From cb0aa7725ee2e3b131305b3777b29bf8b2ad894d Mon Sep 17 00:00:00 2001
From: Liang Zhu
Date: Thu, 16 Jul 2015 18:20:57 -0700
Subject: [PATCH] fix a few bug for logging
---
 .../policy/protocols/ssl/ocsp-ssl-split.bro | 59 ++++++++++++-------
 .../ocsp.log | 10 ++--
 2 files changed, 44 insertions(+), 25 deletions(-)
diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro
index 4594c55cfc..2862a96dfb 100644
--- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro
+++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro
@@ -148,11 +148,8 @@ redef record HTTP::Info += {
 request_header_len: count &optional &default=0;
 response_header_len: count &optional &default=0;
 
- ## connection start time, copied from connection
- conn_start_ts: time &optional;
-
- ## number of OCSP requests so far, copied from connection
- num_ocsp: count &optional;
+ ## connection used to get num_ocsp and connection start time
+ conn: connection &optional;
 };
 
 # add additional information to ssl info
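Review bot: `conn: connection &optional;` stores the whole `connection` inside `HTTP::Info`, while `HTTP::Info` is itself reached through that connection as `c$http`; once the `http_request`/`http_reply` handlers in the next hunk assign `c$http$conn = c`, the two records reference each other. Bro values are reference counted, so a cycle like this is unlikely to be released automatically when the connection ends; worth confirming against a long-running trace, or keeping only the two scalars the removed fields held (`start_time` and a `num_ocsp` counter) instead of the full record. The field's `##` comment should also say who populates it, e.g. `## the connection this HTTP::Info belongs to; set in http_request/http_reply so num_ocsp and start_time can be read when the OCSP log entry is built`. The `HTTP::Info` redef begins outside the hunk.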
@@ -196,24 +193,47 @@ function clean_uri(s: string): string
 return s;
 }
 
-# record the header length and update num_ocsp and conn_start_ts
+event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
+ {
+ if ( ! f?$http )
+ return;
+ # check if there is a OCSP GET request
+ if ( f$http?$method && f$http$method == "GET" )
+ f$http$conn$num_ocsp += 1;
+ }
+
+event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
+ {
+ if ( ! f?$http )
+ return;
+ f$http$conn$num_ocsp += 1;
+ }
+
+event http_reply (c: connection, version: string, code: count, reason: string)
+ {
+ if ( ! c?$http )
+ return;
+ if ( ! c$http?$conn )
+ c$http$conn = c;
+ }
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+ {
+ if ( ! c?$http )
+ return;
+ if ( ! c$http?$conn )
+ c$http$conn = c;
+ }
+
+# record the header length
 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
 {
- # proceed only this http connection has ocsp request or response
- if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses )
- return;
-
+ if ( ! c?$http )
+ return;
 if ( is_orig )
- {
 c$http$request_header_len = stat$header_length;
- c$num_ocsp += 1;
- }
 else
- {
 c$http$response_header_len = stat$header_length;
- }
- c$http$num_ocsp = c$num_ocsp;
- c$http$conn_start_ts = c$start_time;
 }
 
 # add server hello time
@@ -317,8 +337,7 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10
 {
 function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info)
 {
- if ( http?$num_ocsp )
- ocsp$num_ocsp = http$num_ocsp;
+ ocsp$num_ocsp = http$conn$num_ocsp;
 
 if ( http?$method )
 ocsp$method = http$method;
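Review bot: `ocsp_request` and `ocsp_response` dereference `f$http$conn` after checking only `f?$http`, but `conn` is `&optional` and is assigned only by the `http_request`/`http_reply` handlers in this hunk, so an OCSP event for an `HTTP::Info` that never passed through those handlers hits an unset field, which is a runtime error that aborts the handler. Both should guard it, `if ( ! f?$http || ! f$http?$conn ) return;` in place of the current `f?$http` check. `f$http$conn$num_ocsp += 1` also presumes `num_ocsp` on the `connection` record carries a `&default`; that redef is outside the hunk, so confirm it, since `+=` on an unset optional field fails the same way. The `http_request` and `http_reply` bodies are identical and could call one small helper, and `http_reply (` has a space before its parameter list that the other handlers do not.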
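Review bot: `ocsp$num_ocsp = http$conn$num_ocsp;` replaces a guarded copy with an unconditional one, so `update_http_info` now raises a runtime error whenever `http$conn` is unset instead of leaving `num_ocsp` absent as before; the unconditional `http$conn$start_time` in the `start_log_ocsp` hunk that follows has the same exposure. Keep the old shape here, `if ( http?$conn ) ocsp$num_ocsp = http$conn$num_ocsp;`, and in `start_log_ocsp` build the record without `$conn_start_ts` and assign `info_ocsp_rec$conn_start_ts = http$conn$start_time;` under an `http?$conn` check, assuming `conn_start_ts` is `&optional` in `Info_OCSP` (declared outside these hunks). Both enclosing functions continue outside their hunks.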
@@ -365,7 +384,7 @@ function start_log_ocsp(rec: OCSP::Info)
 local http: HTTP::Info = rec$http;
 local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id,
 $cuid = http$uid,
- $conn_start_ts = http$conn_start_ts];
+ $conn_start_ts = http$conn$start_time];
 
 if ( rec?$certId )
 info_ocsp_rec$cert_id = rec$certId;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log
index 8ceb5e9770..692581c871 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ocsp
-#open 2015-07-15-08-22-46
-#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method
-#types time addr port addr port string string string string string string count string time string string string count string string string string string string
-1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET
-#close 2015-07-15-08-22-46
+#open 2015-07-15-20-38-15
+#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
+#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string
+1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET
+#close 2015-07-15-20-38-15