicated; this will come later. This commit introduces two new options, which determine whether certificate issuers and subjects are still logged in ssl.log. The default is to log the host (server) subject/issuer but to drop client-certificate information, since client certificates are not a commonly used feature nowadays.
This commit is contained in:
parent
64ab1bbd47
commit
b02f22a667
70 changed files with 586 additions and 543 deletions
|
@ -14,21 +14,21 @@ export {
|
|||
## Indicates that a certificate's NotValidAfter date has lapsed
|
||||
## and the certificate is now invalid.
|
||||
Certificate_Expired,
|
||||
## Indicates that a certificate is going to expire within
|
||||
## Indicates that a certificate is going to expire within
|
||||
## :zeek:id:`SSL::notify_when_cert_expiring_in`.
|
||||
Certificate_Expires_Soon,
|
||||
## Indicates that a certificate's NotValidBefore date is future
|
||||
## dated.
|
||||
Certificate_Not_Valid_Yet,
|
||||
};
|
||||
|
||||
## The category of hosts you would like to be notified about which have
|
||||
## certificates that are going to be expiring soon. By default, these
|
||||
## notices will be suppressed by the notice framework for 1 day after
|
||||
|
||||
## The category of hosts you would like to be notified about which have
|
||||
## certificates that are going to be expiring soon. By default, these
|
||||
## notices will be suppressed by the notice framework for 1 day after
|
||||
## a particular certificate has had a notice generated.
|
||||
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
|
||||
option notify_certs_expiration = LOCAL_HOSTS;
|
||||
|
||||
|
||||
## The time before a certificate is going to expire that you would like
|
||||
## to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
|
||||
option notify_when_cert_expiring_in = 30days;
|
||||
|
@ -42,24 +42,24 @@ event ssl_established(c: connection) &priority=3
|
|||
! c$ssl$cert_chain[0]?$x509 || ! c$ssl$cert_chain[0]?$sha1 )
|
||||
return;
|
||||
|
||||
local fuid = c$ssl$cert_chain_fuids[0];
|
||||
local fuid = c$ssl$cert_chain[0]$fuid;
|
||||
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
||||
local hash = c$ssl$cert_chain[0]$sha1;
|
||||
|
||||
|
||||
if ( cert$not_valid_before > network_time() )
|
||||
NOTICE([$note=Certificate_Not_Valid_Yet,
|
||||
$conn=c, $suppress_for=1day,
|
||||
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
|
||||
$fuid=fuid]);
|
||||
|
||||
|
||||
else if ( cert$not_valid_after < network_time() )
|
||||
NOTICE([$note=Certificate_Expired,
|
||||
$conn=c, $suppress_for=1day,
|
||||
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
|
||||
$fuid=fuid]);
|
||||
|
||||
|
||||
else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
|
||||
NOTICE([$note=Certificate_Expires_Soon,
|
||||
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
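Review bot: The suppression key `$identifier=cat(c$id$resp_h, c$id$resp_p, hash)` used by the Certificate_Not_Valid_Yet and Certificate_Expired notices is not explained, and together with `$suppress_for=1day` it is what limits these to one notice per server endpoint and certificate per day. A one-line comment above the first NOTICE, `# Key suppression on server endpoint + certificate hash: one notice per cert per day.`, would make that intent visible. The hash is the file analyzer's SHA-1 (`cert_chain[0]$sha1`); it is only a dedup key here, not a trust decision, which is worth stating since the rest of this commit moves the OCSP cache key to SHA-256. The Certificate_Expires_Soon NOTICE and the rest of ssl_established continue outside the hunk.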
|
||||
|
|
|
@ -165,14 +165,14 @@ event ssl_established(c: connection) &priority=3
|
|||
{
|
||||
if ( ! c$ssl?$cert_chain )
|
||||
return;
|
||||
|
||||
|
||||
if ( |c$ssl$cert_chain| < 1 )
|
||||
return;
|
||||
|
||||
|
||||
if ( ! c$ssl$cert_chain[0]?$x509 )
|
||||
return;
|
||||
|
||||
local fuid = c$ssl$cert_chain_fuids[0];
|
||||
local fuid = c$ssl$cert_chain[0]$fuid;
|
||||
|
||||
if ( ! c$ssl$cert_chain[0]?$sha1 )
|
||||
{
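Review bot: The three consecutive guards at the top of this hunk (`c$ssl?$cert_chain`, `|c$ssl$cert_chain| < 1`, `cert_chain[0]?$x509`) are written as separate early returns, while the sibling ssl_established handlers touched by this commit fold the same checks into one condition. Since `||` short-circuits in Zeek, they can be merged without changing behaviour: `if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 || ! c$ssl$cert_chain[0]?$x509 ) return;`, which keeps the new `local fuid = c$ssl$cert_chain[0]$fuid;` line adjacent to the `?$sha1` check that follows it. The handler's body continues past the end of the hunk.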
|
||||
|
|
|
@ -6,71 +6,8 @@
|
|||
|
||||
module X509;
|
||||
|
||||
export {
|
||||
redef record Info += {
|
||||
## Logging of certificate is suppressed if set to F
|
||||
logcert: bool &default=T;
|
||||
};
|
||||
}
|
||||
|
||||
# We need both the Info and the fa_file record modified.
|
||||
# The only instant when we have both, the connection and the
|
||||
# file available without having to loop is in the file_over_new_connection
|
||||
# event.
|
||||
# When that event is raised, the x509 record in f$info (which is the only
|
||||
# record the logging framework gets) is not yet available. So - we
|
||||
# have to do this two times, sorry.
|
||||
# Alternatively, we could place it info Files::Info first - but we would
|
||||
# still have to copy it.
|
||||
redef record fa_file += {
|
||||
logcert: bool &default=T;
|
||||
};
|
||||
|
||||
hook X509::log_policy(rec: X509::Info, id: Log::ID, filter: Log::Filter)
|
||||
{
|
||||
if ( ! rec$logcert )
|
||||
if ( ! rec$host_cert )
|
||||
break;
|
||||
}
|
||||
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
|
||||
{
|
||||
if ( ( ! f?$conns ) || ( |f$conns| != 1 ) )
|
||||
return;
|
||||
|
||||
if ( ! f?$info || ! f$info?$mime_type )
|
||||
return;
|
||||
|
||||
if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
|
||||
|| f$info$mime_type == "application/pkix-cert" ) )
|
||||
return;
|
||||
|
||||
local c: connection &is_assigned;
|
||||
|
||||
for ( cid, c in f$conns )
|
||||
{
|
||||
if ( ! c?$ssl )
|
||||
return;
|
||||
}
|
||||
|
||||
local chain: vector of string;
|
||||
|
||||
if ( f$is_orig )
|
||||
chain = c$ssl$client_cert_chain_fuids;
|
||||
else
|
||||
chain = c$ssl$cert_chain_fuids;
|
||||
|
||||
if ( |chain| == 0 )
|
||||
{
|
||||
Reporter::warning(fmt("Certificate not in chain? (fuid %s)", f$id));
|
||||
return;
|
||||
}
|
||||
|
||||
# Check if this is the host certificate
|
||||
if ( f$id != chain[0] )
|
||||
f$logcert=F;
|
||||
}
|
||||
|
||||
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=2
|
||||
{
|
||||
f$info$x509$logcert = f$logcert; # info record available, copy information.
|
||||
}
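Review bot: The rewritten `X509::log_policy` hook reads `rec$host_cert` with no `?$host_cert` test; whether that is safe depends on how `host_cert` is declared in X509::Info, which is outside this hunk. If the field is `&optional` rather than `&default=F`, certificates not tied to an SSL connection (the removed file_sniff code explicitly bailed out when `! f?$conns` or `|f$conns| != 1`) would raise a missing-field error instead of being filtered, so a guard such as `if ( ! rec?$host_cert || ! rec$host_cert ) break;` is cheap insurance. Note also that the removed logic still logged the first certificate of the client chain when `f$is_orig` was set; if `host_cert` is only set for the server's leaf, client leaf certificates now disappear from x509.log as well. That change in coverage should be stated above the hook, e.g. `# Only the server's leaf certificate is logged; intermediates and client certificates are dropped.`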
|
||||
|
|
|
@ -26,7 +26,7 @@ export {
|
|||
|
||||
}
|
||||
|
||||
# MD5 hash values for recently validated chains along with the OCSP validation
|
||||
# SHA256 hash values for recently validated chains along with the OCSP validation
|
||||
# status are kept in this table to avoid constant validation every time the same
|
||||
# certificate chain is seen.
|
||||
global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
|
||||
|
@ -49,7 +49,11 @@ event ssl_established(c: connection) &priority=3
|
|||
chain[i] = c$ssl$cert_chain[i]$x509$handle;
|
||||
}
|
||||
|
||||
local reply_id = cat(md5_hash(c$ssl$ocsp_response), join_string_vec(c$ssl$cert_chain_fuids, "."));
|
||||
local chain_fuids = "";
|
||||
for ( i in c$ssl$cert_chain )
|
||||
chain_fuids += cat(c$ssl$cert_chain[i]$fuid, ",");
|
||||
|
||||
local reply_id = cat(sha256_hash(c$ssl$ocsp_response), chain_fuids);
|
||||
|
||||
if ( reply_id in recently_ocsp_validated )
|
||||
{
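Review bot: The new `reply_id` is built by appending `cat(c$ssl$cert_chain[i]$fuid, ",")` in a loop, which yields a trailing separator and a different join format from the `join_string_vec(..., ".")` the removed line used. Collecting the fuids into a vector and joining keeps the key format uniform: `fuids[i] = c$ssl$cert_chain[i]$fuid;` inside the loop, then `local reply_id = cat(sha256_hash(c$ssl$ocsp_response), join_string_vec(fuids, "."));`. The switch from md5 to `sha256_hash` for the response is the right direction, though as a cache key into `recently_ocsp_validated` it only needs to be collision-resistant for dedup purposes; a short comment saying so would stop a reader from taking it for a trust check. The enclosing ssl_established handler starts and ends outside this hunk.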
|
||||
|
|
|
@ -55,7 +55,7 @@ event ssl_established(c: connection) &priority=3
|
|||
! c$ssl$cert_chain[0]?$x509 )
|
||||
return;
|
||||
|
||||
local fuid = c$ssl$cert_chain_fuids[0];
|
||||
local fuid = c$ssl$cert_chain[0]$fuid;
|
||||
local cert = c$ssl$cert_chain[0]$x509$certificate;
|
||||
local hash = c$ssl$cert_chain[0]$sha1;
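Review bot: `c$ssl$cert_chain[0]$sha1` is read at the end of this hunk, but the visible tail of the guard only tests `! c$ssl$cert_chain[0]?$x509`, whereas the expiring-certs handler in this same commit guards both `?$x509` and `?$sha1`. The start of the condition lies outside the hunk, so if it already tests `?$sha1` this is moot; otherwise extend it to `! c$ssl$cert_chain[0]?$x509 || ! c$ssl$cert_chain[0]?$sha1 )` so a chain entry without a computed hash does not abort the handler with a missing-field error. The handler's body continues past the end of the hunk.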
|
||||
|
||||
|
|