Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Change SSL and X.509 logging format

Browse source 
This commit changes the SSL and X.509 logging formats to something that,
hopefully, slowly approaches what they will look like in the future.

X.509 log is not yet deduplicated; this will come in the future.

This commit introduces two new options, which determine if certificate
issuers and subjects are still logged in ssl.log. The default is to have
the host subject/issuer logged, but to remove client-certificate
information. Client-certificates are not a typically used feature
nowadays.
This commit is contained in:
Johanna Amann 2021-05-13 12:46:11 +01:00
parent 64ab1bbd47
commit b02f22a667
70 changed files with 586 additions and 543 deletions
Download patch file Download diff file Expand all files Collapse all files

6
testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ssl
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T FHRcwD4vPs7uj2D7m6,FjrkUT3ceLKRNN1Tnb (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fps client_cert_chain_fps subject issuer
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T a580247a25324adf4add5af648de4ac5798030dfd622f26a5f2280d7528ae244,250da2691be97c9a33ceef7e311c14fb01846e058a99cea9bd1125bd25a0cad5 (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US
#close XXXX-XX-XX-XX-XX-XX

8
testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
View file

@ -5,8 +5,8 @@
#unset_field -
#path x509
#open XXXX-XX-XX-XX-XX-XX
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
XXXXXXXXXX.XXXXXX FHRcwD4vPs7uj2D7m6 3 36F5DA5300000000505E CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - *.gstatic.com,gstatic.com,*.metric.gstatic.com - - - - -
XXXXXXXXXX.XXXXXX FjrkUT3ceLKRNN1Tnb 3 0B6771 CN=Google Internet Authority,O=Google Inc,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T 0
#fields ts fp certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool
XXXXXXXXXX.XXXXXX a580247a25324adf4add5af648de4ac5798030dfd622f26a5f2280d7528ae244 3 36F5DA5300000000505E CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - *.gstatic.com,gstatic.com,*.metric.gstatic.com - - - - - T F
XXXXXXXXXX.XXXXXX 250da2691be97c9a33ceef7e311c14fb01846e058a99cea9bd1125bd25a0cad5 3 0B6771 CN=Google Internet Authority,O=Google Inc,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T 0 F F
#close XXXX-XX-XX-XX-XX-XX