diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README
deleted file mode 100644
index beabe8a3fc..0000000000
--- a/scripts/base/files/ocsp/README
+++ /dev/null
@@ -1 +0,0 @@
-Support for ocsp file analysis framework.
diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro
deleted file mode 100644
index d551be57d3..0000000000
--- a/scripts/base/files/ocsp/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load ./main
\ No newline at end of file
diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README
index 8b50366cd2..b523eb4fc4 100644
--- a/scripts/base/files/x509/README
+++ b/scripts/base/files/x509/README
@@ -1 +1,2 @@
 Support for X509 certificates with the file analysis framework.
+Also supposrts OCSP requests and responses.
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/x509/ocsp.bro
similarity index 99%
rename from scripts/base/files/ocsp/main.bro
rename to scripts/base/files/x509/ocsp.bro
index 3474e3a797..4a4836eee5 100644
--- a/scripts/base/files/ocsp/main.bro
+++ b/scripts/base/files/x509/ocsp.bro
@@ -2,6 +2,8 @@
 @load base/utils/paths
 @load base/utils/queue
+# Note - this needs some cleaning up and is currently not loaded by default.
+
 module OCSP;
 export {
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 82379ec31c..65b41305c7 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -77,7 +77,6 @@
 @load base/files/extract
 @load base/files/unified2
 @load base/files/x509
-@load base/files/ocsp
 @load base/misc/find-checksum-offloading
 @load base/misc/find-filtered-trace
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 6667d9fbae..8f0da3ef2f 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
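Review bot: The comment added to scripts/base/files/x509/ocsp.bro says the script is "currently not loaded by default" but gives neither the reason nor how to turn it on, and together with the removal of `@load base/files/ocsp` from init-default.bro this drops script-level OCSP handling from the default configuration without any signal to operators who relied on it. A site configuration that still contains `@load base/files/ocsp` will also stop loading, since that directory is deleted in this commit. I would expand the comment to something like `# Not loaded by default; enable with "@load base/files/x509/ocsp". Pending cleanup: <what remains to be done>.` and record the change in the release notes. The module body continues outside the hunk, so whether the script loads cleanly from its new location is not visible here.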
@@ -1,4 +1,4 @@
-##! Perform OCSP response validation.
+##! Perform validation of stapled OCSP responses.
 @load base/frameworks/notice
 @load base/protocols/ssl
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index 9296f4e6de..ef17247997 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -5,4 +5,3 @@ add_subdirectory(hash)
 add_subdirectory(pe)
 add_subdirectory(unified2)
 add_subdirectory(x509)
-add_subdirectory(ocsp)
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt
deleted file mode 100644
index 12c54c1c84..0000000000
--- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
- ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro OCSP)
-bro_plugin_cc(OCSP.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
-bro_plugin_end()
diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc
deleted file mode 100644
index f7edbd1d6d..0000000000
--- a/src/file_analysis/analyzer/ocsp/Plugin.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// See the file in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "OCSP.h"
-
-namespace plugin {
-namespace Bro_OCSP {
-
-class Plugin : public plugin::Plugin {
-public:
- plugin::Configuration Configure()
- {
- AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate));
-
- plugin::Configuration config;
- config.name = "Bro::OCSP";
- config.description = "OCSP analyzer";
- return config;
- }
-} plugin;
-
-}
-}
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index aa663cfa6e..e95b4ae6e6 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 bro_plugin_begin(Bro X509)
-bro_plugin_cc(X509.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
+bro_plugin_cc(X509.cc OCSP.cc Plugin.cc)
+bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
similarity index 99%
rename from src/file_analysis/analyzer/ocsp/OCSP.cc
rename to src/file_analysis/analyzer/x509/OCSP.cc
index d54f1f345b..926f30cf37 100644
--- a/src/file_analysis/analyzer/ocsp/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -5,8 +5,8 @@
 #include "OCSP.h"
 #include "Event.h"
-#include "events.bif.h"
-#include "types.bif.h"
+#include "ocsp_events.bif.h"
+#include "ocsp_types.bif.h"
 #include "file_analysis/Manager.h"
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/OCSP.h
rename to src/file_analysis/analyzer/x509/OCSP.h
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index d9d1b71ab4..5a0b67136a 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -4,6 +4,7 @@
 #include "plugin/Plugin.h"
 #include "X509.h"
+#include "OCSP.h"
 namespace plugin {
 namespace Bro_X509 {
@@ -13,10 +14,11 @@ public:
 plugin::Configuration Configure()
 {
 AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
+ AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate));
 plugin::Configuration config;
 config.name = "Bro::X509";
- config.description = "X509 analyzer";
+ config.description = "X509 and OCSP analyzer";
 return config;
 }
 } plugin;
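Review bot: In src/file_analysis/analyzer/x509/Plugin.cc the second `AddComponent` call folds the OCSP file analyzer into `Bro::X509` with no comment explaining the coupling, and the separately named `Bro::OCSP` plugin disappears with the deleted ocsp/Plugin.cc. A short comment above the call would help the next reader, for example `// OCSP ships inside the X509 plugin; its BIF files carry an ocsp_ prefix, presumably to keep them apart from the X509 ones.` The analyzer also stays registered even though the accompanying script is, per its new comment, not loaded by default, so the response-parsing code remains reachable by any script that attaches the OCSP analyzer to a file; that looks intended, but it is worth stating in the commit message so reviewers do not assume the parser is disabled. The class definition begins outside the second hunk.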
diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/events.bif
rename to src/file_analysis/analyzer/x509/ocsp_events.bif
diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif
similarity index 95%
rename from src/file_analysis/analyzer/ocsp/functions.bif
rename to src/file_analysis/analyzer/x509/ocsp_functions.bif
index 164b4a63ec..a5f31f9411 100644
--- a/src/file_analysis/analyzer/ocsp/functions.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif
@@ -1,6 +1,6 @@
 %%{
-#include "file_analysis/analyzer/ocsp/OCSP.h"
-#include "types.bif.h"
+#include "file_analysis/analyzer/x509/OCSP.h"
+#include "ocsp_types.bif.h"
 %%}
 ## Parses a OCSP response into an OCSP::Response structure.
diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/types.bif
rename to src/file_analysis/analyzer/x509/ocsp_types.bif