OCSP: re-enable logging, fix tests, fix x509 issue
Re-enable logging, now in policy because it is probably of interest to no one. We also only log OCSP replies. Fix all tests. Fix an issue where OCSP replies were added to the X.509 certificate list.
parent
c550521221
commit
c431d14eed
21 changed files with 323 additions and 571 deletions
|
@ -41,12 +41,15 @@ event bro_init() &priority=5
|
|||
|
||||
Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert");
|
||||
# Always calculate hashes. They are not necessary for base scripts
|
||||
# but very useful for identification, and required for policy scripts
|
||||
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
|
||||
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
|
||||
}
|
||||
|
||||
redef record Files::Info += {
|
||||
|
@ -57,9 +60,6 @@ redef record Files::Info += {
|
|||
|
||||
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
|
||||
{
|
||||
if ( ! f$info?$mime_type )
|
||||
f$info$mime_type = "application/pkix-cert";
|
||||
|
||||
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
|
||||
}
|
||||
|
||||
|
|
|
@ -1,515 +0,0 @@
|
|||
@load base/protocols/http
|
||||
@load base/frameworks/files
|
||||
@load base/utils/paths
|
||||
@load base/utils/queue
|
||||
|
||||
# Note - this needs some cleaning up and is currently not loaded by default.
|
||||
|
||||
module OCSP;
|
||||
|
||||
export {
|
||||
## add one more argument to tell ocsp response or request
|
||||
redef record Files::AnalyzerArgs += {
|
||||
ocsp_type: string &optional;
|
||||
};
|
||||
|
||||
## ocsp logging
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
## type for pending ocsp request
|
||||
type PendingQueue: table[OCSP::CertId] of Queue::Queue;
|
||||
|
||||
## NOTE: one file could contain several requests
|
||||
## one ocsp request record
|
||||
type Info_req: record {
|
||||
## time for the request
|
||||
ts: time;
|
||||
## file id for this request or
|
||||
## hash of the GET url if it's GET request
|
||||
id: string &log &optional;
|
||||
## connection id
|
||||
cid: conn_id &optional;
|
||||
## connection uid
|
||||
cuid: string &optional;
|
||||
## version
|
||||
version: count &log &optional;
|
||||
## requestor name
|
||||
requestorName: string &log &optional;
|
||||
|
||||
## NOTE: the above are for one file which may contain
|
||||
## several ocsp requests
|
||||
|
||||
## one OCSP request may contain several OCSP requests
|
||||
## with different cert id; this is the index of the
|
||||
## OCSP request with cert_id in the big OCSP request
|
||||
index: count &log &optional;
|
||||
## request cert id
|
||||
certId: OCSP::CertId &optional;
|
||||
## HTTP method
|
||||
method: string &optional;
|
||||
};
|
||||
|
||||
## NOTE: one file could contain several response
|
||||
## one ocsp response record
|
||||
type Info_resp: record {
|
||||
## time for the response
|
||||
ts: time;
|
||||
## file id for this response
|
||||
id: string &log;
|
||||
## connection id
|
||||
cid: conn_id &optional;
|
||||
## connection uid
|
||||
cuid: string &optional;
|
||||
## responseStatus (different from cert status?)
|
||||
responseStatus: string &log &optional;
|
||||
## responseType
|
||||
responseType: string &log &optional;
|
||||
## version
|
||||
version: count &log &optional;
|
||||
## responderID
|
||||
responderID: string &log &optional;
|
||||
## producedAt
|
||||
producedAt: time &log &optional;
|
||||
## certificates
|
||||
certs: vector of opaque of x509 &optional;
|
||||
|
||||
## NOTE: the following are specific to one cert id
|
||||
## the above are for one file which may contain
|
||||
## several responses
|
||||
|
||||
## one OCSP response may contain several OCSP responses
|
||||
## with different cert id; this is the index of the
|
||||
## OCSP response with cert_id in the big OCSP response
|
||||
index: count &log &optional;
|
||||
##cert id
|
||||
certId: OCSP::CertId &optional;
|
||||
## certStatus (this is the response to look at)
|
||||
certStatus: string &log &optional;
|
||||
## thisUpdate
|
||||
thisUpdate: time &log &optional;
|
||||
## nextUpdate
|
||||
nextUpdate: time &log &optional;
|
||||
};
|
||||
|
||||
type Info: record {
|
||||
## timestamp for request if a corresponding request is present
|
||||
## OR timestamp for response if a corresponding request is not found
|
||||
ts: time &log;
|
||||
|
||||
## connection id
|
||||
cid: conn_id &log;
|
||||
|
||||
## connection uid
|
||||
cuid: string &log;
|
||||
|
||||
## cert id
|
||||
certId: OCSP::CertId &log &optional;
|
||||
|
||||
## request
|
||||
req: Info_req &log &optional;
|
||||
|
||||
## response timestamp
|
||||
resp_ts: time &log &optional;
|
||||
|
||||
## response
|
||||
resp: Info_resp &log &optional;
|
||||
|
||||
## HTTP method
|
||||
method: string &log &optional;
|
||||
|
||||
## HTTP record
|
||||
http: HTTP::Info &optional;
|
||||
};
|
||||
|
||||
## Event for accessing logged OCSP records.
|
||||
global log_ocsp: event(rec: Info);
|
||||
|
||||
global get_uri_prefix: function(s: string): string;
|
||||
}
|
||||
|
||||
redef record HTTP::Info += {
|
||||
# there should be one request and response but use Queue here
|
||||
# just in case
|
||||
ocsp_requests: PendingQueue &optional;
|
||||
ocsp_responses: PendingQueue &optional;
|
||||
|
||||
current_content_type: string &optional &default="";
|
||||
original_uri: string &optional;
|
||||
|
||||
# flag for checking get uri
|
||||
checked_get: bool &optional &default=F;
|
||||
|
||||
# uri prefix: this the GET url without ocsp request
|
||||
uri_prefix: string &optional;
|
||||
};
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
|
||||
{
|
||||
c$http$original_uri = original_URI;
|
||||
}
|
||||
|
||||
event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
|
||||
{
|
||||
c$http$current_content_type = to_lower(ty + "/" + subty);
|
||||
}
|
||||
|
||||
function check_ocsp_file(f: fa_file, meta: fa_metadata)
|
||||
{
|
||||
if ( f$source != "HTTP" || ! f?$http )
|
||||
return;
|
||||
|
||||
# call OCSP file analyzer
|
||||
if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request")
|
||||
{
|
||||
Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]);
|
||||
}
|
||||
else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response")
|
||||
{
|
||||
Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]);
|
||||
}
|
||||
}
|
||||
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5
|
||||
{
|
||||
if (f$source == "HTTP")
|
||||
check_ocsp_file(f, meta);
|
||||
}
|
||||
|
||||
function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req)
|
||||
{
|
||||
if ( http?$method )
|
||||
req_rec$method = http$method;
|
||||
}
|
||||
|
||||
function update_request_info(rec: Info_req, req: OCSP::Request)
|
||||
{
|
||||
if ( req?$version )
|
||||
rec$version = req$version;
|
||||
|
||||
if ( req?$requestorName )
|
||||
rec$requestorName = req$requestorName;
|
||||
}
|
||||
|
||||
function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId
|
||||
{
|
||||
local cert_id: OCSP::CertId = [];
|
||||
if ( one_req?$hashAlgorithm )
|
||||
cert_id$hashAlgorithm = one_req$hashAlgorithm;
|
||||
|
||||
if ( one_req?$issuerNameHash )
|
||||
cert_id$issuerNameHash = one_req$issuerNameHash;
|
||||
|
||||
if ( one_req?$issuerKeyHash )
|
||||
cert_id$issuerKeyHash = one_req$issuerKeyHash;
|
||||
|
||||
if ( one_req?$serialNumber )
|
||||
cert_id$serialNumber = one_req$serialNumber;
|
||||
|
||||
return cert_id;
|
||||
}
|
||||
|
||||
function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time)
|
||||
{
|
||||
local index: count = 0;
|
||||
if ( req?$requestList && |req$requestList| > 0 )
|
||||
{
|
||||
index += 1;
|
||||
for (x in req$requestList)
|
||||
{
|
||||
local one_req = req$requestList[x];
|
||||
local cert_id: OCSP::CertId = cert_id_from_request(one_req);
|
||||
local req_rec: OCSP::Info_req = [$ts = req_ts,
|
||||
$certId = cert_id,
|
||||
$cid = http$id,
|
||||
$cuid = http$uid,
|
||||
$index = index,
|
||||
$id = req_id];
|
||||
update_request_info(req_rec, req);
|
||||
|
||||
if ( ! http?$ocsp_requests )
|
||||
http$ocsp_requests = table();
|
||||
|
||||
if ( cert_id !in http$ocsp_requests )
|
||||
http$ocsp_requests[cert_id] = Queue::init();
|
||||
|
||||
update_http_info(http, req_rec);
|
||||
Queue::put(http$ocsp_requests[cert_id], req_rec);
|
||||
}
|
||||
}
|
||||
else if ( req?$version )
|
||||
{
|
||||
# it's ocsp request but has no request content
|
||||
# this is weird but log it anyway
|
||||
local req_rec_empty: OCSP::Info_req = [$ts = req_ts,
|
||||
$cid = http$id,
|
||||
$cuid = http$uid,
|
||||
$id = req_id];
|
||||
update_request_info(req_rec_empty, req);
|
||||
update_http_info(http, req_rec_empty);
|
||||
Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]);
|
||||
}
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5
|
||||
{
|
||||
if ( ! f?$http )
|
||||
return;
|
||||
enq_request(f$http, req, f$id, network_time());
|
||||
}
|
||||
|
||||
function get_first_slash(s: string): string
|
||||
{
|
||||
local s_len = |s|;
|
||||
if (s[0] == "/")
|
||||
return "/" + get_first_slash(s[1:s_len]);
|
||||
else
|
||||
return "";
|
||||
}
|
||||
|
||||
function remove_first_slash(s: string): string
|
||||
{
|
||||
local s_len = |s|;
|
||||
if (s[0] == "/")
|
||||
return remove_first_slash(s[1:s_len]);
|
||||
else
|
||||
return s;
|
||||
}
|
||||
|
||||
function get_uri_prefix(s: string): string
|
||||
{
|
||||
local uri_prefix = get_first_slash(s);
|
||||
local w = split_string(s[|uri_prefix|:], /\//);
|
||||
local i = 0;
|
||||
while ( i < (|w| - 1) )
|
||||
{
|
||||
uri_prefix += w[i] + "/";
|
||||
i += 1;
|
||||
}
|
||||
return uri_prefix;
|
||||
}
|
||||
|
||||
function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request
|
||||
{
|
||||
local parsed_req: OCSP::Request;
|
||||
if ( ! http?$original_uri )
|
||||
return parsed_req;;
|
||||
local uri_prefix: string = get_uri_prefix(http$original_uri);
|
||||
http$uri_prefix = uri_prefix;
|
||||
local ocsp_req_str: string = http$uri[|uri_prefix|:];
|
||||
parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str));
|
||||
if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 )
|
||||
{
|
||||
# normal parse fails, bug url, naively try each part
|
||||
local w = split_string(http$original_uri, /\//);
|
||||
local s = "";
|
||||
for ( i in w )
|
||||
{
|
||||
s += w[i] + "/";
|
||||
ocsp_req_str = http$uri[|s|:];
|
||||
parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str));
|
||||
if ( parsed_req?$requestList && |parsed_req$requestList| > 0 )
|
||||
{
|
||||
http$uri_prefix = s;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return parsed_req;
|
||||
}
|
||||
|
||||
function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp)
|
||||
{
|
||||
if ( single_resp?$certStatus )
|
||||
rec$certStatus = single_resp$certStatus;
|
||||
|
||||
if ( single_resp?$thisUpdate )
|
||||
rec$thisUpdate = single_resp$thisUpdate;
|
||||
|
||||
if ( single_resp?$nextUpdate )
|
||||
rec$nextUpdate = single_resp$nextUpdate;
|
||||
}
|
||||
|
||||
function update_response_info(rec: Info_resp, resp: OCSP::Response)
|
||||
{
|
||||
if ( resp?$responseStatus )
|
||||
rec$responseStatus = resp$responseStatus;
|
||||
|
||||
if ( resp?$responseType )
|
||||
rec$responseType = resp$responseType;
|
||||
|
||||
if ( resp?$version )
|
||||
rec$version = resp$version;
|
||||
|
||||
if ( resp?$responderID )
|
||||
rec$responderID = resp$responderID;
|
||||
|
||||
if ( resp?$producedAt )
|
||||
rec$producedAt = resp$producedAt;
|
||||
|
||||
if ( resp?$certs )
|
||||
rec$certs = resp$certs;
|
||||
}
|
||||
|
||||
function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp)
|
||||
{
|
||||
update_response_info(rec, resp);
|
||||
update_response_info_single(rec, single_resp);
|
||||
}
|
||||
|
||||
function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId
|
||||
{
|
||||
local cert_id: OCSP::CertId = [];
|
||||
if ( single_resp?$hashAlgorithm )
|
||||
cert_id$hashAlgorithm = single_resp$hashAlgorithm;
|
||||
|
||||
if ( single_resp?$issuerNameHash )
|
||||
cert_id$issuerNameHash = single_resp$issuerNameHash;
|
||||
|
||||
if ( single_resp?$issuerKeyHash )
|
||||
cert_id$issuerKeyHash = single_resp$issuerKeyHash;
|
||||
|
||||
if ( single_resp?$serialNumber )
|
||||
cert_id$serialNumber = single_resp$serialNumber;
|
||||
|
||||
return cert_id;
|
||||
}
|
||||
|
||||
event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5
|
||||
{
|
||||
if ( ! f?$http )
|
||||
return;
|
||||
|
||||
if ( resp?$responses && |resp$responses| > 0 )
|
||||
{
|
||||
local index: count = 0;
|
||||
for (x in resp$responses)
|
||||
{
|
||||
index += 1;
|
||||
local single_resp: OCSP::SingleResp = resp$responses[x];
|
||||
local cert_id: OCSP::CertId = cert_id_from_response(single_resp);
|
||||
local resp_rec: Info_resp = [$ts = network_time(),
|
||||
$id = f$id,
|
||||
$cid = f$http$id,
|
||||
$cuid = f$http$uid,
|
||||
$index = index,
|
||||
$certId = cert_id];
|
||||
update_response_info_with_single(resp_rec, resp, single_resp);
|
||||
|
||||
if ( ! f$http?$ocsp_responses )
|
||||
f$http$ocsp_responses = table();
|
||||
|
||||
if ( cert_id !in f$http$ocsp_responses )
|
||||
f$http$ocsp_responses[cert_id] = Queue::init();
|
||||
|
||||
Queue::put(f$http$ocsp_responses[cert_id], resp_rec);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
# no response content? this is weird but log it anyway
|
||||
local resp_rec_empty: Info_resp = [$ts = network_time(),
|
||||
$id = f$id,
|
||||
$cid = f$http$id,
|
||||
$cuid = f$http$uid];
|
||||
update_response_info(resp_rec_empty, resp);
|
||||
local info_rec: Info = [$ts = resp_rec_empty$ts,
|
||||
$resp_ts = resp_rec_empty$ts,
|
||||
$resp = resp_rec_empty,
|
||||
$cid = f$http$id,
|
||||
$cuid = f$http$uid,
|
||||
$http = f$http];
|
||||
if ( f$http?$method )
|
||||
info_rec$method = f$http$method;
|
||||
Log::write(LOG, info_rec);
|
||||
}
|
||||
|
||||
# check if there is a OCSP GET request
|
||||
if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get )
|
||||
{
|
||||
f$http$checked_get = T;
|
||||
local req_get: OCSP::Request = check_ocsp_request_uri(f$http);
|
||||
enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts);
|
||||
}
|
||||
}
|
||||
|
||||
function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info)
|
||||
{
|
||||
local reqs: vector of Info_req;
|
||||
Queue::get_vector(q, reqs);
|
||||
for ( i in reqs )
|
||||
{
|
||||
local info_rec: Info = [$ts = reqs[i]$ts,
|
||||
$certId = reqs[i]$certId,
|
||||
$req = reqs[i],
|
||||
$cid = reqs[i]$cid,
|
||||
$cuid = reqs[i]$cuid,
|
||||
$http = http];
|
||||
if ( reqs[i]?$method )
|
||||
info_rec$method = reqs[i]$method;
|
||||
Log::write(LOG, info_rec);
|
||||
}
|
||||
}
|
||||
|
||||
function log_unmatched_reqs(http: HTTP::Info)
|
||||
{
|
||||
local reqs: PendingQueue = http$ocsp_requests;
|
||||
for ( cert_id in reqs )
|
||||
log_unmatched_reqs_queue(reqs[cert_id], http);
|
||||
clear_table(reqs);
|
||||
}
|
||||
|
||||
function start_log_ocsp(http: HTTP::Info)
|
||||
{
|
||||
if ( ! http?$ocsp_requests && ! http?$ocsp_responses )
|
||||
return;
|
||||
|
||||
if ( ! http?$ocsp_responses )
|
||||
{
|
||||
log_unmatched_reqs(http);
|
||||
return;
|
||||
}
|
||||
|
||||
for ( cert_id in http$ocsp_responses )
|
||||
{
|
||||
while ( Queue::len(http$ocsp_responses[cert_id]) != 0 )
|
||||
{
|
||||
# have unmatched responses
|
||||
local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]);
|
||||
local info_rec: Info = [$ts = resp_rec$ts,
|
||||
$certId = resp_rec$certId,
|
||||
$resp_ts = resp_rec$ts,
|
||||
$resp = resp_rec,
|
||||
$cid = http$id,
|
||||
$cuid = http$uid,
|
||||
$http = http];
|
||||
|
||||
if ( http?$ocsp_requests && cert_id in http$ocsp_requests )
|
||||
{
|
||||
# find a match
|
||||
local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]);
|
||||
info_rec$req = req_rec;
|
||||
info_rec$ts = req_rec$ts;
|
||||
if (Queue::len(http$ocsp_requests[cert_id]) == 0)
|
||||
delete http$ocsp_requests[cert_id];
|
||||
}
|
||||
if ( http?$method )
|
||||
info_rec$method = http$method;
|
||||
Log::write(LOG, info_rec);
|
||||
}
|
||||
if ( Queue::len(http$ocsp_responses[cert_id]) == 0 )
|
||||
delete http$ocsp_responses[cert_id];
|
||||
}
|
||||
if ( http?$ocsp_requests && |http$ocsp_requests| != 0 )
|
||||
log_unmatched_reqs(http);
|
||||
}
|
||||
|
||||
# log OCSP information
|
||||
event HTTP::log_http(rec: HTTP::Info)
|
||||
{
|
||||
start_log_ocsp(rec);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
|
||||
}
|
|
@ -91,11 +91,23 @@ event bro_init() &priority=5
|
|||
$describe = SSL::describe_file]);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
|
||||
{
|
||||
if ( ! c?$ssl )
|
||||
if ( |f$conns| != 1 )
|
||||
return;
|
||||
|
||||
if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
|
||||
|| f$info$mime_type == "application/pkix-cert" ) )
|
||||
return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
if ( ! f$conns[cid]?$ssl )
|
||||
return;
|
||||
|
||||
local c = f$conns[cid];
|
||||
}
|
||||
|
||||
if ( ! c$ssl?$cert_chain )
|
||||
{
|
||||
c$ssl$cert_chain = vector();
|
||||
|
@ -104,7 +116,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
c$ssl$client_cert_chain_fuids = string_vec();
|
||||
}
|
||||
|
||||
if ( is_orig )
|
||||
if ( f$is_orig )
|
||||
{
|
||||
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
|
||||
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
|
||||
|
|
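Review bot: The MIME-type check at the top of the new file_sniff body reads `f$info$mime_type` with `$` rather than `?$`, although the x509_certificate handler elsewhere in this commit treats that field as optional (`if ( ! f$info?$mime_type )`), so a file whose type was never sniffed would raise a missing-field error at runtime instead of returning. A guard before the comparison, `if ( ! f$info?$mime_type ) return;`, keeps untyped files out of the certificate chain, which appears to be the intent of the check. The `local c` assigned inside the `for ( cid in f$conns )` loop and read after it works only because of the `|f$conns| != 1` guard above; declaring `local c: connection;` ahead of the loop and assigning inside would make that reliance explicit without changing behaviour. file_sniff's body continues past both hunks of this section.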
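--- /dev/null
+++ b/scripts/policy/files/x509/log-ocsp.bro
@@ -0,0 +1,54 @@
+##! Enable basic OCSP logging.
+
+# This is in policy because probably just about no one is interested
+# in logging OCSP responses.
+
+module OCSP;
+
+export {
+redef enum Log::ID += { LOG };
+
+type Info: record {
+## Current timestamp.
+ts: time &log;
+
+## File id of the ocsp reply.
+id: string &log;
+
+hashAlgorithm: string &log;
+issuerNameHash: string &log;
+issuerKeyHash: string &log;
+serialNumber: string &log;
+certStatus: string &log;
+revoketime: time &log &optional;
+revokereason: string &log &optional;
+thisUpdate: time &log;
+nextUpdate: time &log &optional;
+};
+
+global log_ocsp: event(rec: Info);
+}
+
+event bro_init()
+{
+Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+{
+local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+$issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+$thisUpdate=thisUpdate);
+
+if ( revokereason != "" )
+wr$revokereason = revokereason;
+
+if ( time_to_double(revoketime) != 0 )
+wr$revoketime = revoketime;
+
+if ( time_to_double(nextUpdate) != 0 )
+wr$nextUpdate = nextUpdate;
+
+Log::write(LOG, wr);
+}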
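Review bot: The fields from `hashAlgorithm` through `nextUpdate` in the new Info record carry no `##` documentation, while `ts` and `id` do, so the generated script documentation for the ocsp log would show those columns undocumented. One line each would do, for example `## Status of the certificate as reported by the responder (e.g. good, revoked).` on certStatus and `## Time of revocation, only set when the responder reports the certificate as revoked.` on revoketime; the baseline files in this commit show revoked entries carrying a time and reason while good ones carry `0.0, ,`. The three sentinel comparisons in ocsp_response_certificate also deserve a comment stating that assumption, e.g. `# The event appears to pass an empty reason / zero time when the response has no revocation info or nextUpdate; log them only when present.`, since a reader cannot tell from this file alone why `""` and `0` are the absent values.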
@ -0,0 +1,3 @@
|
|||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0
|
||||
ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ocsp
|
||||
#open 2017-02-09-00-23-43
|
||||
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
|
||||
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
|
||||
1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET
|
||||
#close 2017-02-09-00-23-43
|
||||
#open 2017-02-10-23-35-49
|
||||
#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
|
||||
#types time string string string string string string time string time time
|
||||
1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000
|
||||
#close 2017-02-10-23-35-50
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
request, 0,
|
||||
request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
|
|
@ -1,10 +0,0 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ocsp
|
||||
#open 2017-02-09-00-24-29
|
||||
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
|
||||
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
|
||||
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST
|
||||
#close 2017-02-09-00-24-29
|
|
@ -0,0 +1,5 @@
|
|||
request, 0,
|
||||
request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
|
||||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0
|
||||
ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ocsp
|
||||
#open 2017-02-09-00-24-32
|
||||
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
|
||||
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
|
||||
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST
|
||||
#close 2017-02-09-00-24-32
|
||||
#open 2017-02-11-00-00-41
|
||||
#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
|
||||
#types time string string string string string string time string time time
|
||||
1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000
|
||||
#close 2017-02-11-00-00-41
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
|
|
@ -0,0 +1,3 @@
|
|||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0
|
||||
ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ocsp
|
||||
#open 2017-02-09-00-24-34
|
||||
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
|
||||
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
|
||||
1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 -
|
||||
#close 2017-02-09-00-24-34
|
||||
#open 2017-02-11-00-00-52
|
||||
#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
|
||||
#types time string string string string string string time string time time
|
||||
1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000
|
||||
#close 2017-02-11-00-00-52
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
request, 0,
|
||||
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
|
||||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0
|
||||
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption
|
||||
request, 0,
|
||||
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
|
||||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0
|
||||
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption
|
||||
request, 0,
|
||||
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
|
||||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0
|
||||
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption
|
||||
request, 0,
|
||||
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
|
||||
ocsp_response_status, successful
|
||||
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0
|
||||
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption
|
|
@ -3,11 +3,11 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ocsp
|
||||
#open 2017-02-09-00-24-36
|
||||
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
|
||||
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
|
||||
1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST
|
||||
1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST
|
||||
1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST
|
||||
1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST
|
||||
#close 2017-02-09-00-24-36
|
||||
#open 2017-02-11-00-00-56
|
||||
#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
|
||||
#types time string string string string string string time string time time
|
||||
1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000
|
||||
1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000
|
||||
1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000
|
||||
1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000
|
||||
#close 2017-02-11-00-00-56
|
||||
|
|
|
@ -2,3 +2,42 @@
|
|||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ocsp.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load files/x509/log-ocsp
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
}
|
||||
|
||||
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
|
||||
{
|
||||
print "extension: ", ext, global_resp;
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, version: count, requestorName: string)
|
||||
{
|
||||
print "request", version, requestorName;
|
||||
}
|
||||
|
||||
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
|
||||
{
|
||||
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
|
||||
}
|
||||
|
||||
event ocsp_response_status(f: fa_file, status: string)
|
||||
{
|
||||
print "ocsp_response_status", status;
|
||||
}
|
||||
|
||||
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
|
||||
{
|
||||
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
|
||||
}
|
||||
|
||||
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
||||
{
|
||||
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
|
||||
}
|
||||
|
|
|
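Review bot: The `ocsp_response_bytes` handler takes `certs: x509_opaque_vector` but never looks at it, so the certificates a responder embeds in its reply are not decoded by any test after this commit; the same handler is copied verbatim into the ocsp-request-only, ocsp-request-response, ocsp-response-only and ocsp-revoked tests in the hunks below, and the deleted `ocsp_response` test that did walk `resp$certs` with `x509_parse` has no replacement. The old coverage can be restored inside this handler with `for ( i in certs ) print x509_parse(certs[i]);`, or at least the count pinned with `print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm, |certs|;`. Either way the .stdout baselines need regenerating. Because the test's own comment describes the ocsp-response-only trace as a response carrying a certificate, that test is the one where this assertion is most likely to catch a regression.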
@ -1,4 +1,42 @@
|
|||
# This tests a OCSP request missing response
|
||||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ocsp.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load files/x509/log-ocsp
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
}
|
||||
|
||||
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
|
||||
{
|
||||
print "extension: ", ext, global_resp;
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, version: count, requestorName: string)
|
||||
{
|
||||
print "request", version, requestorName;
|
||||
}
|
||||
|
||||
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
|
||||
{
|
||||
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
|
||||
}
|
||||
|
||||
event ocsp_response_status(f: fa_file, status: string)
|
||||
{
|
||||
print "ocsp_response_status", status;
|
||||
}
|
||||
|
||||
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
|
||||
{
|
||||
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
|
||||
}
|
||||
|
||||
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
||||
{
|
||||
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
|
||||
}
|
||||
|
|
|
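Review bot: Both `Files::register_for_mime_type` calls for `Files::ANALYZER_OCSP_REQUEST` and `Files::ANALYZER_OCSP_REPLY` sit in the test's own `bro_init` rather than in the script under test, here and in the other OCSP tests of this commit. If `files/x509/log-ocsp` does not register these MIME types itself (that script is not in this hunk), a deployment that only loads the policy script would never attach the analyzers and would produce no ocsp.log, and none of these tests would notice. Consider registering the types next to the analyzers or inside `log-ocsp` and dropping the per-test copies, so the tests exercise the shipped configuration. The opening comment would also read better as `# This tests an OCSP request without a response`.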
@ -2,3 +2,42 @@
|
|||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ocsp.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load files/x509/log-ocsp
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
}
|
||||
|
||||
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
|
||||
{
|
||||
print "extension: ", ext, global_resp;
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, version: count, requestorName: string)
|
||||
{
|
||||
print "request", version, requestorName;
|
||||
}
|
||||
|
||||
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
|
||||
{
|
||||
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
|
||||
}
|
||||
|
||||
event ocsp_response_status(f: fa_file, status: string)
|
||||
{
|
||||
print "ocsp_response_status", status;
|
||||
}
|
||||
|
||||
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
|
||||
{
|
||||
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
|
||||
}
|
||||
|
||||
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
||||
{
|
||||
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
|
||||
}
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
# This tests OCSP response containing a certificate
|
||||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
|
||||
{
|
||||
if (resp?$certs)
|
||||
{
|
||||
for (x in resp$certs)
|
||||
{
|
||||
print x509_parse(resp$certs[x]);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -2,3 +2,42 @@
|
|||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ocsp.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load files/x509/log-ocsp
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
}
|
||||
|
||||
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
|
||||
{
|
||||
print "extension: ", ext, global_resp;
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, version: count, requestorName: string)
|
||||
{
|
||||
print "request", version, requestorName;
|
||||
}
|
||||
|
||||
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
|
||||
{
|
||||
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
|
||||
}
|
||||
|
||||
event ocsp_response_status(f: fa_file, status: string)
|
||||
{
|
||||
print "ocsp_response_status", status;
|
||||
}
|
||||
|
||||
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
|
||||
{
|
||||
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
|
||||
}
|
||||
|
||||
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
||||
{
|
||||
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
|
||||
}
|
||||
|
|
|
@ -2,3 +2,42 @@
|
|||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ocsp.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load files/x509/log-ocsp
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
}
|
||||
|
||||
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
|
||||
{
|
||||
print "extension: ", ext, global_resp;
|
||||
}
|
||||
|
||||
event ocsp_request(f: fa_file, version: count, requestorName: string)
|
||||
{
|
||||
print "request", version, requestorName;
|
||||
}
|
||||
|
||||
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
|
||||
{
|
||||
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
|
||||
}
|
||||
|
||||
event ocsp_response_status(f: fa_file, status: string)
|
||||
{
|
||||
print "ocsp_response_status", status;
|
||||
}
|
||||
|
||||
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
|
||||
{
|
||||
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
|
||||
}
|
||||
|
||||
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
||||
{
|
||||
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
|
||||
}
|
||||
|
|