fix a few bug for logging

Liang Zhu 2015-07-16 18:20:57 -07:00
parent 00a0313967
commit cb0aa7725e
2 changed files with 44 additions and 25 deletions


@ -148,11 +148,8 @@ redef record HTTP::Info += {
request_header_len: count &optional &default=0; request_header_len: count &optional &default=0;
response_header_len: count &optional &default=0; response_header_len: count &optional &default=0;
## connection start time, copied from connection ## connection used to get num_ocsp and connection start time
conn_start_ts: time &optional; conn: connection &optional;
## number of OCSP requests so far, copied from connection
num_ocsp: count &optional;
}; };
# add additional information to ssl info # add additional information to ssl info
@ -196,25 +193,48 @@ function clean_uri(s: string): string
return s; return s;
} }
# record the header length and update num_ocsp and conn_start_ts event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
{
if ( ! f?$http )
return;
# check if there is a OCSP GET request
if ( f$http?$method && f$http$method == "GET" )
f$http$conn$num_ocsp += 1;
}
event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request)
{
if ( ! f?$http )
return;
f$http$conn$num_ocsp += 1;
}
event http_reply (c: connection, version: string, code: count, reason: string)
{
if ( ! c?$http )
return;
if ( ! c$http?$conn )
c$http$conn = c;
}
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
if ( ! c?$http )
return;
if ( ! c$http?$conn )
c$http$conn = c;
}
# record the header length
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{ {
# proceed only this http connection has ocsp request or response if ( ! c?$http )
if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses )
return; return;
if ( is_orig ) if ( is_orig )
{
c$http$request_header_len = stat$header_length; c$http$request_header_len = stat$header_length;
c$num_ocsp += 1;
}
else else
{
c$http$response_header_len = stat$header_length; c$http$response_header_len = stat$header_length;
} }
c$http$num_ocsp = c$num_ocsp;
c$http$conn_start_ts = c$start_time;
}
# add server hello time # add server hello time
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5
@ -317,8 +337,7 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 {
function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info)
{ {
if ( http?$num_ocsp ) ocsp$num_ocsp = http$conn$num_ocsp;
ocsp$num_ocsp = http$num_ocsp;
if ( http?$method ) if ( http?$method )
ocsp$method = http$method; ocsp$method = http$method;
@ -365,7 +384,7 @@ function start_log_ocsp(rec: OCSP::Info)
local http: HTTP::Info = rec$http; local http: HTTP::Info = rec$http;
local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id,
$cuid = http$uid, $cuid = http$uid,
$conn_start_ts = http$conn_start_ts]; $conn_start_ts = http$conn$start_time];
if ( rec?$certId ) if ( rec?$certId )
info_ocsp_rec$cert_id = rec$certId; info_ocsp_rec$cert_id = rec$certId;
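Review bot: The new `f$http$conn$num_ocsp += 1` lines in ocsp_response and ocsp_request, and the now-unconditional `ocsp$num_ocsp = http$conn$num_ocsp` in update_http_info, dereference the `&optional` field `conn` without a `?$conn` test, whereas the old code guarded with `if ( http?$num_ocsp )`. `conn` is only populated by the new http_request/http_reply handlers, so if a file-analysis event reaches an HTTP::Info where neither has run, the access presumably raises a missing-field runtime error and aborts the handler, silently dropping that OCSP record from the log. I would guard the event handlers with `if ( ! f?$http || ! f$http?$conn ) return;` and the helper with `if ( http?$conn ) ocsp$num_ocsp = http$conn$num_ocsp;`. The `$conn_start_ts = http$conn$start_time` initializer in start_log_ocsp has the same exposure and needs the check before the record constructor. The bodies of update_http_info and start_log_ocsp continue outside the visible hunks, so an earlier guard there may already cover this.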


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2015-07-15-08-22-46 #open 2015-07-15-20-38-15
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
#types time addr port addr port string string string string string string count string time string string string count string string string string string string #types time addr port addr port string string string string string string count string count time string string string count string string count string string string string
1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET 1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET
#close 2015-07-15-08-22-46 #close 2015-07-15-20-38-15